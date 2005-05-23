Google announced today that the lock icon, long thought to be a sign of website security and trustworthiness, will soon be replaced with a new icon that doesn't imply that a site is secure or should be trusted.

While the lock symbol was first introduced to show that a website was using HTTPS to encrypt connections, it is no longer needed given that more than 99% of all web pages are now loaded in Google Chrome over HTTPS.

These pages also include websites used as landing pages in phishing attacks or for other malicious purposes, designed to take advantage of the lock icon to trick targets into thinking they're safe from attacks.

"This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon," Google said.

[...] The lock icon will be replaced in Chrome 117 with a "variant of the tune icon," a user interface element commonly linked to app settings and designed to show that it's a clickable item.

[...] This move was first announced almost two years ago, in August 2021, when the company revealed that secure website indicators were no longer needed and would be removed from Google Chrome's address bar since over 90% of connections are made over HTTPS.

"When HTTPS was rare, the lock icon drew attention to the additional protections provided by HTTPS. Today, this is no longer true, and HTTPS is the norm, not the exception, and we've been evolving Chrome accordingly," Google said.

[...] It's worth noting that Google Chrome will continue to alert users of insecure plaintext HTTP connections on all platforms.