🔒Moving towards secure-by-default indicators! Chrome's plan to evolving security indicators. blog.chromium.org/2018/05/evolvi…
106 replies and sub-replies as of May 18 2018

How are we supposed to know if a page is secure with no indicator? That is ridiculous!
read the article 😎
I got it now, http pages will be non secure and https won't need an indicator, however I still prefer at least a padlock as an indicator.
A lock indicates to users that what they're doing is safe. When that may not necessarily be true. HTTPS alone does not mean secure. It more means authenticated and harder to spy on. I know people who have been caught by HTTPS on bad sites before, no lock could help that.
ok...but, there are multitudes of internet/information/cyber/network security sites that do not use HTTPS and ask visitors to drop adblocker and other unsafe things...so when the 'pros' screw the pooch on what they tell us to do, who do you trust to tell you what to do??
So for that reason we should see at least a padlock.
Add this one to your site 👍
This is so good
For what reason? Authentication? How does a lock represent that a source is who they say they are?
It does not help. But removing the lock won't help either.
So, if it doesn't help why keep it? It's not a good point to say, it does nothing but I want it. Things must serve a purpose to end users.
I prefer to see a clear sign that the website I open is using https.
When this all rolls out, the clear sign is that you aren't told it isn't secure in some way. Secure-by-default is the new goal. So do most end users need a sign then? No, it's the default.
The goal is to try and reduce the vectors bad actors can use to manipulate end users. Providing focus to things like the domain name for users to tell if they are where they should be. Personal preference of a lock making you feel good is not relevant.
It’s a difficult one. I like having the secure indicator, but I also know a ton of users will undoubtedly confuse “https” for authenticity. More needs to be done to raise awareness about this.
In the future, this will be like preferring a clear sign that your computer is turned on
Will non-HTTPS show a more clear indicator for being not secure?
This seems like a reasonable idea to explore. I wonder if users would see and understand an icon in the URL bar or if the browser itself should show some other sort of warning before users send sensitive information.
« ... in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages. »
I understand and support the idea of reversing the security statement. At the same time, though, I can't help but think about the fact that we spent years teaching end-users that "green lock = secure" and can't help but think this might backfire.
It was never a true statement to make. I have SSL on my website. Doesn’t mean it’s secure. Payp4l.com could have SSL, tricking the user into thinking they’re on a secure site. They’re not.
Hence why EV certificates exist.
Yeah, but to be fair, we should never have told end users "green padlock equals safe".
I somewhat agree, but I guess it's the flow of things that users will get used to a certain kind of symbology once enough (well known) products implement it. What reasonable alternative would you have preferred?
Some of us actually did - "pay attention to what you see; does the site look right? Is the domain name the one you expect? And if anything feels off, better safe than sorry - Google it, or in the case of your bank etc. - don't click the link, log in through the home page."
Never give end user training that requires the status quo to remain the status quo. Takes more work to do it that way, but you don't end up saying "okay, I know what I said last time, but"
ok, but, the average, non-insider end user wants convenience and obvious indicators that content providers and service providers are taking security seriously enough to secure the convenience...
also, most outsider end users think that if a site looks different then it was changed by the legitimate owner...also, most people don't examine the URL enough to know if it is different or strange or wrong...they figure the 'Internet tubes' are handling that kind of stuff for them
And why do they think these things? It isn't true. It isn't true of anything else they deal with, either. They think it with computer security because we tell them bullshit like "green padlock means safe" and pat ourselves on the back for keeping it simple.
Because they don't know any better. Frankly, you can't expect every user to care enough about computer security to go beyond the simple indicators. In an ideal world, they would, but this is reality and that's why de-facto standards like this form and become accepted.
I can expect users to care, with the proper education and awareness. When they're properly supported, when they're treated as people rather than "clueless users", when they're engaged rather than talked at, I can and do expect people to care, to learn, and to do well.
While I think all of these are great advice, I admit I'd rather explain the "green padlock = secure" to an end user than any of those rules. Don't get me wrong, they're spot on but I'm talking users that don't [want to] know what a domain is and how to go to the site manually.
