GlobalSign Blog

It May Be Time to Take Your Padlock Off as Google Plans to Amend Secure Website Indicators

In our modern daily life as human beings, even though we’ve eradicated most of our predators, we still look for visible signs of security that reassure us we’re safe. A light that goes on in our car to confirm that the airbag is active, a reading on our smartwatch telling us our heart is still beating properly, a green traffic light that tells us we can cross the road or drive through a crossroad without being hit by anyone (or at least shouldn’t be). These signs help us avoid fight-or-flight responses that could raise our blood pressure, cause hyperventilation, or simply make us anxious.

For websites, browsers have been displaying a padlock icon in the address bar since 2008, which lets users know that a website is using SSL/TLS encryption. The ‘HTTPS’ prefix was then introduced in 2014 to make it even more visible (for those who might not link the icon with a sign of security, you never know). I won’t go into the green bar story, so as not to bore you to death or start an endless discussion.

Security Indicators Provide Trustworthiness 

These various security indicators are meant to provide users with more information about the security of the websites they visit: their trustworthiness, the owner behind the domain and the security of the sensitive data you may or may not enter.

All these signs are activated when a website has a valid SSL/TLS certificate, issued by a trusted third-party organization, which confirms that the connection is secure and that the visited domain (or website) is truly the one it says it is. The validity term of SSL/TLS certificates is a whole other subject, but not one for now (we’d be here all day).

Padlocks Aren’t Bulletproof to Cyber-Attacks 

However, this sign of security isn’t bulletproof and doesn’t give you full assurance, as attackers can still create fake SSL/TLS certificates and fool users in order to obtain their sensitive data. So, don’t trust blindly and stay vigilant. Make sure to double-check the URL and other signs of a secure connection before entering sensitive information like a password or a credit card number online.

Now, as more and more websites have started to use SSL/TLS certificates (according to Google, more than 90% of all pages loaded in Google Chrome now use HTTPS), thanks to the great push by giants like Google and others to encrypt by default, we’ve all become accustomed to seeing these signs and no longer really look at them, as such protection is expected to be the rule.

Given the generalisation of HTTPS, browsers are questioning the real need to keep showing these indicators, leading to Google’s recent announcement that it will remove secure website indicators in Chrome 117 later in the year.

Maintaining Anxiety Levels When it Comes to Website Security 

But without these security signs, how can we know whether our connection is still secure or not? How can we make sure we won’t fall victim to scams, phishing attacks or other cyberattacks? In other words, how can we ensure our anxiety level and blood pressure don’t go up?

It’s important to remember that the disappearance of these indicators doesn’t necessarily mean that the website is insecure; you just don’t have a visible confirmation of it. It’s part of good cyber hygiene to double-check the URL and look for other signs of a secure connection – the padlock and the HTTPS prefix are not the only indicators.

So in conclusion, yes, security indicators like the HTTPS prefix and the padlock in the browser address bar are meant to disappear in the near future, not because Google said so but because the need for them has become less and less relevant for users. If non-HTTPS becomes the exception, why should we still highlight HTTPS sites? But this doesn’t mean that there is reason for concern.

The disappearance of these signs may help users to make informed decisions about their online safety and security, instead of blindly trusting these indicators.

You Can Ride The ‘Webcycle’ Without the Training Wheels 

Remember the days when you were learning to ride a bicycle. You probably first had those 2 little side wheels that kept you in balance and ensured that you wouldn’t fall. As you got more accustomed to riding your bike, these side wheels lost their purpose, so your parents (or grandparents) took them off. Since then, you’ve been riding your bike on 2 wheels instead of four and you’re still ok; you don’t lose your balance and you aren’t falling. It’s the same with the HTTPS prefix and the padlock: you’ve mastered your skills as an internet user, so it’s time to take these security signs off.

And if you fall (victim) without these signs, it’s not due to the disappearance of them, but due to your reckless behaviour as an internet user. 

Yes – SSL/TLS certificates should be used everywhere and always, but as everyone is using them, what’s the point of making it visible?
