
BSidesSF 2026 - What happened to the lock icon? (Serena Chen)

BSidesSF26 | 2811 views | Published 2026-05
About this talk
If you've been particularly eagle-eyed, you might've noticed that the lock icon disappeared from Chrome. This is the story of why that happened, and maybe it's secretly a story about HTTPS and the web ecosystem and the Sisyphean task of securing the web as a whole...

https://bsidessf2026.sched.com/event/651b98de1d3a5453e0415166c9726cfe
Transcript [en]

Uh, welcome everyone everyone to uh, day two of BSides SF. Our first talk of the day will be Serena Chen talking about what happened to the lock icon. Serena.

>> Okie dokie. Thanks for coming.

>> All right, so the year is 2023 and in September of 2023, Chrome rolled out a redesign. We went from this to this. And for the super eagle-eyed amongst you, you may have spotted a curious difference. The lock icon is no longer there. H what happened? Why did we remove this beautiful symbol of security? And perhaps most importantly, who cares? Um hello. Hi, I care. Hi, I'm Serena. Uh, I'm a UX person on the Chrome security team and uh, I have tricked the organizers into letting me talk about an icon for 20 minutes. Here we go. This is why Chrome removed the lock icon. Bam. Title slide. Let's go.

But first, what does the lock icon even mean? Why was it around in the first place? Uh, who knows here? You can shout it out. Audience participation. What does the lock icon mean? Yeah, it means HTTPS. What does HTTPS mean? It means HTTP secure. What does that mean? All right, I'll take you on a quick trip through memory lane. In 1994, Netscape Navigator creates HTTPS or SSL version one, but it was never released due to security problems. Okay. Um, a year later though, SSLv2 is released with a number of flaws. Okay, moving on. Third time's the charm. After many revisions of the spec, SSLv3 is released in '96 and standardized in the new millennium. Time passes and it would be 10 years later that a large web app would launch available through HTTPS. So even been uh even though it's been 10 years since HTTPS was invented at this point, it's still kind of rare. So rare that our old friend Internet Explorer used to show a warning before connecting via HTTPS. This is what my colleague David Adrian likes to call the everything's okay alarm. It's all okay. So, it is a beautiful year 2004 and HTTPS is still this niche web enthusiast type thing. We'll come back to this timeline a bit later.

Okay. So, what does HTTPS do? It guarantees three things. Authentication, meaning the website is who they say they are and not someone else. Encryption, meaning no one can spy on the communications between you and the website. And data integrity, meaning no one else can like change and edit the message between you and the website. Now encryption and data integrity you get with this thing called public key cryptography which is a lot of math and uh functions where it's like really easy to encode a message into gibberish but then basically impossible to take that and get back to the original message unless you have the matching private key. Very good. So, by decree, everyone gets a public key and a private key. And with this, you can do a lot. Let's say you're a browser and you want to talk to a server. I told people this talk would be chill, but I meant like running through the Diffie-Hellman exchange kind of chill. So, to establish a connection, you both agree on some parameters out in public. And by mixing this up with your private keys and exchanging it back and forth and mixing up with your private keys again, you can arrive at a shared secret that both of you have to establish a secure channel. So this is great. Get rid of that. This is great. With the power of maths, we've devised uh a way that you can't be spied on um and people can't edit your communications.

But how do you know that the person you're talking to is actually who they say they are? This will turn out to be the hardest part of the problem. How does google.com prove to you that they're the real google.com? How do you prove that you're the real you? Back in the day, we used to have these um key signing parties where you would meet people in real life um and you would scan their public keys with your eyes and vouch for them. Now on the web, we can't physically meet every single server. So instead, authentication is provided by these complex trees of trust. Websites are on the leaves of these trees and they're vouched for by certificate authorities. Now, you don't know these guys, but they're trusted by another authority which is trusted by another all the way down to your browser or your operating system at the root of the tree. So there's like a chain of vouching going on and this whole party is called the public key infrastructure. So that is how we make sure that website.com is actually website.com. But notice how I never said anything about whether you can trust the website, if it's going to protect your data, if it's not going to give you malware. None of that is really guaranteed. Um yeah that's the lock icon. That's what it means.

