Google is removing a security icon it has used in Chrome to warn people that something’s amiss with a page that’s encrypted and should otherwise be considered secure.
The decision, announced today, will for some website owners mark the end of a bugbear that may have unnecessarily frightened visitors away by suggesting it suffered from vaguely described security issues when in fact, as Google has now admitted, were imperfectly implemented HTTPS that was still an improvement on unencrypted HTTP.
In September’s Chrome release number 45, Google had four different warnings including secure “HTTPS”, “HTTP”, “HTTPS with minor errors”, and “broken HTTPS”.
When visiting an encrypted HTTPS website, such as a bank’s website, Chrome typically displays a green padlock icon to communicate that the browser is on a secure connection and that the website’s digital (SSL) certificate proves it’s the site it claims to be.
Visit most news websites in Chrome and the browser will display a blank page icon in the address bar, signifying it’s an HTTP website on an unencrypted connection that lacks an SSL certificate to validate its identity.
A third icon, a padlock on a red background overlaid by a strike symbol or cross, indicates broken HTTPS and that the site could be a phishing page.
The fourth icon — a yellow triangle on a padlock and the one that will vanish from Chrome 46— signifies “HTTPS with minor errors” such as “mixed content” issues, which occurs when an HTTPS page draws on non-secure resources, such as an HTTP image or advertisement.
Google also began using the yellow triangle in Chrome 39 to signify that a website was using a SHA-1 SSL certificate, which it considered a deprecated or insecure practice. Other browser makers, including Microsoft and Mozilla, have also committed to phasing out SHA-1 certificates imminently for the same reasons.
Starting with Chrome 46 however, on pages where Chrome detects insecure practices the browser will simply present the HTTP blank page icon.
As Google notes, the site “may not be fully secured, but it will usually not be less secure than before” it’s transition from HTTP to HTTPS.
This fact partially explains the move. Another reason is that the yellow icon was confusing.
“We’ve come to understand that our yellow “caution triangle” badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users,” Google said.
The other is that the yellow warning icon could have had the perverse effect of discouraging website operators from making the shift to HTTPS for fear they may be penalised due to that confusion.
“Removing the yellow “caution triangle” badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later,” said Google.
The downside is that users won’t see a warning when they visit a mixed content page, which could, for example, be exploited by an attacker to launch a cross-site scripting attack on a browser.
“We have to strike a balance: representing the security state of a webpage as accurately as possible, while making sure users are not overwhelmed with too many possible states and details,” said Google.
The search company also pointed out atet in the long run it hopes to display all HTTP content as non-secure to indicate that a particular page offers no data security whatsoever.
Blast from the past?
Try our new Space Invaders inspired video game NOW.
What score can you get ?Read more: Victorian public-service executives ignoring warnings on IT security processes, end-of-life software: auditor