Google changes icons in Chrome

7 September 2016

Research has shown that the current security indicators used by browsers to warn visitors against non-secure websites are not clear enough. Google will therefore introduce new icons for its Chrome browser.

Chrome user statistics revealed that visitors did not respond (enough) to warnings. Warning the visitor against unreliable or non-secure websites is pointless if visitors do not understand what a notification means or if they fail to realise its importance and then ignore the message.

Knowledge of SSL

Google has therefore cooperated with the university in Berkeley, California, to conduct a study among 1,329 Chrome users. This study revealed that most respondents understand what HTTPS:// means. The secure connection was often mentioned, as well as the authentication that SSL offers (although the latter was brought up less often). Far fewer respondents knew that HTTP:// indicates a non-secure connection.

The most recognisable icons

Next, a selection of over forty icons with variations in colour and shape was tested among thousands of respondents to find the icons with the strongest associations with “secure” and “non-secure.” This test led to a selection of three icons that remain recognisable even if they are displayed at a small size and without colour.

The most recognisable terminology

Google also examined which terms were considered to be the clearest when combined with these symbols. The terms “secure” and “https” were associated most strongly with security, while “not secure” and “site not secure” were associated with a lack of security.

Implementation in Chrome

Google has adopted the recommendations of the study and implemented them into the current version of Chrome (version 53 for Windows and one version earlier for Mac). The representation of a secure connection has undergone minimal changes. The representation of a non-secure connection, however, has changed significantly: a non-secure HTTP connection now displays an “i,” which is intended to encourage visitors to click on it for more information. A broken HTTPS connection displays a highly noticeable hazard triangle.

What else?

Making the indicators clearer is part of Google’s goal to promote the adoption of HTTPS:// as the new standard. The next step will likely be to study how to make the indicators as noticeable as possible. The representation of the different types of SSL certificates (Domain validation certificates with limited verification versus the extensively verified Extended Validation certificates) has not yet been covered in the current research.