Then don't train end users.
Sorry, but the current way is way better. Yes, https should be default for all web pages, but I would keep the green indicator. I also would suggest to make the "Not secure" label even more red and more eye catchy.
What about EV ssl certificates? How are those displayed?
How does this impact sites with EV certs? Will those indicators disappear as well?
Seems like they are looking at removing them as well
So it turns out that 3 different machines in my workshop today are part of the Chrome experiment to remove the EV indicator from the browser. The usefulness of EV is going, going...
Yeah, but it's all just a test right now? Hope to get some kind of clear indication soon.. (see what I did there? ;)
I suspect the EV indicator will be removed, it’s superfluous at present and Chrome is really pushing to simplify the UI
I figured as much.. it does make sense - guess we'll have to wait for official word tho. Makes planning new cert policy tough.
Yes they are removing them for all and they will warn about http sites. The lock icon is not proof of a secure site, just proof the connection is encrypted. Malicious sites often have the lock.
Say goodbye to that green 'Secure' lock on Google Chrome
Google says security should be so normal you don't see it. But bad security should be in your face.
cnet.com
Are you sure it's a good idea ?
If all insecure pages showed a big red "Not Secure" warning, then getting rid of the green might work. But no-color secure along with no-color insecure is much to subtle. It's not enough to show color just when a password is being entered.
« ... in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages. »
It's not enough to show color only when data is being entered because security is important whether you're reading or writing. If we want to eliminate the green indicator on secure sites, then insecure sites should show a large, prominent, red warning at all times.
it already does this
This is such a terrible idea, please don't do that
What about EV?
Please teach users what is wrong and begin with ftp. ❤️
I believe Chrome already labels `ftp://` resources as "Not Secure".
Currently I don't know that 'ftp' is itself the problem. It is also confusing that sometimes https is red and crossed out like it would be a protocol that I shouldn't use, despite being mostly green.
Got it. We currently mark `ftp://` URLs as not secure, but we don’t yet turn them red. @emschec @estark37: WDYT about being more aggressive here first? (I’ll write the patch :) )
I think the current mechanism of showing http:// only on non-www & non-apex domains would be confusing in the future: Please always show http:// as a compensation for hiding https:// and to make it possible to mark it red later. So it's easier to learn that https is the default.
Why can't we just keep the green "badge" for websites that employ not just HTTPS but also other best practices to keep the website as secure as possible? Keep updating the requirements and companies will keep improving their websites in order not to lose that badge.
Keep the green indicator ? Works better for me. Secure by default is nice, but there’s no harm in leaving the green indicator.
a lot of people associate green with safe and it is increasingly easy for scammers to use https, so users will be fooled into thinking a site is safe by their own browser, having red on http, grey on https and green on ev https would be the best
Lots of non tech people look for Secure. If it does not say that it will freak them out
What's the worst that will happen? They switch back to Internet Explorer? Walk away from their computer and go outside? I think they'll adapt pretty quickly.
It would freak people out though, for instance all adults I know know to look for that green padlock.
I'm thinking beyond the initial freakout. What're they gonna do as a result of the freakout? Or is that "freaking out feeling" what you're worried about? I think most users who are concerned will try clicking the ℹ️ where the 🔒 used to be, which will then say "Secured"
The freaking out feeling. I think some people who are less techy will be genuinely scared to submit forms and login, because the media have implanted the idea that the padlock is pretty much required.
The problem is that scammers can also use HTTPS. We should not place a big green lock and say secure on things just because they are HTTPS. It makes a ton more sense to make plain HTTP convey danger instead.
I never thought of it that way, that does make sense. Because some may just look at the padlock, without it, they might check the domain.
That's not a good idea, I think. People have gotten used to seeing the green secure mark which builds their trust in the website. You should rethink this before making it a default on Chrome!
Approximately, when to expect HTTP in RED for all HTTP pages?
There's been no announcement beyond what's in the post: October 2018 (Chrome 70) will start showing the red “not secure” warning when users enter data on HTTP pages.
