Google has decided to remove its yellow “caution triangle” previously used in Chrome to denote an HTTPS website with insecure elements, in a bid to encourage more operators to switch to HTTPS and make security more user-friendly for netizens.
Lucas Garron and Chris Palmer of the Chrome security team explained in a post on the Google Online Security Blog that starting with Chrome 46, the “HTTPS with Minor Errors” state will use the “same neutral page icon as HTTP pages.”
This, they said would be a “better visual indication of the security state of the page relative to HTTP” and ensure that Chrome users have fewer security states to learn.
It means there are now three security states for users to spot: a green padlock for fully-configured HTTPS sites; a neutral grey for HTTPS with minor errors and HTTP sites; and a padlock overlayed with a red cross plus a crossed out red ‘HTTPS’ for a broken HTTPS site which could be malicious.
The duo claimed that the changes would mainly affect web owners with HTTPS pages that contain mixed content like HTTP images.
“Site operators face a dilemma: switching an HTTP site to HTTPS can initially result in mixed content, which is undesirable in the long term but important for debugging the migration. During this process the site may not be fully secured, but it will usually not be less secure than before,” they explained.
“Removing the yellow ‘caution triangle’ badge means that most users will not perceive a warning on mixed content pages during such a migration. We hope that this will encourage site operators to switch to HTTPS sooner rather than later.”
Google’s ultimate aim is to reduce the icon to a simple binary “secure” or “not secure” so this change is a small step in that direction.
“We’ve come to understand that our yellow ‘caution triangle’ badge can be confusing when compared to the HTTP page icon, and we believe that it is better not to emphasize the difference in security between these two states to most users,” said Garron and Palmer.
“For developers and other interested users, it will still be possible to tell the difference by checking whether the URL begins with ‘https://’.”
Image copyright: