The padlock icon should have retired years ago.
Not redesigned. Not moved. Not given a softer color palette and a tooltip. Removed.
The case against it is embarrassingly simple. The padlock means the browser has negotiated a TLS connection to the host named in the address bar, using a certificate that chains to a root the browser trusts and whose name matches that host. Your data is encrypted in transit. No one between you and that server can read or modify the traffic.
That’s it. Full stop.
The padlock says nothing about whether the website is legitimate, whether the business behind it exists, whether your data is stored securely on the server, or whether the domain was registered ten minutes ago to impersonate your bank. A phishing site with a valid TLS certificate — which costs nothing and takes thirty seconds to obtain — gets the exact same padlock as your actual bank. Identical icon. Identical position.
Users read all of those meanings into it anyway. That is not a minor UX misunderstanding. That is the whole problem.
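To make that concrete, here is an added example in Go, not code from the original post. It does what a browser does before it shows a padlock: it stands up a throwaway CA, issues a certificate for a constructed lookalike hostname, and then runs the standard chain, validity, key-usage and hostname checks with the standard library's x509 verifier. The CA, both hostnames and the helper names are assumptions invented for the example. The certificate passes every check for the name the attacker registered; the only thing the verifier can refuse is the same certificate presented for the real bank's name. Nowhere in that path is there an input from which "is this site legitimate?" could even be asked.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed hostnames for this example; neither is a real site.
const (
	realBank     = "bank.example"
	phishingHost = "secure-login-bank.example"
)

// issueChain plays the role of a public CA: it creates a throwaway root and
// issues a leaf certificate for host. A real CA would first make the requester
// prove control of host (an ACME DNS or HTTP challenge); that control is the
// only fact the resulting certificate asserts.
func issueChain(host string) (*x509.Certificate, *x509.CertPool, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		// Browsers match the URL host against the SAN list, not the CN.
		DNSNames:    []string{host},
		NotBefore:   now.Add(-time.Hour),
		NotAfter:    now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return nil, nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return leaf, roots, nil
}

// verifyLikeABrowser runs the checks that stand behind the padlock: the chain
// ends at a trusted root, the certificate is inside its validity period, it is
// allowed for server authentication, and a SAN covers the host in the URL.
// Legitimacy of the domain is not an input, so it is never checked.
func verifyLikeABrowser(leaf *x509.Certificate, roots *x509.CertPool, urlHost string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:   urlHost,
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// isNameMismatch reports whether verification failed because the certificate's
// names do not cover the host in the URL.
func isNameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	leaf, roots, err := issueChain(phishingHost)
	if err != nil {
		panic(err)
	}
	// The lookalike domain earns a padlock: every check passes.
	fmt.Printf("https://%s -> verify error: %v\n", phishingHost, verifyLikeABrowser(leaf, roots, phishingHost))
	// The only refusal available is a name the certificate does not cover.
	err = verifyLikeABrowser(leaf, roots, realBank)
	fmt.Printf("same cert presented for %s -> name mismatch: %v\n", realBank, isNameMismatch(err))
}
```

Everything a browser adds on top of this (revocation checks, Certificate Transparency, HSTS) is still about the binding between a name and a key. None of it moves the verifier any closer to knowing whether the name belongs to your bank.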
The Padlock Is an Accomplice
Ask a normal person what the padlock says about a site and you’ll hear some version of “it is safe,” “it is verified,” “it is the real one.” Chrome’s 2021 user research found that only 11% of participants correctly understood the precise meaning of the lock icon. The Chromium blog post announcing the icon’s replacement in 2023 also said, bluntly, that nearly all phishing sites use HTTPS and therefore display the lock.
Read that again because it should have ended the debate on the spot: nearly all phishing sites use HTTPS.
This wasn’t always true. In 2015, less than 1% of phishing sites used HTTPS. By the end of 2019, roughly three-quarters did; by 2020, over 80%. Today, a phishing site without HTTPS would look suspicious. Ironically, it’s the absence of the padlock that now raises flags. The icon went from “positive signal” to “no signal” to “actively misleading” in about five years.
For twenty years, every security awareness campaign, every “how to stay safe online” guide, every well-meaning IT department repeated the same mantra: “Look for the padlock.” Banks put it in their emails. Government sites referenced it. The advice made sense in 2005, when certificates cost money and phishing sites were plain HTTP. It became actively harmful around 2017. The advice never got updated.
We trained an entire generation of internet users to look for the lock as a sign of trust. Now, attackers use our own trusted UI element against us. The padlock guarantees that nobody else can steal your data while it is being stolen by the person you are actively giving it to.
Chrome Already Knows This
Google’s Chrome team has been slowly de-emphasizing the padlock for years. In Chrome 117 (2023), they replaced it with a neutral “tune” icon — a settings indicator that doesn’t imply trust. On iOS, Chrome removed the lock entirely.
The reasoning was explicit. Chrome’s security team published research showing the padlock misled users. Their conclusion: the icon does more harm than good.
But even after the change, clicking the icon still shows “Connection is secure.” Users trained for twenty years don’t unlearn that because Google shipped a UI update. The mental model persists. The half-measure isn’t enough.
“But How Will Users Know?”
They shouldn’t need to.
HTTPS should be invisible infrastructure, like TCP. You don’t get a little icon confirming that TCP is working. You don’t see a badge that says “this site used DNS successfully.” Nobody asks how users will know whether packets were fragmented in a standards-compliant way. This is plumbing. It works. You don’t think about it.
Google’s own transparency report puts HTTPS at over 95% of page loads in Chrome. You don’t get a gold star for doing the bare minimum. When you pick up a telephone, you don’t hear a special beep to let you know the line isn’t actively wiretapped. You just expect it to work.
The browser already knows how to communicate failure. Chrome shows a “Not secure” warning for HTTP sites. That’s the right model: silence for the baseline, alarm for the exception. You don’t praise every car on the road for having seatbelts. You flag the one that doesn’t.
What Should Replace It
Nothing. That’s the correct answer, and it makes people uncomfortable.
A normal HTTPS page should look normal. No locks, no sliders, no “Secure” text. Connection details can remain available for people who want them. The browser should continue to warn loudly on HTTP and certificate failures. But there’s no reason for an everyday secure connection to carry a tiny medal in the address bar.
The counter-argument sounds better than it is. “The lock provides reassurance, and reassurance has value.” Sure. But the question is whether the reassurance is true. If the icon reassured users that coffee-shop WiFi can’t read their traffic, fine. But that’s not how it works in the real world. It reassures users about the site itself — about identity, legitimacy, whether they should hand over their password. In those categories the padlock is not merely incomplete. It is actively misleading.
If your icon requires a public education campaign to explain that it does not mean what almost everyone thinks it means, the icon is bad.
The lock made sense in the 1990s when HTTPS was rare. That era is over. Encryption in transit is table stakes. Security gets worse when the browser hands out trust-shaped stickers for doing the bare minimum.