Root Causes 300: Chrome Eliminates the Lock Icon

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  We want to talk about a blog post from the Chromium project. This is on the Chromium blog and the date is Tuesday, May 2, 2023. And before I get into this, let me just emphasize since we’ve been talking a lot about posts from Google that the Moving Forward Together page is managed by the Chrome Root Store and the Chromium blog are different groups inside of Google. It’s a different set of individuals that are writing these posts and I’m sure that they coordinate with each other but these are two different sources.

  So, the May 2 post on the Chromium blog, 2023, says An Update on the Lock Icon. The lock icon. So, I don’t know if we should start with a history of the lock icon or we should talk about what they say. Maybe we will start with, Jason, what does this blog post say in a nutshell?

• 

  Jason Soroko

  It basically says that the Chrome browser – is going to change its user interface element that indicates that you are on a website that has an SSL certificate and traditionally back in the day when you had EV certificates you might remember that when you typed in a website, PayPal.com for the longest time had an extended validation certificate and the UI element was not only just a lock but you would actually see a green shading within the address bar and when you clicked the lock you’d actually be able to dig in and actually take a look at the certificate information. With the change that took out the UI element of the green shading, you were left with the lock and so that lock would indicate that you are on any kind of SSL protected website and now what they are talking about is removing that completely and replacing it with another type of UI element and having to have you dig a little deeper if you wanted to find the certificate information.

• 

  Tim Callan

  The picture of the lock is going to go away and it is going to replaced with something that kind of looks like a pair of sliders and they have a word for it. They call it the tune icon, which is not a term I was familiar with before I read this blog post but it looks like a pair of sliders as if you are gonna access some controls and it’s there to say that you are gonna access controls and I understand from this post that it will sit or it’s expected to sit in the same place that the lock sits right now which is immediately to the left of the URL and that’s what they plan on doing. So, the lock itself, the padlock icon goes back to 1995 - - goes back to NetScape and I think this is the first time in nearly 30 years that a major browser with the possible exception of some on mobile phones is expecting not to contain a padlock when an SSL encrypted session is in place.

• 

  Jason Soroko

  That’s right, Tim. So, I think part of what was being talked about and maybe part of this is also my imagination but it’s worth talking about is every element, every user interface element on any piece of software that you might interact with as a human being, you might wonder what the heck it’s for. We’ve kind of been trained that if you see three dots, it’s some kind of settings; if you happen to see something that looks a little bit like a hamburger which is three sort of horizontal bars – some people call that the hamburger – then perhaps that gets you into some kind of different menu and I think that people who are into UI design sometimes tend to like those kinds of repeated visual patterns. But I can tell you that whenever I’ve, even myself sometimes looking at these user interface and I see these little symbols that I’m supposed to know what they are, I don’t always fully understand. You gotta click around and guess and go, oh geez, this is for the settings or, oh geez, a whole new menu pulled up here and you end up learning the interface by hunting and pecking and you don’t necessarily intuitively understand what some of these symbols are.

  I always thought that a lock symbol was kind of obvious. It would kind of signal you as a user to think about what are the security settings of this within the address bar and now we are moving to this – you even had to look it up, Tim. I had to look it up. The tune icon.

  It’s like geez, I don’t know. I don’t know what the means and is it settings? Is it the settings of Chrome? Is it the settings of the website that I’m - - like who knows. It’s not super clear to me.

• 

  Tim Callan

  I think what you’ve touched on is something really important here in terms of a window into the thinking of the Chrome interface team which is they have stepped away from the idea of proactively indicating that a security or trust element is present. So, if you go all the way back to the beginning in 1995 – why did they do this? Because many web pages, most web pages, originally all web pages, were not secure. There was not SSL. There was not an encrypted communication. There was not a cryptographically secured assurance that you were on the domain name that you wanted to be on and the lock was to say in this case there is. And the Chrome team has been maintaining for a number of years now that they’re basically looking to reverse that. What they want to do is they want to indicate when something is awry and the analogy they often use is they’ll use the analogy of the dashboard light where in the car you don’t have a whole Christmas tree of lights saying everything is fine, you have a single light that comes on when something isn’t fine. Or an alarm they use as another analogy - that the alarm isn’t constantly ringing to tell you things are ok; the alarm rings when things aren’t ok. And that’s what they want the interface to do in the browser and so they are of the opinion that the lock is that second kind of thing. The lock is the signal it’s ok that’s always on and rather, they want the signal that says something is wrong when it’s not on. And, I’ve seen a number of posts and live presentations from people including some of the authors of this blog post where they’ve been very clear that that’s what their philosophy is. What I think is interesting here, of course, is that the lock is such a very well-known element. It’s one of the few consistent elements in these browsers going all the way back and there’s a whole generation of computer users who have always had that as long as they have access to website. And I feel like we are throwing away one of the few places where we’ve done a good job of providing widespread, ubiquitous, global language independent user education.

