
Google Chrome To No Longer Show Secure Website Indicators (bleepingcomputer.com)

Google Chrome will no longer show whether a site you are visiting is secure and only show when you visit an insecure website. Bleeping Computer reports: To further push web developers into only using HTTPS on their sites, Google introduced the protocol as a ranking factor. Those not hosting a secure site got a potentially minor hit in their Google search results rankings. It has appeared to have worked as according to the 'HTTPS encryption on the web' of Google's Transparency Report, over 90% of all browser connections in Google Chrome currently use an HTTPS connection.

Currently, when you visit a secure site, Google Chrome will display a little locked icon indicating that your communication with the site is encrypted, as shown below. As most website communication is now secure, Google is testing a new feature that removes the lock icon for secure sites. This feature is available to test in Chrome 93 Beta, and Chrome 94 Canary builds by enabling the 'Omnibox Updated connection security indicators' flag. With this feature enabled, Google Chrome will only display security indicators when the site is not secure. For businesses who wish to have continued HTTPS security indicators, Google has added an enterprise policy for Chrome 93 named 'LockIconInAddressBarEnabled' that can be used to enable the lock icon again on the address bar.

  • by gweihir ( 88907 ) on Tuesday August 03, 2021 @07:10PM (#61653313)

    Not that most people even look in regular circumstances, but what if people get warned to be careful in some environments? Then most cannot.

    Anyways, using a "mainstream" browser like Chrome is probably a pretty bad idea.

    • by dohzer ( 867770 )

      Personally, I only use browsers that I've written myself.

    • by crow ( 16139 ) on Tuesday August 03, 2021 @07:46PM (#61653469) Homepage Journal

      No, the always-on indicator serves no purpose. Just have an indicator that shows up when something is wrong. That's why cars have a "check engine" light, but not "engine does not need to be checked" light.

      • by Anonymous Coward on Tuesday August 03, 2021 @07:59PM (#61653517)

        But a 'check engine light' is lit when the engine is started to show that it functions.
        If you never show a symbol/light if everything is ok, then how does the user know that it is working properly? Maybe it is not working properly and not being tripped or lit.

        • by The MAZZTer ( 911996 ) <megazztNO@SPAMgmail.com> on Wednesday August 04, 2021 @12:24AM (#61654065) Homepage

          The problem is, somewhat interestingly, similar to the "check engine" light: It lies (sort of). The light goes on even when it's time for a scheduled oil change and nothing is wrong with the engine at all. As a result there's a risk some people who know this will ignore it, when there is actually something seriously wrong with their car.

          The lock icon has a similar problem: some people are under the idea that it means the website is safe. This is not true. It just means nobody can snoop on your communications with the server, it says nothing about the trustworthiness of the server itself. And anyone can get that lock on their site for free. So it makes sense Google would want to do something to combat this dangerous belief.

        • by AmiMoJo ( 196126 )

          The check engine light is lit when the car is turned on to make sure the bulb isn't dead. Bulbs used to die regularly before LEDs and now digital dashboards.

          In the case of Chrome there is a really good system for warning the user. Normal HTTP pages show a broken lock. If the user starts entering any data into a form on a non-secure page an animated red warning message appears. If they try to submit the form a pop-up explains the issue and asks them to confirm.

          • by gweihir ( 88907 )

            The problem with this is that most users will not understand that they are now outside of a secure workflow. They will just think "something is broken, let's try anyways". An "everything is ok" indicator is much better for non-experts, because it being missing signals a clear "stop".

        • But a 'check engine light' is lit when the engine is started to show that it functions.

          I don't need to replace the indicator on my browser graphic. Users of cars and computers put a lot of faith into the fact that things work. We provide verification for the few cases where an inexplicable hardware error such as a blown lightbulb can cause a function to fail on demand.

      • by geekmux ( 1040042 ) on Wednesday August 04, 2021 @04:06AM (#61654439)

        No, the always-on indicator serves no purpose. Just have an indicator that shows up when something is wrong. That's why cars have a "check engine" light, but not "engine does not need to be checked" light.

        Not long ago, I was here discussing with others who were defending the ongoing value of FTP as browsers look to deprecate support for that insecure protocol. And now, we are going to flag any and all websites running HTTP, as "something is wrong"? HTTP is still a perfectly functioning protocol, as is FTP. The main difference is FTP is utilized far more to serve up specific files and content that would likely hold a higher need for privacy, integrity, and security.

