Google has announced that it will replace the lock icon, which is commonly associated with website security, with a new icon that will not imply that a website is secure or trustworthy. The lock icon was first introduced to show that a website was using HTTPS encryption to encrypt connections.
However, given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS, the lock symbol is no longer necessary. Many organizations, including the FBI, have already published guidance that the lock icon is not an indicator of website safety.
Google’s decision to replace the lock icon is driven by the fact that it is misunderstood by users and often used to trick users into thinking they are safe from attacks, including phishing sites that use HTTPS and therefore also display the lock icon.
In its place, Google will use a “variant of the tune icon,” which is commonly associated with app settings and designed to show that it’s a clickable item. However, the lock icon will still be shown in the ‘tune’ submenu when website connections are secure.
The change was first announced in August 2021, when Google revealed that secure website indicators are no longer needed and would be removed from Google Chrome’s address bar since over 90% of connections are made over HTTPS. The new icon is scheduled to launch in Chrome 117, which releases in early September 2023, as part of a general design refresh for desktop platforms.
The lock icon will also be replaced in Google Chrome for Android in September, but it will be removed from iOS given that it cannot be tapped and is only displayed to convey additional information about the loaded website.
It is worth noting that Google Chrome will continue to alert users of insecure plaintext HTTP connections on all platforms. Those who want to test the lock icon replacement can enable it in Chrome Canary using the instructions provided by Google.
However, this feature is still under active development, and bugs are expected.