• 

  Jason Soroko

  Yes, sir.

• 

  Tim Callan

  And throwing that away just – I don’t know. I feel like you are giving away a lot.

• 

  Jason Soroko

  This tune icon when you click on it, the example that’s being given in the blog post shows that the very next thing that you will see is another thing to click on which will then a second click you have to do in order to then get to the significant information which is what you would have gotten anyway if you would have clicked on the lock icon.

• 

  Tim Callan

  And part of their argument is that the lock icon it’s not obvious that you should click on and then they feel that the tune icon is their nomenclature for you can click here. They say that in the post.

• 

  Jason Soroko

  Which I think is funny because I understand it even less. As you said, Tim, I think that the lock icon was very clear in terms of, hey, it’s a lock. It must have something to do with security. So if I am curious about that maybe I can click that lock.

• 

  Tim Callan

  Or my contention, my response to that would be, yes, except that you have had, again, an entire generation of users who have been trained that that lock is clickable. That lock is there and it’s clickable and there is relevant information under it and, I don’t know. Every single computer user I know knows what that lock means and that seems to be something that they are just going to prepare to just walk away from.

• 

  Jason Soroko

  I experienced another kind of UI element just this morning, Tim. What perfect timing for this podcast. The city where I live experiencing a little bit of Springtime so we are getting close to potential flood conditions and I heard that there were potential floods happening and so I went to my little cool city website and I clicked on a link that showed where there is gonna be a flood map and I wanted to have a look at that and I was not allowed to go to that site, Tim. All I got was, as part of the UI element, and by way, I was using Microsoft Edge and because of the fact that the subdomain of this website was not protected with an SSL certificate – the main city site was but the subdomain was not – I was not allowed.

• 

  Tim Callan

  You were blocked. Now were you able to get around that?

• 

  Jason Soroko

  I looked. There was no clickable link to say, hey, this is just a warning. We will let you bypass this if you click this link but you gotta know that you are on your own here. There was no clickable link to let me through.

• 

  Tim Callan

  Because when they first rolled out those roadblocks there was something down below that would say, I understand this is risky and I am prepared to continue or something like that and even that’s gone now?

• 

  Jason Soroko

  That was a surprise to me. I did not see it and so, this was not some kind of scientific investigation of can I recreate this. I literally was just quickly trying to look for flood map and I was not allowed to get to it.

• 

  Tim Callan

  I’m not crazy about that because it still is the fact that most of what you are gonna access on the web is a one-way broadcast of information to you that isn’t in any way secret that it wouldn’t be in any way bad if people knew that you were looking at that information. And, I appreciate the sentiment toward SSL everywhere but preventing a knowledgeable user from accessing a one-way broadcast of harmless information under those circumstances due to the let’s say the lack of technical sophistication from someone who is just trying to publish some information, That doesn’t feel to me like it’s really in the user’s best interest.

• 

  Jason Soroko

  And I can tell what this was. It was quite literally a mild form of an emergency communication by the City and so they threw up the subdomain very, very quickly and the poor bedraggled IT administrator over at the City who is probably not extremely sophisticated, they just were told get this information out and all of the sudden nobody can look at his website. Great.

• 

  Tim Callan

  And who maybe is dealing with the disaster conditions?

• 

  Jason Soroko

  Right.

• 

  Tim Callan

  Exactly.

  I get it. I understand that it is their browser and they get to do what they want and, when I can go get 65% or 70% or whatever it is of the user in the world to use my browser then I get to do what I want too. I understand all that. This one I just I’m skeptical that’s it’s really better for users just based on the huge amount of knowledge that already exists in this existing UX.

