Google to Remove Secure Site Indicator from Chrome

Posted on May 18, 2018 by Paul Thurrott in Cloud with 19 Comments

Google announced this week that it will remove the green security indicator in its Chrome web browser by the end of 2018. Instead, it will now only call out those websites that are insecure.

“HTTPS usage on the web has taken off as we’ve evolved Chrome security indicators,” Google’s Emily Schechter explains. So “we [will] mark all HTTP pages as definitively ‘not secure’ and remove secure indicators for HTTPS pages.”

If it’s not clear, the security indicator is the green or red badge that sits to the left of the Chrome address bar when you load a web page. A green indicator means that the site is “secure,” or delivered over HTTPS. A red indicator means that the site is insecure, or delivered over HTTP.

As Google notes, users should expect the web to be safe, but I’m not sure that removing the green secure indicator is that smart. Color-coding for each site seems to work just fine. But they’re getting rid of the green bit.

Fortunately, they’re doing so over time. Starting with Chrome version 69, due in September, the security indicator will lose the green color and “Secure” text; you’ll just see a locked lock indicator. Then, in Chrome 70, that locked lock graphic will disappear too. And Chrome 70 will display a red “not secure” warning on HTTP pages.


Comments (19)

  1. rossdelliott

    Yet again, Google is dictating how the web works. It's bad enough that they've forced content to be "SEO" friendly (aka Google friendly), now they're forcing how hosting works. (Though since they give higher scores to HTTPS sites in their rankings, you could argue they've been doing this for a while already...)

    I don't disagree that things should be HTTPS, but Google is essentially forcing all hosting providers to enact this whether they have the means or not. Yes, services like Let's Encrypt are free (thankfully, because SSL certificates are ridiculously expensive otherwise), but not everyone has that option available to them for various reasons.

    At what point do they get push back on anything they are doing?

    • lvthunder

      In reply to rossdelliott:

      At no point will they get push back. No one wants to go up against Google. Unless they get hit with being a monopoly like Microsoft did in the 90s.

    • jecouch66

      In reply to rossdelliott:

      I disagree. Chrome is a free product and I can think of three alternative browsers one can use right now if dissatisfied with Chrome or Google's practices.

      They are not forcing anyone to do anything, but they are informing their user base when connecting to unsecure sites. That is the responsible thing to do. You as the consumer can still decide to visit the site if you wish. It doesn't matter why the site is not secure, it just matters that it's not.

    • DaddyBrownJr

      In reply to rossdelliott:

      I fail to see how encouraging safer browsing is "dictating" how the web works.

      • Stokkolm

        In reply to DaddyBrownJr:

        They're essentially requiring every site on the web to have a valid SSL certificate, whether they transmit sensitive information or not. That is definitely dictating how the web works. Users will now see a red "Not Secure" message for all HTTP sites and we've all been conditioned to avoid those sites at all costs.

        One thing I'm curious about though is if they're going to force the click through interface on HTTP sites like they do for invalid HTTPS sites. That would be pretty egregious, so we'll see.

        • Chris Hodapp

          In reply to Stokkolm:

          You are right that Google is attempting to at least guide how hosting happens toward HTTPS, but a big thing to understand is that even if a site isn't supposed to do anything secure, HTTPS is still a huge deal because it prevents the content of sites from being tampered with before you see it. You may think that that isn't a huge deal, but connecting over HTTP allows arbitrary JavaScript to be injected into the site, and at least US ISPs actively do this.

        • Nicholas Kathrein

          In reply to Stokkolm:

          Having HTTPS is important no matter what site you're on because it means your company who provides your internet can't see what it is you're doing. They probably can see the site address but that's all. Also it helps with man-in-the-middle attacks that you get by being on public / non-public WiFi. Everything should be HTTPS.

          • robsanders247

            In reply to Nicholas_Kathrein:

            Many of these public WiFi networks in hotels and airports are terminating the SSL session at the proxy. I’ve seen many instances where Outlook tells me it’s connecting to a URL with a certificate that’s definitely not the one from my company. If you want to be really secure on those networks, HTTPS is not enough and you need to be on a trusted VPN.

            I also believe there are perfectly valid use cases for having a site on plain-old HTTP. Not every site is equal and in many cases the added complexity and expense to add certificates is not worth it. We risk that we’ll lose a lot of those sites, which hurts the Open Web.

  2. red.radar

    This exemplifies Google's monopoly power. They can unilaterally change web behavior without the need for consensus from other groups.

    In this case the change seems good... tomorrow it may not. It highlights the danger and it should be discussed and dealt with.

  3. jwpear

    I think this visual change is too soon. We're just getting folks to expect a secure connection. Now Google has decided to flip the presentation. I think the lock icon should remain, if nothing else.

  4. MikeGalos

    Anyone want to bet Google finds a way to become an SSL root certificate provider and offer to provide discounted https hosting?

  5. skane2600

    I think potentially there could be lawsuits. https doesn't guarantee security and http doesn't guarantee a site is insecure. Labeling a site as insecure that isn't could be interpreted as abusing Google's relative monopoly status.

    • dontbe evil

      In reply to skane2600:

      no surprise, is scroogle... "don't be evil"

    • behindmyscreen

      In reply to skane2600:

      HTTP actually does guarantee your traffic is insecure.....not sure what you think that secure means but it has to do with the certificate, the identity of the site, knowing if your traffic is closed to prying eyes, and if you can trust that you are actually at the site you think you are at.

      • skane2600

        In reply to behindmyscreen:

        If you define "secure" solely as https, you're correct, but one can also take a broader definition that includes things like not allowing anyone to determine your browsing location through DNS, not allowing a web site to know your IP address etc.

        The only relevant traffic to a static site is going to be the URL of the site (that https can't hide) and the data returned from that site. I suppose someone could go to a lot of trouble to trick you into going to another static site, but it's not clear what the benefit would be.

        In any case secure == https is a technical classification and not something that a typical user would understand (and the fact that Google would use either the word "Secure" or "not secure" rather than having https or http "speak for itself" is proof that Google understands that). It could be reasonably construed as an indication that the site is infected. Thus the potential damage to the owner of the site.

  6. MarkPow

    This is a mistake; it’s worth keeping just the green padlock. This shows progress on the security of the web and reassures non-technical users, which, let's face it, the majority of Internet users are.