Mozilla to remove iconic Lock Icon

Bruce Morton

Although not released yet, the latest betas of Firefox 4.0 indicate that Mozilla has removed the https lock icon from the browser. Different forms of the lock icon have been used since the earliest commercial releases of Netscape and Internet Explorer browsers. The lock icon is currently used in all major desktop browsers:  IE, Firefox, Chrome, Safari, and Opera. It is also promoted as a symbol of security by many web-sites; just do a Google image search on SSL lock or SSL padlock and see for yourself.

Mozilla’s rationalization for dropping the lock icon is that it is a misunderstood symbol and doesn’t indicate that the user is safe. That is, although you have a secure SSL connection, it may not be safe if you don’t know who you are connected to. My thinking is although you may not know who you are connected to, at least the lock icon indicates that you are safe from third-party hackers.

Mozilla does offer other indicators to the left of the address bar. These include a blue button highlighting the domain name for site with domain validated (DV) or organization validated (OV) SSL certificates; or a green button for EV SSL certificates. In both cases, if you click on the button, you will get more information about the web-site and SSL certificate.

Bruce Morton
Bruce Morton
Director, Certificate Technology & Standards

Bruce Morton has worked in the public key infrastructure and digital certificate industry for more than 15 years and has focused on SSL and other publicly trusted certificates since 2005. He has been an active member of the CA/Browser Forum that released guidelines for extended validation (EV) certificates and Baseline Requirements for SSL certificates. Bruce oversees the governance and compliance of Entrust’s publicly trusted PKI.


Add to the Conversation