Question from Mike: Chrome used to display the word “Secure” in the address bar to indicate that the webpage you’re viewing is encrypted.
I really liked that because I didn’t have to worry about hackers stealing my info if I typed anything into a form on that page.
A while back I noticed that Google has removed that “Secure” indicator from Chrome’s address bar.
Why on earth did they get rid of it?
Rick’s answer: I understand where you’re coming from, Mike.
I too used to get a warm and fuzzy feeling every time I would see that “Secure” indicator pop up while visiting a page that was asking me to submit some kind of info.
However, Google had a good reason for removing the word “Secure” from the address bar and using the little padlock instead.
In a nutshell, the word “Secure” ended up being extremely misleading as an indicator of a web page’s true level of security.
Before we get to why that is, let’s start with a bit of history for some context…
Not all that long ago it wasn’t all that easy (or cheap) to get a security certificate installed on a website. In actuality, it required all of the following…
First, you had to qualify for a security certificate.
Before you could purchase a security certificate, you had to qualify for one. And in the early days of the World Wide Web not every website (or website owner) qualified for one.
Back then if you wanted to purchase a security certificate for a site you owned you had to jump through some pretty small hoops to prove that the site (and you) could be trusted with someone else’s information.
If you managed to meet the qualifications you had to pay a yearly fee for the certificate.
Next, there was the cost. The prices charged for security certificates were substantial, typically running anywhere from $80 to $150 per year, and sometimes more.
That was a rather expensive add-on for a small site that didn’t generate a lot of revenue in the first place.
If you were able to purchase a certificate you (probably) had to pay a pro to install it.
And finally, there was the cost involved with getting the certificate installed on a site.
Installing a security certificate on a website and getting all the pages of that site operating correctly with the certificate was quite an undertaking that usually required hiring a pro to do the work.
Sure, some site owners were savvy enough to figure it out and do it themselves, but if something went wrong their sites would go offline and stay offline until the error was resolved or the certificate was removed.
Where things stand today
Virtually all of the hurdles mentioned above were removed from the process of obtaining and installing security certificates back in 2016 when a consortium of Internet companies helped develop and sponsor a free encryption scheme known as Let’s Encrypt.
In a nutshell, Let’s Encrypt will supply a security certificate to virtually anyone on the planet just for the asking.
And what’s more, they’ll give it to them for free.
There are no standards to meet (either for the website or its owner) in order to qualify for a Let’s Encrypt certificate. Pretty much everyone qualifies.
Soon after Let’s Encrypt started handing out those free certificates most web hosting companies started including them with their hosting plans.
Some hosts require you to enable the certificate in your site’s control panel, but many simply enable it by default. That means virtually every new website that’s created today is encrypted by default.
And therein lies the problem
Since everyone who wants a security certificate can now get one without having to qualify for it, pay for it or even install it, newly-built scam sites are now also encrypted by default from day one.
That led to many innocent people getting scammed out of their cash and/or their identity because they trusted that little “Secure” indicator up in the address bar.
Sure, the sites were encrypted, but that only meant that your data was safe while travelling over the Internet between your web browser and the website you were interacting with.
The thing is, encryption doesn’t protect your information once it’s on a website’s server.
Once the site (and its owner) has your information they can use it any way they want to, even if it’s to perpetrate a scam.
In other words, just because a website is encrypted (indicated by the little padlock in the address bar), that doesn’t necessarily mean it’s “secure”.
Bottom line
As you can see, Google had a good reason for removing the word “Secure” from the address bar when you’re visiting an encrypted site.
Simply put, encryption doesn’t automatically equate to security.
That’s why although we can depend on the little padlock icon to let us know a site is encrypted, we’ll still need to use our noggin to try to determine the site’s true level of security.
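To make the encryption-versus-trust distinction concrete, here is an added Python example (not part of the original answer) that reads certificate fields in the format Python's ssl.SSLSocket.getpeercert() returns and reports what the certificate actually vouches for. The two sample certificates, their hostnames and their CA names are constructed; the organization check is a heuristic that relies on domain-validated certificates carrying no organizationName in the subject.

```python
def _flatten(name):
    """getpeercert() encodes a name as a tuple of RDNs, each a tuple of (key, value) pairs."""
    return {key: value for rdn in name for key, value in rdn}


def describe_certificate(cert):
    """Summarize what a certificate asserts: which hostnames, issued by whom, and
    whether any organization was vetted (heuristic: subject has organizationName)."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    hostnames = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    organization = subject.get("organizationName")
    return {
        "hostnames": hostnames,
        "issuer": issuer.get("organizationName", "unknown"),
        "organization": organization,
        # No organization in the subject: the CA only checked control of the domain.
        "validation": "organization-validated" if organization else "domain-validated",
    }


# Constructed sample: the kind of certificate a brand-new site gets automatically.
DV_CERT = {
    "subject": ((("commonName", "brand-new-shop.test"),),),
    "issuer": ((("organizationName", "Example Free CA (constructed)"),),),
    "subjectAltName": (("DNS", "brand-new-shop.test"),),
}

# Constructed sample: a certificate for which the CA also vetted a legal entity.
OV_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Retail, Inc."),),
        (("commonName", "www.example-retail.test"),),
    ),
    "issuer": ((("organizationName", "Example Commercial CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.example-retail.test"),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT):
        info = describe_certificate(cert)
        print(f"{info['hostnames']}: {info['validation']}, "
              f"organization={info['organization']!r}, issuer={info['issuer']!r}")
```

Both samples would produce the same padlock in the browser; only the second one names who operates the site, and neither says anything about what happens to your data after it arrives.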