Over the years, Chrome has been a big proponent of increasing HTTPS adoption to improve privacy and security on the web. The latest Chrome steps include rolling out an HTTPS-First Mode and experimenting with a replacement for the lock icon in the address bar.
Google reports over 90% of page loads in Chrome on most operating systems occur over HTTPS. Compared to HTTP, others on the network cannot intercept or alter personal information or any other data that’s shared over a connection.
The company believes “there’s more we can do to help make HTTPS the preferred protocol on the web, and better protect users on the remaining slice of the web that doesn’t yet support HTTPS.”
The first expansion is an HTTPS-First Mode that will start rolling out with Chrome 94 in September. All page visits will first try to load over HTTPS. On sites that don’t work, the Google browser will show a full-page warning before connecting over HTTP.
Based on ecosystem feedback, we’ll explore making HTTPS-First mode the default for all users in the future. Mozilla has also shared their intent to make HTTPS-only mode the future of web browsing in Firefox.
Meanwhile, with most pages using HTTPS, Google wants to retire the lock icon that appears to the left of URLs in the Chrome Omnibox:
In particular, our research indicates that users often associate this icon with a site being trustworthy, when in fact it’s only the connection that’s secure. In a recent study, we found that only 11% of participants could correctly identify the meaning of the lock icon.
Google wants to “reduce this confusion” by running an experiment with Chrome 93 later this month to replace the padlock with a “more neutral entry point to Page info.” Google is currently trying a downward-facing chevron/caret to open the menu that lets users set site permissions and see other details.
Importantly, a “Not Secure” indicator will continue to show on sites without HTTPS support, and the experiment includes an enterprise policy in case organizations want to opt-out. In all cases, we’ll provide advance notice if we decide to move ahead with a full launch.
Google today committed to HTTP support in Chrome, but will take steps to “protect and inform users whenever they are using insecure connections.” This might include limiting or restricting features on the insecure connection.
FTC: We use income earning auto affiliate links. More.