The lock icon in your browser is going away because people don’t understand what it means

Web browsers have had the padlock icon next to the website addresses for years to show that the site has an SSL certificate and that your data is protected between you and that website. For years it was mostly just ecommerce that had that, but in 2017 Google started pushing all sites to use SSL.

SSL is a great thing, but it’s often very misunderstood. At a basic level, it protects that information that you give to a website (so no one can see it in transit), but that’s about it. It offers no other protection for the website itself, or for your assurance that the website is legit. As I heard a friend say at a security conference, “SSL just means that hackers have a secure way to get your site”.

As a consequence of the confusion, many users see the padlock and assume that the site is completely safe — not only is their data safe, but the site itself is reputable. Those two things are completely unrelated, and it’s led to problems. Here is what Google had to say about it:

Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon.

This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon.

Any good scammer will use SSL, so that icon is of no value. Google has slowly been making the lock less obvious, and now they’re…