Modern field guide to security and privacy

How Google's icon experiment could improve online security

Changing the way icons indicate safe website connections may seem small, but it could have a profound impact on users' understanding of secure online communications.


Google just took a small step toward increasing users' understanding of their online security.

On Chrome Canary, the experimental version of the Google Chrome browser, Google has ditched the lock-and-triangle icon (below), an ambiguous symbol that indicates a mixed degree of security on a site. Instead, it began marking all sites that don't have a fully secure connection the same way as sites with a nonsecure connection – a blank page icon.

A lock with a yellow warning triangle means the user's connection to the site is "dubiously" secure. The connection is encrypted, but some of the site's resources do not have an encrypted connection. BadSSL.com is a website that displays various problems with SSL implementation.

If the change is eventually adopted in the regular Chrome browser, experts say it could eliminate confusion surrounding online security and help users understand that the site is not fully secure.

Currently, the lock-and-triangle symbol is one of several icons that could come up in the URL bar depending on the user's connection to the website.

A site’s URL will begin with either “HTTP” or “HTTPS.” The “s” indicates a secure connection that encrypts the Web traffic between a user and a particular website. Without the “s,” a user’s connection to the site is not encrypted, and any information the user submits over the site, such as credit card information or passwords, could be compromised.

“Most people don’t start thinking about security, they only start thinking about security when you raise the issue of security to them,” said Matt Green, security researcher at Johns Hopkins University. “The lock does that, but in the absence of a lock, you’re basically saying that conversation isn’t happening.”

To help users notice the difference, Google uses several icons in its Chrome browser, the world's most popular browser, that appear before the URL to indicate the security of the connection. A green padlock means the user has a secure, encrypted connection to the site. The gray lock and yellow triangle mean the connection is encrypted, but there are elements on the page that are not secure, such as pictures. Google suggests not submitting private information on a page like that. And a white page icon is for sites that do not encrypt the connection between the user and the site. These sites will have “HTTP” instead of “HTTPS.”

A green lock means the user has a secure connection to the website.

  

A white page icon means the connection between the user and the website is non-secure. There is no encryption, and the user should not submit sensitive information to the website.
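The three indicators described above can be reproduced with a short check that site owners can run against their own pages. This is an added example, not code from Google or from the article. The names `classify`, `FETCHING_ATTRS` and the sample page are hypothetical, the tag list is an illustrative subset, and a valid certificate on the HTTPS page is assumed rather than verified. It counts only elements the browser fetches as part of the page, not links the user may click.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tag -> attribute that makes the browser fetch a subresource (illustrative subset).
FETCHING_ATTRS = {"img": "src", "script": "src", "iframe": "src",
                  "object": "data", "link": "href"}
FETCHING_LINK_RELS = {"stylesheet", "icon"}  # <link rel=canonical> fetches nothing

class InsecureSubresources(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = []  # subresource URLs that would load over plain HTTP

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href>: a link the user may follow, not page content
        attrs = dict(attrs)
        rels = set((attrs.get("rel") or "").lower().split())
        if tag == "link" and not rels & FETCHING_LINK_RELS:
            return
        value = attrs.get(attr)
        if value:
            # urljoin resolves relative and protocol-relative ("//host/x") URLs
            absolute = urljoin(self.page_url, value.strip())
            if urlparse(absolute).scheme == "http":
                self.found.append(absolute)

def classify(page_url, html, collapse_mixed=False):
    """Return (icon, insecure_urls); collapse_mixed=True models the Canary experiment."""
    if urlparse(page_url).scheme != "https":
        return "white page", []
    parser = InsecureSubresources(page_url)
    parser.feed(html)
    if not parser.found:
        return "green lock", []
    return ("white page" if collapse_mixed else "lock with triangle"), parser.found

# Constructed sample page, not taken from any real site.
PAGE_URL = "https://shop.example/checkout"
SAMPLE_HTML = """<link rel="stylesheet" href="/site.css">
<link rel="canonical" href="http://shop.example/checkout">
<script src="//cdn.example/app.js"></script>
<img src="http://img.example/banner.png">
<a href="http://partner.example/">partner</a>"""
```

On the sample page only the banner image is reported: the protocol-relative script inherits HTTPS from the page, and the canonical link and the anchor are never fetched as page content.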

According to a tweet by Chris Palmer, a security engineer for Google Chrome, the move to delete the triangle is, “a recognition of how much cognitive overhead people can manage.” 

Chrome Canary is an experimental version of Google Chrome that Google describes as being on the “bleeding edge” of the Web – so new and in-development that it changes every day and “can sometimes break down completely.” It’s where Google tests out new browser features.

While average Google Chrome users might not see the update for a while – or at all, depending on whether later incarnations take its place – the move fits into the Chrome security team’s proposal earlier this year to mark HTTP as nonsecure.

The proposal notes that users often do not notice when a warning sign is not present.

“Yet the only situation in which web browsers are guaranteed not to warn users is precisely when there is no chance of security,” the proposal says, referring to the unmarked HTTP sites.

It called for feedback on different ways to transition to marking the HTTP sites differently.

“We all need data communication on the web to be secure (private, authenticated, untampered),” it says. “When there is no data security, the [site] should explicitly display that, so users can make informed decisions about how to interact with an origin.”

Editor's note: This article was updated Aug. 17 to clarify that mixed content means that certain elements of the website are insecure, not just links. 
