Web browsers have had the padlock icon next to the website addresses for years to show that the site has an SSL certificate and that your data is protected between you and that website. For years it was mostly just ecommerce that had that, but in 2017 Google started pushing all sites to use SSL.
SSL is a great thing, but it’s often very misunderstood. At a basic level, it encrypts the information you exchange with a website so that no one can read or tamper with it in transit, but that’s about it. It offers no other protection for the website itself, and no assurance that the website is legitimate. As I heard a friend say at a security conference, “SSL just means that hackers have a secure way to get your site”.
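To make the point concrete, here is an added example (my own code, not part of the original post) of what the padlock actually stands for on the client side: the presented certificate is bound to the hostname in the address bar and is within its validity window (the CA trust chain is assumed already verified). The three certificates below are constructed in the dictionary shape that Python’s `ssl.SSLSocket.getpeercert()` returns; the names `example-bank.example` and `example-bank-login.example` are made up. Both the genuine site and the lookalike pass every check the lock summarizes, which is exactly why the lock says nothing about legitimacy.

```python
import ssl
import time

# Constructed certificates (not real sites), in getpeercert() layout.
LEGIT_CERT = {
    "subject": ((("commonName", "example-bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "example-bank.example"),
                       ("DNS", "*.example-bank.example")),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 23:59:59 2026 GMT",
}

# A lookalike domain with its own perfectly valid certificate.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "example-bank-login.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "example-bank-login.example"),),
    "notBefore": "Mar 10 00:00:00 2024 GMT",
    "notAfter": "Mar 10 23:59:59 2026 GMT",
}

# Same legitimate name, but the certificate has lapsed.
EXPIRED_CERT = {
    "subject": ((("commonName", "example-bank.example"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "example-bank.example"),),
    "notBefore": "Mar 10 00:00:00 2022 GMT",
    "notAfter": "Mar 10 23:59:59 2023 GMT",
}


def _name_matches(pattern, hostname):
    """RFC 6125 style match: a wildcard may only replace the whole leftmost label."""
    p = pattern.lower().split(".")
    h = hostname.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two labels after the wildcard so '*.com' never matches.
        return len(h) >= 3 and p[1:] == h[1:]
    return p == h


def hostname_bound(cert, hostname):
    """True if the certificate names the hostname (SAN first, CN only as a fallback)."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_name_matches(n, hostname) for n in names)


def currently_valid(cert, now=None):
    """True if 'now' falls inside the certificate's notBefore..notAfter window."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notBefore"])
            <= now
            <= ssl.cert_time_to_seconds(cert["notAfter"]))


def padlock_checks(cert, hostname, now=None):
    """The properties the lock icon summarizes. Note what is absent:
    nothing here asks who operates the site or whether it is reputable."""
    return {
        "hostname_bound": hostname_bound(cert, hostname),
        "currently_valid": currently_valid(cert, now),
    }


def padlock_would_show(cert, hostname, now=None):
    return all(padlock_checks(cert, hostname, now).values())


if __name__ == "__main__":
    # Fixed clock so the demonstration is reproducible.
    NOW = ssl.cert_time_to_seconds("Jun 15 12:00:00 2025 GMT")
    for label, cert, host in [
        ("genuine site", LEGIT_CERT, "www.example-bank.example"),
        ("lookalike site", LOOKALIKE_CERT, "example-bank-login.example"),
        ("expired cert", EXPIRED_CERT, "example-bank.example"),
    ]:
        print(f"{label:15s} lock shown: {padlock_would_show(cert, host, NOW)}")
```

Run as a script it reports the lock for both the genuine and the lookalike site and withholds it only for the expired one; the only way the lookalike fails is if a user types the real bank’s name and the lookalike’s certificate is presented, which is a name mismatch, not a reputation judgment.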
As a consequence of the confusion, many users see the padlock and assume that the site is completely safe — not only that their data is protected, but that the site itself is reputable. Those two things are completely unrelated, and it’s led to problems. Here is what Google had to say about it:
Despite our best efforts, our research in 2021 showed that only 11% of study participants correctly understood the precise meaning of the lock icon.
This misunderstanding is not harmless — nearly all phishing sites use HTTPS, and therefore also display the lock icon.
Any good scammer will use SSL, so that icon is of no value. Google has slowly been making the lock less obvious, and now they’re going to replace it with this new symbol:
While I think it’s an improvement in some ways, as people won’t see the misunderstood lock, it’s a confusing icon itself. Personally, I think Google should have just done away with that icon completely, and only alerted users when a site was not using SSL at all.
Either way, this should help a little bit, and it’s a reminder to all of us that hackers do many things to try to appear legit, so always be on guard.