Closed
Bug 1335970
Opened 8 years ago
Closed 7 years ago
Consider additional URL bar text to describe not secure status
Categories: Firefox :: Site Identity, defect, P3
Status: RESOLVED FIXED
Target Milestone: Firefox 60

Tracking | Status
---|---
firefox60 | fixed
People
(Reporter: jkt, Assigned: jkt)
References
(Blocks 1 open bug)
Details
(Keywords: dev-doc-complete, Whiteboard: [fxprivacy] )
Attachments
(2 files)
This bug is to consider the use of "Not Secure" or similar, following the changes that Chrome are considering, to highlight clearly to users when a website is not secure.
This is backed by research and explanation here: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
This depends on the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1310447 to display a warning by default; this bug is just to increase the visibility of the negative indicator.
We should consider if the wording should be "Insecure" or "Not Secure" or another alternative too.
Comment 1 • 8 years ago
The study[1] linked here[2] is missing words like: Interceptable, Manipulable, Unprotected
[1] https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-porter-felt.pdf
[2] https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html
Updated • 8 years ago
Whiteboard: [fxprivacy] [triage]
Comment 2 • 8 years ago
Philipp/Ryan, we'd like UX input on this. Should we get more explicit than the lock icon?
Flags: needinfo?(rfeeley)
Flags: needinfo?(philipp)
Comment 3 • 8 years ago
Please don't overlook that this bug is fortunately only for a negative text.
I plead for not showing something like "Secure" (even https pages could be evil in some way. The green lock icon is enough).
If http:// is used, please just show that EV bar in red with a "Not secure" text (or "Interceptable" or whatever). It's red in Chromium, too.
Comment 4 • 8 years ago
I was careful not to suggest the "Secure" text like I know Google went with (I have not checked if they dropped it). The dependent bug is going to push the broken lock more.
Something like: https://bug1310447.bmoattachments.org/attachment.cgi?id=8832244
Comment 5 • 8 years ago
I agree that "Secure" doesn't make sense for HTTPS pages.
We could go a similar route with the suggested urlbar text as with the lock icon and (initially?) only show it where login forms are present (and resolve bug 1310447 by showing the icon on all HTTP pages).
OTOH this makes me think that maybe the in-content warning is enough and we should not add extra clutter to the urlbar. Arguably the most direct threat to the user is logins over HTTP, and that should be covered by the in-content warning pretty well, no?
Comment 6 • 8 years ago
(In reply to Johann Hofmann [:johannh] from comment #5)
> Arguably the most direct threat
> to the user is logins over HTTP, and that should be covered by the
> in-content warning pretty well, no?
The http-is-insecure-icon pref (+ the text from this bug), which initially won't be enabled by default (?), should be the second image (red warning) from https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html and should get enabled by default when the https adoption rate hits 66% (or whatever).
The current situation with the insecure icon and warnings on sensitive forms is comparable with the first (white) warning on the Google blog and should be okay for the moment.
Comment 7 • 8 years ago
We discussed this in a meeting with Philipp.
Given that the current primary use case would be communicating that a site which asks for a username/password is "not secure", we believe the in-context warning that will be shipping soon will be more explicit, making the url bar indicator less necessary. However, in the future, when we get more aggressive about marking http pages as not being secure, we'll likely want something more explicit in the url bar. As a result, I'm marking this bug as P3.
Flags: needinfo?(rfeeley)
Flags: needinfo?(philipp)
Priority: -- → P3
Updated • 8 years ago
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
Updated • 7 years ago
Assignee: nobody → jkt
Comment 9 • 7 years ago
Comment on attachment 8944218 [details]
Bug 1335970 - Add prefs to add "Not Secure" text to insecure pages.
https://reviewboard.mozilla.org/r/214502/#review220552
r=me with the style issue addressed and with the clear understanding that this is experimental and that turning it on for a broader audience requires product buy-in and another Firefox peer review :)
Thanks!
::: browser/locales/en-US/chrome/browser/browser.properties:518
(Diff revision 1)
>
> identity.identified.verifier=Verified by: %S
> identity.identified.verified_by_you=You have added a security exception for this site.
> identity.identified.state_and_country=%S, %S
>
> +identity.notSecure.label=Not Secure
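Review bot: the new `identity.notSecure.label` string is added without a localization note, even though it is shown prominently in the URL bar where space is tight; add a `# LOCALIZATION NOTE (identity.notSecure.label): ...` comment above it describing where the text appears and that it should stay short, so localizers have the context the reviewer below asks for.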
If this ever moves out of experiment stage, we should probably work with localizers to make sure that this is translated the way we expect it to. The text is very prominently displayed in the URL bar and it's crucial to get it right in the most used locales.
::: browser/themes/shared/identity-block/identity-block.inc.css
(Diff revision 1)
> }
>
> -#urlbar[pageproxystate=valid] > #identity-box.verifiedIdentity,
> -#urlbar[pageproxystate=valid] > #identity-box.chromeUI,
> -#urlbar[pageproxystate=valid] > #identity-box.extensionPage {
> - padding-inline-end: 8px;
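Review bot: this hunk deletes the `padding-inline-end: 8px` rule shared by `.verifiedIdentity`, `.chromeUI` and `.extensionPage` with no replacement visible in the diff, so EV and extension-page text would lose its trailing padding; keep the existing selector list and add the new `.notSecureText` selector to it, or add a separate rule for the new text, rather than removing the rule.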
Why are you removing this padding? That affects e.g. EV text. Shouldn't you just add a rule for .notSecureText here?
Attachment #8944218 - Flags: review?(jhofmann) → review+
Comment 11 • 7 years ago
Can you add a screenshot?
Comment 12 • 7 years ago
Tanvi, here's a version with both the lock and the text.
Updated • 7 years ago
Status: NEW → ASSIGNED
Comment 13 • 7 years ago
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/756a472ff5f1
Add prefs to add "Not Secure" text to insecure pages. r=johannh
Comment 14 • 7 years ago
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox60: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
Updated • 7 years ago
Keywords: dev-doc-needed
Comment 15 • 7 years ago
I've added an entry about this to our Experimental features page:
https://developer.mozilla.org/en-US/Firefox/Experimental_features
Search for '"Not secure" text warning for non-HTTPS sites' to find it.
Let me know if that reads OK. Thanks!
Flags: needinfo?(jkt)
Keywords: dev-doc-needed → dev-doc-complete