It should be simple enough to get. There's no way that people would misinterpret it or anything, she says, foreshadowing the next section. In 2021, Chrome did a large scale study, uh, large scale user study to check what do people actually think that the lock icon means. And here's what we found. Good news is that most people correctly said lock icon means connection security. But over half thought it meant it's safe to enter your data on the website. And almost half thought it meant the website was trustworthy in general. All in all, only about 11% correctly identified the guarantees made by the lock icon and over 89% of participants overestimated the security guarantees. Bad. Prior research in 2019 also showed a similar overestimation of trustworthiness, which led to increased clickthrough rates. Um, so yeah, this seems to be a problem. And let's say for the sake of argument that I got bored one night and decided to do some crime, it would be scarily easy for me to replicate a well-known bank's login page, configure a secure connection, and boom, there is a nice, friendly lock icon that says you can trust me to the majority of people looking at it. The phishing attack, by the way. So, this was such a big problem that in June of 2019, the FBI actually issued a public service announcement telling people, "Hey, um, please don't trust the website just because it has a lock icon."

So, this lock icon, as it turns out, is a dangerous miscommunication. So, how do we fix this? How do we communicate the right level of security guarantees? We're going to pop back into the timeline. So, in HTTPS land, um, what is it? Six years have passed. Uh, Gmail is now HTTPS by default, but things are still kind of pretty quiet. The usual internet characters are pushing for more HTTPS, but not seeing like that much change from the ecosystem. In 2013, something outside of the timeline happens. Uh many of you might remember a guy called Edward Snowden. He leaked a bunch of info about mass surveillance. So while there's always been a background push for better privacy and security, this event really brought privacy and security issues to the forefront and galvanized the whole tech industry to aggressively push for better security on the web. And at this point, internet traffic over HTTPS was still pretty rare. Estimates vary. Uh, telemetry from Let's Encrypt shows about 27% of all page loads over HTTPS. In May of 2014, Google is like, "Hey, everyone, please use HTTPS." Um, and they said, "Oh, we're serious about it. We're going to start using HTTPS in search rankings." In November of that year, Let's Encrypt announces free certificates, which removes a huge roadblock for a lot of websites, and Chrome starts to change up uh the security indicators to try and move people towards HTTPS and away from HTTP.

Now the reason why I'm showing you this line go up is because if we're talking about communication and security indicators and UI then communication requires context always. This is why uh designing warning signs for nuclear waste storage bunkers is so difficult. You don't know what cultural context is going to be like in 10,000 years. So you end up with these kind of like mysterious, vaguely ominous messages. You need context. The optimal design for anything is never static. The best way to show security UI at 15% adoption should and will look wildly different from 95% adoption. And this is what we see through the years. Insecure connections were once normal. Um, but over time as adoption grows, the warnings become louder and louder. Conversely, HTTPS started off as like a rare jewel, a rare treat. Um, and so it's celebrated, but as it becomes more normalized, the indicators get quieter and quieter.

At this point, we hypothesize that we've outgrown the need for a lock. So, let's do this. So, we go to the rest of the Chrome team. And we're like, "Hi, rest of Chrome team, we want to remove the lock icon." But then we realized, ah, hang on. As a tech industry, we've been telling people to look for a lock icon for the past 10 years. H tricky. So, we needed to know before we did anything. Will people freak out unnecessarily if the lock icon disappears? So, let's find out using this thing called science. Let's do a 1% experiment. We swapped out the lock icon for this uh security neutral drop down icon and we showed it to 1% of Chrome users and here's what we found. People did indeed notice a change. So, we saw a lot of people clicking on this icon, investigating it. Um, but no, they didn't freak out. We didn't see any regressions on HTTPS pages or form submissions over HTTPS. At the same time, we also spent a few weeks drawing hundreds of potential replacement icons. Um, but all in all, we'd gathered enough evidence um, and it looks like removing the lock icon is fine. But still, still we were worried that it would cause people to feel the web as unsafe, especially if they were used to looking for it. So, what do we do?

