​Chrome loses “confusing” yellow triangle for HTTPS sites

Google is removing a security icon it has used in Chrome to warn people that something’s amiss with a page that’s encrypted and should otherwise be considered secure.

The decision, announced today, will for some website owners mark the end of a bugbear that may have unnecessarily frightened visitors away by suggesting their site suffered from vaguely described security issues when in fact, as Google has now admitted, it was imperfectly implemented HTTPS that was still an improvement on unencrypted HTTP.

In September’s Chrome release number 45, Google had four different warnings including secure “HTTPS”, “HTTP”, “HTTPS with minor errors”, and “broken HTTPS”.

When visiting an encrypted HTTPS website, such as a bank’s website, Chrome typically displays a green padlock icon to communicate that the browser is on a secure connection and that the website’s digital (SSL) certificate proves it’s the site it claims to be.

Visit most news websites in Chrome and the browser will display a blank page icon in the address bar, signifying it’s an HTTP website on an unencrypted connection that lacks an SSL certificate to validate its identity.

A third icon, a padlock on a red background overlaid by a strike symbol or cross, indicates broken HTTPS and that the site could be a phishing page.

The fourth icon — a yellow triangle on a padlock and the one that will vanish from Chrome 46 — signifies “HTTPS with minor errors” such as “mixed content” issues, which occur when an HTTPS page draws on non-secure resources, such as an HTTP image or advertisement.

Google also began using the yellow triangle in Chrome 39 to signify that a website was using a SHA-1 SSL certificate, which it considered a deprecated or insecure practice. Other browser makers, including Microsoft and Mozilla, have also committed to phasing out SHA-1 certificates imminently for the same reasons.

Starting with Chrome 46, however, on pages where Chrome detects insecure practices, the browser will simply present the HTTP blank page icon.


As Google notes, the site “may not be fully secured, but it will usually not be less secure than before” its transition from HTTP to HTTPS.

This fact partially explains the move. Another reason is that the yellow icon was confusing.

“We’ve come to understand that our yellow “caution triangle” badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users,” Google said.

The other is that the yellow warning icon could have had the perverse effect of discouraging website operators from making the shift to HTTPS for fear they may be penalised due to that confusion.

“Removing the yellow “caution triangle” badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later,” said Google.

The downside is that users won’t see a warning when they visit a mixed content page, which could, for example, be exploited by an attacker to launch a cross-site scripting attack on a browser.

“We have to strike a balance: representing the security state of a webpage as accurately as possible, while making sure users are not overwhelmed with too many possible states and details,” said Google.

The search company also pointed out that in the long run it hopes to display all HTTP content as non-secure to indicate that a particular page offers no data security whatsoever.


Stories by Liam Tung
