Slashdot Mirror


Google Chrome To Remove 'Secure' Indicator From HTTPS Pages in September (bleepingcomputer.com)

Google announced Thursday it plans to drop the "Secure" indicator from the Chrome URL address bar -- starting with Chrome v68, set for release in July -- and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report: The move is scheduled to take effect with the release of Chrome 69, scheduled for September this year. Emily Schechter, Product Manager for Chrome Security, said the company is now comfortable making this move as a large chunk of Chrome's traffic is now via HTTPS. Since most traffic is HTTPS anyway, it's not necessary to draw the user's attention to the "Secure" indicator anymore.


  1. It will be back by asackett · · Score: 2, Insightful

    Now that the brakes work most of the time we can take the bumpers off the cars? Goofballs.

    --

    Warning: This signature may offend some viewers.

    1. Re:It will be back by Anonymous Coward · · Score: 3, Informative

      The title is misleading, they aren't removing the secure indicator, they are just removing the word "secure" but leaving the lock icon which indicates the exact same thing.

    2. Re:It will be back by Anonymous Coward · · Score: 2, Informative

      I was confused by the summary and so I RTFA.

      The change is more along the lines of, "we are no longer emphasizing when a site is secure, we are emphasizing when it is NOT secure."

      They are adding a "Not Secure" message to sites without https, as a bonus they plan to add flashing redness to the "Not Secure" message if you try to type into a form on that page.

      Overall, I approve, the "everything's OK alarm" can go.

    3. Re:It will be back by HiddenL · · Score: 3, Insightful

      Actually, no. The seatbelt ding is an "insecure indicator". When you are properly buckled, there isn't any warning or noise: there is only a "ding" when you are unbuckled. Chrome is gradually making the "not secure" more prominent for all plain http sites.

  2. How about ... by PPH · · Score: 4, Insightful

    ... an insecure indicator?

    --
    Have gnu, will travel.
  3. Re:Stupid move by thegarbz · · Score: 2

    So care to justify what makes it so stupid? Or are you going to repeat the shitty advice of the late 90s that says if you see the word "Secure" just go ahead and type all your credit cards in? Because that worked a treat! /sarcasm

    HTTPS is not security. Desensitizing people to the word "secure" is not security. We should be focusing on indications of proper EV certificates rather than confusing users.

  4. Re:What is the purpose? by gumpish · · Score: 2

    Get with the times.

    All UI must now be compatible with the lowest common denominator: a smartphone in portrait orientation.

  5. Only show/show only by wonkey_monkey · · Score: 2

    and only show a lock icon when the user is navigating to an HTTPS-secured website. From a report:

    "And show only a lock sign" would have been less ambiguous. I see a lot of people confused over what's being suggested here.

    --
    systemd is Roko's Basilisk.
  6. Re:If anyone from Mozilla is here. by wonkey_monkey · · Score: 2

    Edit: actually it looks like they're eventually planning to get rid of the lock, too. And the colouring is being ditched first, too.

    There'll still be a warning indicator on non-HTTPS sites.

    --
    systemd is Roko's Basilisk.
  7. Re:Stupid move by sexconker · · Score: 2

    We should be focusing on indications of proper EV certificates rather than confusing users.

    The entire reason we need extended validation certificates is because the TRUSTED certificate AUTHORITIES weren't doing their fucking jobs and weren't verifying anything before issuing certificates to anyone who wanted one.

    Telling the CAs they have to do more work to issue MORE TRUSTED certs won't fix shit.

    HTTPS was only ever about securing the pipe from one end to the other. It was never about ensuring the host on the other end is who you think it is, and it never will be. Maybe when CAs fuck up EV certs so badly in 2020 the clowns decide we need EV+ or EV2 certs you'll realize this.

  8. Re:Chrome, the Phisherman's friend. by Zontar The Mindless · · Score: 2

    In a just universe, it'd be one that administers an electric shock in response to using an apostrophe for the plural.

    --
    Il n'y a pas de Planet B.
  9. http blocked within 5 years by THE_WELL_HUNG_OYSTER · · Score: 2

    It's only a matter of time until Chrome either blocks http or users are forced to click a security exception button before an http site will load (like sites with invalid SSL certs today).