        A website that does not dabble in authentication or collecting personal information and merely exists to serve public information, doesn't need HTTPS to function. Perhaps we re-think the wrongthink?

        And if it's privacy you wish, anyone have any evidence that a subpoena from your ISP has now become worthless, because HTTPS-everywhere? If that were the case, why is anyone pissing money away on a personal VPN proxy? HTTPS made you invisible and secure.

        • by catprog ( 849688 )

          ISPs are intercepting HTTP and changing the content.

          This is why there is the big push to HTTPS.

      • always-on indicator serves no purpose

        It has one purpose, right click to enable JavaScript when "no" is your default. Gonna be a right pain in the ass doing it through settings or find the keyvalue again when they change that too.

      • by gweihir ( 88907 ) on Wednesday August 04, 2021 @08:02AM (#61654953)

        I disagree. Your car analogy is flawed. For example, a car most certainly has a gas level indicator that _also_ tells you when you do not need to get gas. And if you look at more professional cars, you will certainly find a green light for "engine" or something like it.

    • Not that most people even look in regular circumstances, but what if people get warned to be careful in some environments? Then most cannot.

      An indicator which is always on is an indicator which is always ignored. The purpose of this indicator is to show you something unexpected. With some 80+% of websites now using SSL it's far more valuable to indicate an insecure connection than it is to indicate a secure one.

      Notice how in your car you have a lamp that comes on when oil pressure drops, or the engine goes into limp, or when fuel is low? These aren't lights which are always on and just go out when something happens.

      We have 60 years of research

      • by gweihir ( 88907 )

        The problem with a specific "fault" indicator is that it requires an act of understanding. In fields that have reliable engineering (cars), such indicators can be simplified to "stop car now" and will not cause issues, because it will only light up if something is very likely wrong. In the software field, we do not have reliable engineering. Hence users are used to ignoring indicators of faults and just try anyways because that often works. That behavior is fatal in a "security not present" indicator.

        • The problem with a specific "fault" indicator is that it requires an act of understanding.

          This problem is not at all related to how the indicator shows up but rather is inherent to the indicator itself. If a person doesn't understand it then it makes no difference whether it is always lit, and off by exception or the complete reverse. Any problem with the "fault" indicator exists equally with the "secure" indicator.

          That behavior is fatal in a "security not present" indicator.

          You seem to be basing your entire experience on the idea that a fault indicator will be ignored because it will be frequently present. I'm not sure if you actually use the internet, b

  • So rather than indicating the site is secure they'll only tell you if it's not. Seems like a great way to make people feel like there's need to give a second thought to security.

    Also disappointing is that they've just made it more inconvenient to see the certificate info.
    • The problem they see that they're trying to solve is that, based on their research, people incorrectly associate the lock icon with trustworthiness of the site rather than the security of the connection to the site. Removing it and only warning if there's an actual problem with the connection security solves that problem.

      In my opinion, people shouldn't need to give a second thought to whether the connection is secure anymore. Secure connections should be the default. Other factors such as trustworthiness, p

    • The material design people can't stand something that is almost always visible in the UI that often doesn't change. They also hate things that are easy to find, so if they take away the lock how can I quickly click it to get to site settings? Can't have that!
  • by Anonymous Coward
    The lock indicator never showed whether or not a site was secure, only that the connection between you and the origin server was encrypted. Technical reporters should know better.
  • Seriously, why? Is there a shortage of green pixels or something?

    They constantly want to try to hide part of the URL anyway, so it's not like they need the room for that ...

  • Google is really getting completely out of hand with burying results for reasons completely unrelated to their relevancy. This is the most egregiously obnoxious reason yet and will have the greatest impact. When you add on how it's nigh impossible to get around them thinking they know what you're looking for but being wrong, more and more of my searches are returning garbage these days. Exact phrase searching seems entirely broken. If you're searching for virtually anything on a specific topic, a lot of the
  • by jsepeta ( 412566 ) on Wednesday August 04, 2021 @12:33AM (#61654071) Homepage

    Bwahahahahaha

  • This is in the category of something not being there tells you X. The problem is that the something not being there could be due to any number of bugs or unforeseen circumstances. They are idiots.