I want to take a moment to talk about security theater. Security theater, uh, this performative security flavored things that make you feel safe without actually making a difference to your safety. The term comes from Bruce Schneier talking about airport security back in 2008. And just two years ago, undercover tests by the Department of Homeland Security found that the TSA's failure rate ranges between 80 to 95%. So security theater can be actively harmful. It can lull you into a false sense of security and most of the time can make you less safe. Other examples include like these private VPNs that actually snoop on all of your data. Um, forcing your employees to rotate their passwords every few months so they just like write their password on a post-it note and stick it to the laptop. Um, or showing a lock icon on phishing scam or malware pages. This need to feel safe is extremely powerful. Even if airport security has been shown to be kind of useless, never going away. And this is also why I suspect even though Firefox has um had a plan to remove the lock icon and Edge tried removing the lock icon, I suspect the other browsers might not do this. I don't know. I hope they prove me wrong.

Um, but security theater and the feeling of safety feels really good, really compelling. People will do almost anything to feel safe, including things that will actively make you less safe. Um I'm reminded of during COVID times when uh we put like clear plexiglass in front of like everything in front of like you know doctor's receptions and like checkout counters even though the virus is airborne and these clear plexiglasses would trap more virus like make us unsafe but we put it up there cuz you know it's a barrier makes you feel good but at the same time I do want to defend this natural need to feel safe. I think security people, we tend to be super conservative with reassurance. We want to be like warning people all the time. H be careful. But reassurance when things are actually okay is also super important. If people are not adequately reassured in safe situations, they may opt for a less safe option. For example, after 9/11, people opted to drive instead of fly. Makes sense. But as you probably already know, flying is statistically much much safer than driving. And it's been estimated that the 9/11 effect contributed about 2300 excess road deaths in the months immediately after 9/11. So we do need some reassurance. So the question is now, when is something necessary reassurance and when is it dangerous theater? How do we tell?

Well, to differentiate, I look to people's actual behavior. Does the lack of reassurance lead people away from safety? And does the presence of reassurance lead people towards danger? With the lock icon, we see no, it's fine. It's not there. Uh, and yes, when it is there, people are more likely to click on phishing links and whatnot. And so with this evidence, it puts the lock clearly in the category of security theater. And this clear differentiation between reassurance and theater and how people behave with either is how we eventually convinced ourselves that removing the lock icon was the right thing to do. And so more than 30 years after the creation of HTTPS, it is now so common that Chrome can finally remove the lock icon. And as far as the UI is concerned, HTTPS is not just something uh it's not something that anyone has to think about. It's just the default way we do things. Cool.

So what does the story mean for us in 2006? The far away future. The web is a massive decentralized system of interconnected parts. And if there's anything I learned from this whole ordeal, it's that ecosystem change takes time. More time than you will be comfortable with. In this decade-long push for HTTPS everywhere, I was only actively involved for the last 3 or 4 years of it. And during that there were many times where I wanted to give up. But making the web secure and private is worth it. And the secret to change on the biggest of scales is just to keep going, is just to keep trying. You will have ups and downs. You'll encounter setbacks and more setbacks. Um but you have to keep going. You just have to keep pushing in the right direction. Solve problems one by one. Unfortunately, it is not that deep. Very simple, but hard. And I think this applies to any change that feels too big to tackle. If you'll allow me to get a bit philosophical here. Working on Chrome and the web platform has fundamentally changed how I look at big problems. Big problems like I don't know solving inequality, rising fascism, climate change, these all feel so big and so insurmountable. And by yourself in the next year, it's insurmountable. Can't do it. But with enough people and with enough time and with enough unrelenting persistence, you can move mountains. As for the HTTPS story, we're in the last chapters. Chrome now upgrades your connection to HTTPS unless you like explicitly want to do HTTP. Um, later this year, we won't make any insecure connections without your explicit consent. We're preparing for quantum computers and quantum authentication, and we're maintaining the public key infrastructure. The integrity of the pipes, the pipes are important. The change from the lock icon to the not lock icon is a change of like 256 pixels. It's a 16x6 square. Not a lot, but what it represents is the final chapters of a decade's worth of work. The work of hundreds of people in different companies and organizations working together to do the right thing for the web. And most importantly, the right thing by you, people who use it. Thank you so much for listening to my story.