It applies to "search bar" inputs too, right?
I don't know what you mean by "search bar" but if you're talking about a text box on a webpage, then yes.
At least keep green lock icon. Removing it completely is idiotic...
SECURE BY DEFAULT IS NOT SECURE. Why do you people continue to make poor product decisions and think it's a great idea for the user?
How is "secure by default" ...not?
Uninstalling Chrome on September 2018
Why tho? Why not just keep the lock icon like green or something. So we still have something to tap on when we want to see the website’s permissions or settings. Like what if I want to block notifs on this site, or permission to camera. Where will that setting go?
Sorry, but that's like saying the traffic lights are green by default if they're not working (No indication of the status) ........personally I'm not a fan of this plan
This isn't a fail state though. The fact that the site uses HTTPS should be invisible to the user. If the site *isn't* using it, that will be conveyed.
Unless ALL browsers are going to use the same indication then confusion will reign. All this tells the user is 'no indication is a good indication' and that assumes the user has a level of understanding of online security they may not have.
When the vast majority of web traffic is encrypted, even users with an understanding of security will not need to check if every site is secure. They'll just be notified (in red) when it's *not* secure. You don't check to make sure every HTTP request returns a 200, do you?
So after training users for so long to look for the padlock, it'll be removed? I don't see the benefit to this, it's a silly idea.
Going forward, we won't have to train them at all. HTTPS will be assumed, and if it's insecure, they'll get a little warning. I think people will adapt pretty easily. I think the green lock made them feel good, but I don't think its absence stopped a lot of people
Whose stupid idea is this? Let the people on social media troll that person. Please disclose the twitter handle at least. 😇 There should have been some polling here. I believe Chromium is open source project.
I really don't like this development. We educated users that they have to look for a "green lock" in their address bar. This will confuse a lot of people.
My parents have recently got into the habit of checking for the green padlock when doing online shopping. Is there going to be any kind of message about this change in behaviour shown to people who don't follow the Chrome Dev Twitter feed?
Yes, your parents should be receiving a call about it later this year. (From you 😁) Jk, that's a good question though. In the worst case scenario, I wonder how confused people will be, considering this will affect *all* websites. I bet some will just use their secondary browser
We always look for the indicator to know if a website is secure, this will be so confusing ...
👍 in general. Small suggestion: more red / ⚠️ on http form fields (or a pop-up like for password autocomplete). Some people won't notice the warning in the address bar I think
"Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning" - without indicating how much https usage there is, this does not sound like a valid reason.
They link to their exact transparency report
Next up, implied stop signs! If you don't see it, it means it's there
Actually, a stop sign is exactly what they are putting up (http is now a warning instead of default). Before, we only had "GO" signs and baddies could also put up the "GO" signs.
So I guess traffic lights will begin to be made with yellow and red now, green is default, implied!
These analogies don't make a lot of sense. :) The "traffic light" looks like this: Today: http: Neutral, https: Good. After October: http: Bad, https: Neutral. The new version is much better at conveying the risk to the user, as https can be a bad site.
Just tell me I'm on https when I am and tell me when I'm not. There need not be a default. Fine, don't use the word secure. This 'by default' approach is what other areas of engineering have gotten rid of because of accidents and bad understanding
Agree with this, user informed approach is much better. An indicator for HTTP or HTTPS session is still useful. The gold standard may be all web traffic using TLS but when is ‘eventually’? Much like IPv6 is considered an eventuality but we’re still, mostly, on v4 many years later
We need to be "told" what it is in both cases. Neither should be implied. That's why traffic lights have 3 lights. None is implied. None is the result of the other two being off. This type of thing needs to be communicated explicitly. Ass, you and me.
The short-sightedness in many of the replies here baffles me. The "happy safe green lock" UX is super exploitable by scammers - it makes a ton more sense to have a UX that conveys http as DANGER unsafe and https as neutral.
yeah idk why people are so unwilling to change
Makes sense for devs, for the broader audience #ux wise? Not so great honestly