Chrome To Drop Lock Icon Showing HTTPS Status (itnews.com.au)
Google will remove the familiar lock icon that allows users to check a website's Transport Layer Security status for the connection, citing research that only a few users correctly understood its precise meaning. From a report: The lock icon has been displayed by web browsers since the 1990s, indicating that the connection to web sites is secured and authenticated with encryption. However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon. This, Google argued, is not harmless since most phishing sites also use the hyper text transfer protocol secure extension (HTTPS) and also display the lock icon. Ergo, a lock icon is not in actual fact an indicator of a site's security. [...] Starting with Chrome version 117, Google will introduce a new "tune" icon, which does not imply a site is trustworthy, and is more obviously clickable. The "tune" icon is more commonly associated with settings and other control, and Google said a more neutral indicator like that prevents the misunderstanding around site security that the lock icon is causing.
just click the tune icon (Score:3)
I mean nobody is going to click it when they suspect a site is a scam. But you could click it, and that's enough. Plus, changing established UI and defending the blowback gives some people a warm fuzzy feeling.
Re: (Score:1)
Plus, changing established UI and defending the blowback gives some people a warm fuzzy feeling.
Not to mention that Google can use the new icon in support of their own agenda. They could use it, for instance, to imply that non-AMP pages on mobile are somehow less trustworthy.
They really are the new Microsoft.
Re:just click the tune icon (Score:5, Interesting)
Re: (Score:2)
I agree the lock isn't used in an effective way by users. And Google's data backs that up. But I think the proposal doesn't go far enough. Actually I struggle to see how it could alter the user's behavior at all.
Re: (Score:2)
I agree the lock isn't used in an effective way by users. And Google's data backs that up. But I think the proposal doesn't go far enough. Actually I struggle to see how it could alter the user's behavior at all.
Google is removing the lock. How would you go further?
Note that the reason for the "tune" icon isn't that it's some more accurate alternative. They observed that the lock does serve one useful function, it gives you a place to click to find out more about the connection security. Rather than nerfing that, or burying it in a menu, they're substituting a different icon that doesn't have the misleading connotations.
Re: (Score:2)
Yes, they removed the icon and replaced it with an icon that fails to communicate anything. Not an improvement in my opinion.
Re: (Score:2)
Yes, they removed the icon and replaced it with an icon that fails to communicate anything. Not an improvement in my opinion.
The goal was to eliminate a misleading icon. Seems to me that this does that. What would you do?
Re: (Score:2)
What would I do with a staff of 100's of professionals earning six-figure salaries? Not this obviously.
I'd start with a user study. Ideally run by someone with a psychology and user experience background. I'd want multiple proposals put together by a design team that attempts to communicate a sense of security and encourages the user to examine the control when its status appears different. If a red lock icon doesn't do it, then let's try something else. Things that have that classic 3D bevel tend to draw use
Re: (Score:2)
I'd start with a user study. Ideally run by someone with a psychology and user experience background.
This decision was the outcome of user experience studies, run by UX experts with psychology PhDs.
I'd want multiple proposals put together by a design team that attempts to communicate a sense of security
Uh, what? No. This is exactly wrong. The goal is explicitly not to communicate a sense of security. We have an icon that communicates a sense of security, and that is the problem we're trying to solve. Anything that communicates a sense of security is lying.
Re: (Score:2)
I can only conclude that you think their goal is to make sure nobody knows what is going on in a web browser, because it's all too difficult. We can't just block idiots from using web browsers because we need them to buy stuff, but we also don't want them to feel confused by an increasingly complex security world.
Re: (Score:2)
I can only conclude that you think their goal is to make sure nobody knows what is going on in a web browser, because it's all too difficult. We can't just block idiots from using web browsers because we need them to buy stuff, but we also don't want them to feel confused by an increasingly complex security world.
No... the goal is to avoid misleading people. The lock -- or any icon that indicates that HTTPS implies security -- is misleading. The new icon does not imply security, but does provide a place to click if you want to know about the certificate, cipher selected, etc. No information is hidden, no "idiots" are blocked, no non-experts are misled into thinking that they have "security" when they may or may not. This seems to do all the right things.
I'm really having a hard time figuring out what you think is
Re:just click the tune icon (Score:5, Insightful)
...understand in detail what the difference was between a green lock icon and a gray lock icon without looking it up.
The grey lock means the SSL provider said it validated the identity of the SSL purchaser. The green lock means the SSL provider admitted it lied about the grey lock, but will do what it said it did for the grey lock if you just pay more money for the green lock.
Re: (Score:2)
...understand in detail what the difference was between a green lock icon and a gray lock icon without looking it up.
The grey lock means the SSL provider said it validated the identity of the SSL purchaser. The green lock means the SSL provider admitted it lied about the grey lock, but will do what it said it did for the grey lock if you just pay more money for the green lock.
LOL. More or less. This is a very cynical take, but probably pretty close to the truth.
Re: (Score:3)
Yes, I know people
Re:just click the tune icon (Score:4, Insightful)
I don't disagree that it is needed, but it's only needed in certain scenarios.
This conclusion comes from a common misunderstanding of what TLS does and what it's for. You're focusing on the fact that TLS provides encryption, i.e. it makes your traffic confidential. That's useful, but not what's really important. Another thing it does is identify the origin of the traffic, i.e. authentication. This is theoretically valuable, but given the level of validation done by CAs, it's not great in practice... but it does contribute significantly to a third property of TLS traffic, the one that really does matter: integrity. TLS ensures that the bits that your browser receives are the bits that were sent, and that no one between server and browser can modify those bits to insert malware (or ads, though that's kind of a lost battle).
The integrity element is what makes it possible to trust that any web content is non-malicious, and the authentication element provides some basis to trust that specific content may not be malicious. It's these factors that make TLS essential for all connections, though there are two fairly good arguments for why all traffic should be encrypted, too. Those are, first, that if you try to encrypt only the traffic that needs to be encrypted, you'll fail, leaving some sensitive traffic vulnerable, and second, that you'll highlight the traffic of high interest to attackers of various sorts.
For all of these reasons, it's really best if all traffic has cryptographic assurance of integrity, authenticity and confidentiality. Yes, this is a pain for network administrators and law enforcement, but that's just the price we have to pay.
Re:just click the tune icon (Score:4, Insightful)
So uhh, then how is it that I visit a website and get a cloudflare captcha?
Oh that's right... cloudflare and websites have conspired to subvert the integrity you are talking about. Instead, cloudflare with its thousands of employees is the largest gang of men-in-the-middle in history.
When a website conspires with cloudflare the website changes its DNS to point to cloudflare servers rather than its own. So the user's browser connects to cloudflare.
"Good" cloudflare connections work like this:
browser <--HTTPS--> cloudflare <--HTTPS--> website
"Evil" cloudflare connections work like this:
browser <--HTTPS--> cloudflare <--HTTP--> website
Both "Good" and "Evil" cloudflare connections are bad because CF remains man in the middle even though the SSL info displayed to the user in the browser indicates it is a secure connection to the website. So the website is lying to the end user. Lying is generally considered bad/evil.
The "Evil" CF connections are even worse because the connection between CF and the website is unencrypted and any hop along the way could sniff the traffic. And again, to the end-user it appears there is a secure connection all the way to the website.
This is the real problem today, not the appearance of a silly lock icon.
Re: (Score:2)
I wouldn't know for any particular website... that's the problem. The browser reports them all as "secure". However I know that CF does it because they clearly document the practice on their site and list it as the "Flexible" connection option.
https://community.cloudflare.c... [cloudflare.com]
Re: (Score:2)
cloudflare and websites have conspired to subvert the integrity you are talking about
Technically, yes. In practice, not really. In most cases, cloudflare is likely better-managed and more secure than the server you're talking to, and the server you're connecting to has chosen to explicitly trust cloudflare, else they couldn't MITM the connection.
The "Evil" CF connections are even worse because the connection between CF and the website is unencrypted and any hop along the way could sniff the traffic.
Cite? I would be shocked and confused if CF didn't use TLS to connect to the web site.
Re: (Score:3)
The website has chosen to trust cloudflare, yes but the end-user hasn't. And the arrangement enables them to lie to the user that there is a secure connection between user and website.
As for a citation about the plaintext option, CF clearly documents it.
From https://community.cloudflare.c... [cloudflare.com]
See also: https://blog. [sean-wright.com]
Re: (Score:2)
The website has chosen to trust cloudflare, yes but the end-user hasn't.
That's a distinction without a difference. The end user has chosen to trust the web site, which means the end user is trusting the web site with a whole lot of decisions; this is one of the smallest.
As for a citation about the plaintext option
I don't think they should offer this option. But is it actually used much?
Re: (Score:2)
It's not a small decision. As a MITM, CF has access to monitor or even modify all connections (which they regularly do). Who knows how 3 letter agencies are using this capability or for what purposes. Who knows how CF employees are using it either.
They put stupid captchas in whenever they like, which really messes with Tor and sometimes VPN connections. That directly affects the end-user experience.
As just one example, Richard Stallman wrote a blog about it because he objects to the use of javascript
Re: (Score:2)
Seriously? Between a million unpatched vulnerabilities on sites we visit on a daily basis, any of which could easily provide the means for malware injection, you're worried about the network traffic?
With secure network connections, users can avoid untrustworthy sites. This probably means their selection of options is a tiny, tiny fraction of the web, but at least it's possible. Without secure network connections... no one can ever have any idea where the bits are coming from.
Re: (Score:2)
With secure network connections, users can avoid untrustworthy sites.
Care to elaborate on that? How? An untrustworthy site can get a certificate from True Crypt or any number of places and start to encrypt the traffic. How does that help users avoid this untrustworthy site?
Re: (Score:2)
With secure network connections, users can avoid untrustworthy sites.
Care to elaborate on that? How? An untrustworthy site can get a certificate from True Crypt or any number of places and start to encrypt the traffic. How does that help users avoid this untrustworthy site?
The certificate is irrelevant, as long as it's sufficiently hard for attackers to get certs for sites they don't own/operate. The cert just ensures that when you go to foo.com, you're actually talking to foo.com. Whether foo.com is trustworthy is a separate question, which requires other information to answer.
As to how ordinary people can figure out which sites to trust? Mostly stick with big names which would suffer bad PR if they did bad things.
Re: (Score:2)
Every web site displays ads hosted on other servers, and downloads all their framework scripts from other servers. Do you really think anyone really gives a fuck about source integrity?
If the Internet were designed to be truly secure, nothing we do today would actually work.
Re: (Score:2)
You casually gloss over the fact that the CA hierarchy isn't the only way to achieve those goals. TLS with CAs is a shitshow that is kept around because Google and its Mozilla sidekick refuse to support other key management systems and maintain a centralized system for certificate issuance, which I'm sure is a complete fucking coincidence.
What alternative PKI would you suggest?
Re: (Score:2)
DANE
That could work, though Let's Encrypt gets us most of the way there, I think.
Re: (Score:2)
The lock icon is an "everything's fine" alarm. These days most sites are using HTTPS, so it makes more sense to alert the user when the site is insecure.
The FBI and many others have been warning that the old advice to look for the lock is bad. It should be ignored and the website evaluated in other ways.
It's time to get rid of this thing. It only ever gave people a false sense of security.
Bad (Score:1)
Re: (Score:2)
I want Chrome to continue with warnings if you try to access a website without a valid certificate.
Well, I don't. Well, at least not so scary, at least for things on your local network. The problem I see with this is that https is more secure than http, which has absolutely no warning apart from the lock icon, which we know most people don't look at. Things like routers that don't want to scare the average home user, who is not going to set up their own certificate signing authority, then just use http. Also if I want to man in the middle someone all I have to do is use http instead of https since all browser j
Re: (Score:2)
The functionality remains the same. All that is happening is that the "padlock" icon is being replaced with a "tune" icon.
Using the words "drop" and "remove" in the headlines is just clickbait.
Slashdot will continue to overestimate users (Score:1)
However, Google said its 2021 research showed that only 11 percent of participants in a study correctly understood the meaning of the lock icon
That feels about right. I would say it might be a bit lower than 11% and that the 11% comes from not a large enough sample. But, yes, I think it's worthwhile to point out to all of Slashdot, that it's likely around 90% to 95% of Internet users globally have no idea how any of this works and that Facebook appears on their desktop via magic.
I say this, because here on Slashdot someone is bound to launch into the "more information is better" debate and you know what friend, I agree with you. BUT Since Chrom
Re:Slashdot will continue to overestimate users (Score:4, Insightful)
So the justification for getting rid of the lock seems to be that it gives the great unwashed a false sense of security.
The implication is that some fraction of those people will start acting more prudently/paranoid when the lock is gone.
How many, do you think?
Re: (Score:2)
Always ignored the lock until the protocol stopped being displayed....
Keep one or the other, or with the "ssl all the things" maybe some indicator up there saying it ISN'T https...
Re: (Score:2)
No, the justification is "the great unwashed don't understand it, and the information it gives isn't very useful anyways, so let's simplify the interface". Nobody (except you) claims that removing this will make anyone behave better. You're making a strawman argument; please don't. It's a bad look.
But every feature has a cost (both in support and in user attention/distraction), so culling useless features reduces the overall cost.
Re: (Score:3)
How many, do you think?
You know, I don't write code for Chrome or Chromium so my take on how many is slightly irrelevant. But I will say that. . . . I assume that Google did enough of a study to determine that it was enough for a net positive. Nothing in the published article indicates that and so I mean, this really just boils down to me blowing smoke out my ass, but I'm going to assume that Google knows what is best for Google's browser and their study backs up this choice.
Now the reason why I say this is because, it's cheape
Re: (Score:2)
> I assume that Google did enough of a study to determine that it was enough for a net positive.
Yeah, just like how they deprecated JPEG-XL support in Chrome one year after the spec was published, citing "lack of interest in the ecosystem" (and definitely not citing the existence of their own WebP image format).
Re: (Score:2)
Lexi posting to her Insta about her drip isn't interested in understanding TLS and that's just never going to change
I, on the other hand, am intrigued by this "drip" you speak of.
one click cert details please (Score:5, Insightful)
Would be nice if it didn't require an hour of clicking just to see the certificate details. Every major revamp of browser UIs buries that info under at least an extra layer of clicks.
Re: (Score:2)
Irrelevant. 99.99% of people have no idea what certificate details means. Yes, I'm including a lot of Slashdot users there. For nearly everyone the certificate is useless... unless you're debugging why you already have a blocked site with a certificate warning.
Heck I'm surprised they haven't hidden them in the developer console yet.
I've been saying this for decades. (Score:4, Insightful)
And yes, I know about Extended Verification, but that doesn't mean the site is secure either. It means the site spent money, and assuming that all sites that cough up the money for EV certs are necessarily secure, is idiotic. At least we have LetsEncrypt now, so being on a budget doesn't block a small site from using basic https. So there's that.
Re: (Score:1)
Well, if you're a gay adoptive parent in Florida, it isn't impossible that the government might turn up at your door and take your kids away from you.
Re: (Score:3)
It means traffic between you and the site is encrypted in transit, so that your ISP can't trivially read everything you look at.
True, but that's not the important part. The important part is that HTTPS means that the bits your browser receives are the bits the server sent. It's useful to be sure that parties in between can't read your traffic, but it's essential that they not be able to modify your traffic and inject malware. Of course, if the server is sending malware, you're hosed, but without TLS to ensure traffic integrity you can't ever be certain that any site you visit is safe.
Re: (Score:3)
it doesn't even mean that anymore, not since the advent of CloudFlare as a giant man-in-the-middle with websites pointing their DNS at CF servers right and left.
And worse yet, CF gives website operators the option to use plaintext (http) between CF and the website. Which means that https indicator in the browser becomes useless... your traffic may still be traversing the intertubes unencrypted and you have no way to tell.
Not trust, but security (Score:2)
It is valuable as an indicator that the connection is encrypted, not that you can trust whoever's on the other end. While most sites are encrypting these days, it's useful for that fact to be obvious.
Re: (Score:2)
As long as they highlight the insecure sites, that's fine.
Re: (Score:2)
It is valuable as an indicator that the connection is encrypted
No. It *was* a valuable indicator that a connection is encrypted. These days where: a) every website is encrypted, b) chrome presents a warning when connecting to a non-secure website, and c) chrome flashes up a warning if the unsecure website has entry fields for data, the addition of a completely pointless indicator showing a website is encrypted is just that, pointless.
Your car doesn't show a green tick when it is running okay, it shows a warning light when it's not. The padlock item has no meaning anymo
Re:Not trust, but security (Score:4, Insightful)
Your car doesn't show a green tick when it is running okay....
That's how it's been for decades, and people are used to it. Imagine if Ford decided to unilaterally reverse the meaning of lights because [reasons]. Now your check engine light is on all the time when the engine is fine, and turns off when your engine is misbehaving. And instead of saying "Check Engine", it now just says "Motor".
This is change for the sake of change. It will be interesting to see the fallout.
User training: cause or effect? (Score:1)
Just a few days ago, my wife looked at a padlock icon and said, "so it's secure." Indeed, lots of people have referred to it as meaning "secure" rather than "we think this is probably who they say they are."
But why do they think that? Are they just doomed to be wrong, or were they guided into being wrong? If you're mistraining people, then analysis of how they act is less important.
Change the icon into something that looks like a drivers' license or passport, and have clicking it say something like: "Cloudf
you can lead a horse to water... (Score:2)
What makes Google think that my mom is going to notice this change, be curious, and then click to train herself? That will never happen, she will call me and demand that I make it like it was before because none of the sites she visits show the secure lock anymore.
Let it connect to http again (Score:2)
Great! Now let it connect to my own services on my own local network using IP addresses and http without making me jump through stupid hoops.
Re: (Score:2)
What we really need is an option to say that, yes, this certificate is invalid, but I expected that, and ignore it, and most importantly, remember this forever. Maybe only allow that for internal addresses like 10.0.0.0/8 or 192.168.0.0/16.
This would solve problems with things like a security camera on my network that uses https with some certificate from the vendor that I can't easily touch. Likewise with my printer, which I can upload a new certificate to, but it's a pain (not easily automated), and has
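The commenter above asks for a "remember this certificate forever, but only for internal addresses" option. As an added example (not the commenter's code, not anything Chrome implements), the Python below sketches such a trust-on-first-use pin store: it accepts only literal IPs in the RFC 1918 ranges (the 10/8 and 192.168/16 the commenter names, plus 172.16/12), pins the SHA-256 of the device's DER certificate on first contact, and reports a mismatch if the certificate later changes, which is the one thing a user must be shown since it means either a renewed device cert or something interposed on the LAN. The `fetch_der` helper and the store file path are assumptions for illustration.

```python
import hashlib
import ipaddress
import json
import socket
import ssl
from pathlib import Path

# Assumed: the private ranges the LAN exception applies to (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(host: str) -> bool:
    """True only for a literal IP inside a private range.

    Hostnames are deliberately refused: the exception must never be
    usable against a public site, only against a LAN device reached by IP.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in PRIVATE_NETS)


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate, as browsers display it."""
    return hashlib.sha256(der_cert).hexdigest()


def decide(host: str, der_cert: bytes, store: dict) -> str:
    """Classify a connection against the pin store.

    'reject'    - host is not an internal IP; normal CA validation must apply
    'first-use' - no pin yet; the cert is remembered from now on
    'match'     - presented cert equals the pinned one
    'mismatch'  - cert changed: renewed device cert or an interposed host;
                  this is the case that must be surfaced to the user
    """
    if not is_internal(host):
        return "reject"
    fp = fingerprint(der_cert)
    pinned = store.get(host)
    if pinned is None:
        store[host] = fp
        return "first-use"
    return "match" if pinned == fp else "mismatch"


def fetch_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the peer's DER certificate without CA validation (assumed helper).

    CA checks are disabled only because the pin comparison in decide()
    replaces them; callers must route the result through decide().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def load_store(path: Path) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Assumed store location and device address; the camera/printer case from the thread.
    store_path = Path.home() / ".lan-tls-pins.json"
    device = "192.168.1.20"
    pins = load_store(store_path)
    verdict = decide(device, fetch_der(device), pins)
    save_store(store_path, pins)
    print(device, verdict)
```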
Re: (Score:3)
these days
What's a "these days"? Is that some kind of arbitrary line that should magically make me throw away perfectly working hardware which doesn't support what you propose?
Re: (Score:2)
You shouldn't be using http even internally.
Why? My wifi uses WPA2. Don't everybody's?
What threat model are you using to make this pronouncement?
Why change? (Score:2)
Re: (Score:2)
Applications still use a diskette icon to represent Save, even though floppy drives haven't been installed on computers for years.
There's a whole generation of users who understand that icon means "save" but don't know why. That isn't the core issue here. If people continuously mistook the purpose of that icon then you would find it too would end up on the chopping block.
Poop Emoji (Score:2)
Re: (Score:3)
Because that's exactly the kind of misconception they are trying to avoid, as they have no way of knowing which site you intended to be on versus which site you actually navigated to. You can have a secure connection with someone untrustworthy. Establishing trustworthiness is another matter entirely and the lock icon has never meant that you could trust a site, just the connection. They do try to do some warnings through the safe browsing checks that block malware sites (among others) but there's no way they
Re: (Score:2)
They do more than just a poop emoji for those, they turn the whole thing red with a warning about deceptive sites:
https://safebrowsing.google.co... [google.com]
The main problem is it's a constant whack-a-mole game of new bad sites popping up, so it probably doesn't get seen as often as it should, even if they were perfect at it.
I think firefox is A-B testing a chain (Score:2)
to substitute the lock icon, but I am not 100% sure. Anyone know for sure?
Put some research into email alerting (Score:1)
Especially considering that that is where a tremendous amount of phishing is instigated. We have the tools to do it with DKIM, SPF and DMARC, yet MUA vendors have been pathetically behind the times, with some like Thunderbird doing nothing at all, and they are all pretty inconsistent with one another. For alerting, email is a different creature than web stuff since it is usually the initial vector to an attack and often arrives unsolicited, unlike the web. We all know that the lock icon is not a panacea, but that
The real TLS security problem. (Score:2)
The real problem is not a lock icon, it is CloudFlare.
Cloudflare and website operators have conspired to subvert the integrity of TLS connections and make the lock icon meaningless -- to the point that the connection may not even be encrypted and the user has no way of knowing. Cloudflare with its thousands of employees is the largest gang of men-in-the-middle in history.
When a website conspires with cloudflare the website changes its DNS to point to cloudflare servers rather than its own. So the user's
Re: (Score:2)
Fixing formatting to make my point clearer. Sometimes I forget slashdot code is stuck in the 90s.
------------
The real problem is not a lock icon, it is CloudFlare.
Cloudflare and website operators have conspired to subvert the integrity of TLS connections and make the lock icon meaningless -- to the point that the connection may not even be encrypted and the user has no way of knowing. Cloudflare with its thousands of employees is the largest gang of men-in-the-middle in history.
When a website conspires wit
HTTPS? So what? (Score:2)
Bring back the Gopher client!