>> Well done. Well done, Serena. Um, so we can take questions via Slido or if anyone wants to raise their hand, we can also do it that way. I'll give people a minute to uh or a moment to submit their questions. And we don't have anything coming in right now, but I have a question. So, go ahead.

The question was um why we decided to replace it instead of just getting rid of it. We did think of um just removing it um but over the years um when you click on the lock icon there's actually functionality inside um that is quite useful. So, we did want a place for people to access the certificate details if they needed to. Um, this is not most people. Um, but we did think that it was important that, you know, you could still get to it somewhere. Uh, inside um that lock icon / like little settings icon. Now, if you click into it, you also get your permission controls, site level permission controls. Um, and you get toggles for them, which I think is also quite helpful. Uh if you know a website has permission to use your camera and you're like, "Oh, actually I don't trust this website anymore. I want to turn it off." You can go straight there and turn it off. Yeah.

>> Do we have any other questions?

Yeah, there was a lot of that. Um, so the question is about what the initial reaction was. Uh, it was very much like a like this is very silly. Uh, why would you do this? Um, it is like a crucial piece of information and you're like removing information. Um, and but I I think that's a very natural kind of like response to any change. And the the kind of follow-up reactions that we saw were actually quite understanding and people started to realize, oh, actually, you know, the the information wasn't removed because if you're connecting via not HTTPS, we show like a big not secure button. Um, yeah, it's it's like that for most things. And

Oh, it depends on the experiment that we do. Um, what do you mean by cost in terms of effort? Yeah. effort mostly. Um, uh, I'm very lucky that it's not up to me to think about any dollar cost of things. Um, but th this was very like I just cheap in terms of effort. It's a glyph change. Um, so there's it it was very very easy. Uh, we do some like other more, you know, involved experiments where like there might be some behavioral changes. Um, but this one was >> very cheap.

Oh, that's a great question. The question is um whether Chrome would surface a lock for quantum key exchange. Uh, I don't know. The the tricky thing about the um this kind of like quantum climate change like upcoming thing is that we we don't really know when we will get to a point where we have quantum computers that can break current encryption. Um, so a lot of the work that we're doing now is more under the hood work of um preparing the the underlying systems to be able to um not fall apart with like these new um quantum keys because they're just like so much larger than the the keys that we have right now. And so we're slowly um kind of building the foundations to make sure that we can support um quantum encryption uh sorry quantum resistant encryption. In terms of the UI, I'm not actually sure if we need to do anything. It depends on what the the real risk is like when it happens. If we find that it does actually like break all of our like current TLS, then maybe we would do something similar to when we were first moving the ecosystem from HTTP to HTTPS. Um, if we find that the risk is actually not that high, then maybe we won't go much at all. It really depends on the risk. Sorry, I'm being a bit rambly. Stop me at any time. Fine,

>> we have time for one more question. One more question. Hello.

Yeah,

we I don't think we had research around adoption for um for the the warnings. Um we do have research around like um if something is really wrong with the certificate then we actually show like a full page interstitial and we do have a lot of research um showing that that's very very effective but if there is just like no certificate at all I don't know there's a lot there's a long trail of like perfectly legitimate websites without certificates so we didn't want to you know put a full page interstitial there. Um, so with a little um badge, no, we don't.

Fantastic. Thanks everyone for the thoughtful questions and thanks Serena for what happened to your lock icon.

Well done.