• 

  Jason Soroko

  I don’t think I’m dreaming this, Tim, but I think there was a blog post. I don’t know if it was somebody working at Google proper who had basically said, look, we want to eventually get rid of this address bar thing anyway and I don’t use my browser this way but I’ve seen people do it. Let’s say they want to go to Facebook and they would actually right from the default screen which happened to be a Google search input screen, they would type in the word Facebook and then they would be presented with a link and they would click on the link. Whereas, you and I might just simply - - I’m so used to - - I’m so old. I am so decrepitly old. I’m the type of guy who would actually type in the actual domain name. Facebook.com and I would go right there.

• 

  Tim Callan

  I think it’s some of both. I think it depends on kind of what you are doing and where you are going. The places I know perfectly well where I’m navigating to, I frequently just type in the address. Just type in the address and hit enter. Yep. Yep.

• 

  Jason Soroko

  And I would expect that to be fairly normal behavior to do a little bit of both but I find there’s some people, some people, who have literally been convinced that their interface to the internet is literally the Google search engine and I think Google knows that and I can see how they could be motivated to like, hey, this address bar thing is of no value to us. Let’s push the world through our search. And I can see that.

• 

  Tim Callan

  I’ve been sitting here racking my brain. I have heard a similar thing, Jason, and like you, I do believe it actually came from people who work on Chrome and I do believe there was at least a vision transmitted of, you know, we’d like to get to a point where there is an address bar. Like you, I can’t vouch for that for sure so, listeners, don’t necessarily take that to the bank. Maybe we will try to do a little bit of research offline so if we could find it maybe we could follow up and if we find something, that could be a future episode. But I do recall something very similar to that and I recall being aware of this just within the last let’s say five years of them communicating this kind of desire or this kind of intention. So, we are not talking about ancient history either.

• 

  Jason Soroko

  And the only reason I bring it up – it’s not about conspiracy theories or even saying anything is good or bad. It really is understanding motivations and it’s like why are you breaking down what are fairly natural elements of UI that are well-known and if your motivation is you want to get rid of the whole thing anyway, well, then that is one way of doing it.

• 

  Tim Callan

  Well, and that would be in keeping with what we’ve observed, right? One of the things we’ve observed is a deemphasis of the URL bar. Like, if you go back to early days of browsers or even early days of Chrome, the URL bar was very, very, very important and we even saw a period of time where in various ways browsers enhanced it. The green address bar was one example. Another example was that there were versions of Microsoft browsers that would put a bold on the main domain name as opposed to subdomains and various other things went on. The lock icon went through an evolution and a lot of this was about trying to make that more useful as a tool but while some browsers or some vendors like Microsoft are trying to increase the amount of information in that, we did see that Chrome – and not only Chrome, right? I think we saw a similar thing from Apple. Just sort of a paring away and a stripping down of the functionality and the information density of that particular part of the interface. And this has been going on for a decade. I mean this has been a long, long program to deemphasize that particular part of the UX and it does feel like this is the next step in that kind of long, slow, gradual progression towards some kind of ideal which very well may be that there is not a visible URL. I mean you probably could click to it, drill down to it, but it may very well be that there is not a visible URL at the most basic level on the address bar and, someone who has just been watching how especially Chrome, but other browsers like Safari have evolved over the years, and everything that’s built on Chromium how these things have evolved over the years, I think it’s easy to speculate that that’s the end goal.

• 

  Jason Soroko

  Tim, maybe it’s time for you and I to go into business. We are gonna start up a retro browser, 1990s era browser.

• 

  Tim Callan

  For old cranks like us. You know, kids get off my lawn.

• 

  Jason Soroko

  I’m almost thinking now it’s time to go back to Linx which was still to this day the fastest browser I ever used and maybe I enjoyed that one the most.

• 

  Tim Callan

  Oh sure. I’m sure it was. So anyway, probably the last data point is September 2023 is the announce date that is going to be the 117 version of Chrome which is due in September and that’s where you should see this change take place. So, if you like your lock icon and you are also using Chrome, enjoy it while you got it because in September you should be replaced with the tune icon.

• 

  Jason Soroko

  Thanks for that, Tim. That’s great. Anyway, interesting. Just thought we would bring it up.