Closed Bug 444980 Opened 16 years ago Closed 10 years ago

Blue security icon: "Which is run by (unknown)" is confusing

Categories

(Firefox :: Security, defect)

defect
Not set
major


RESOLVED DUPLICATE of bug 1029862

People

(Reporter: minfrin, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0
Build Identifier: Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10.5; en-US; rv:1.9) Gecko/2008061004 Firefox/3.0

When an attempt is made to connect to a secure website, with a valid secure certificate, signed by a CA trusted for this purpose, the following message is displayed:

"You are connected to domain.com, which is run by (unknown)".

This sends a confusing signal to end users: The string "which is run by (unknown)" sends a strong message that there is something wrong with this website, and that it should not be trusted.

This also sends a confusing signal to system administrators, who immediately think there is something wrong with their certificate.

The message should state what the certificate asserts, and *nothing more*.

While the person who programmed this code probably thought that the string "which is run by (unknown)" would be interpreted from the browser's perspective, instead the end user and administrator interpret the string from the CA's perspective.

The certificate contains no assertions about the certificate owner, who may or may not have been checked by the CA, and so the browser cannot make any assertions of its own.

To fix this, when the certificate owner has not been asserted, no mention of the owner should be made.

In other words, the string should read:

"You are connected to domain.com".


Reproducible: Always

Steps to Reproduce:
xxx
From johnath in bug 429021 comment 1:

"The argument has been made before that we should just drop the text for
ownership if we don't have a verified owner.  The purpose of the current
treatment is to call deliberate attention to the fact that there is this
absence."

The string used by Firefox could probably be improved, but I agree with johnath that simply dropping "(unknown)" probably isn't the right thing to do.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Blue security icon: "Which is run by (unknown)" → Blue security icon: "Which is run by (unknown)" is confusing
If the intention is to call deliberate attention to the fact that the owner of the domain is not verified, then the string "which is run by (unknown)" fails completely at this purpose.

The message is structured in the form of an error message, end users will (and have already, according to Google) interpret this message as a problem with the website certificate, and will quite correctly conclude that the website should not be trusted.

If you wanted to assert that the owner of the domain has not been verified, then say "The owner of the domain has not been verified".

Even this string is dangerous: Thawte sells a non-EV SSL certificate that offers "Domain and identity authentication and verification". By stating "which is run by (unknown)" you are directly contradicting Thawte's certificate assertion.

I would strongly suggest you make sure that you run this functionality past Mozilla's legal counsel, because in its current form, you are courting a law suit from annoyed certificate customers.
Depends on: 429021
Firefox ssl cert string  "The owner of the domain has not been verified" is not dangerous, he is simply wrong. VeriSign, Thawte, GeoTrust, GlobalSign issue  
non EV-SSL certs with both domain and organization authentication and verification. 

 
Johnathan has made this point before in other bugs, but as I understand it the problem is that Firefox has no reliable way to differentiate organization validation certs from the rest of the domain validation certs out there, and there are no set standards for what OV really means beyond what various CAs decide to provide. The end result is that we don't differentiate DV and OV certs in the UI.

The purpose of EV was to establish a common baseline for extended validation to ensure that everyone plays by the same rules, and that extra confidence is what enables Firefox to make more confident statements about the identity of the site and its owner.
Please look at https://www.mozilla.com with Firefox and Opera 


Opera:

Secure Site

The connection to www.mozilla.com is secure.

Certificate summary

Holder: *.mozilla.com, Mozilla Corporation
Issuer: XRamp Security Services GS CA, XRamp Security Services Inc.


Firefox: 

"The owner of the domain has not been verified"




I see http://people.mozilla.org/~gavin/larry.png and http://people.mozilla.org/~gavin/pageinfo.png when I visit https://www.mozilla.com/en-US/, not sure where you're getting "The owner of the domain has not been verified" from.

The certificate details you quote are technically accurate representations of the cert data, but I'm not sure they're very useful to most users when trying to make choices about whether or not to trust the content. Saying that the holder is "Mozilla Corporation" without knowing what kind of process was used by the cert issuer to verify that information is potentially misleading.
If you click on "More information" the next page displays "The owner of the
domain has not been verified".

If Firefox is afraid of misleading information, why not add correct 
cert data together with a link to the 
issuer's CPS (Certification Practice Statement).

Pushing EV SSL certs never ever is the business of an (open source) browser.
 
"The *owner of the domain* has not been verified" might actually in itself be confusing or even misleading, since *domain ownership* has been verified (the minimal requirement of any CA in NSS). It's perhaps an unlucky formulation of the intended, similar to the "which is run by (unknown)".

In the context of EV it "might" make some sense, but since secure sites are usually accessed without this context, the statements are anything but helpful really.

Well, if I wouldn't bang against a wall on this issue, I would even make some suggestions for the better....like the one from Graham.
In addition to the previous comments, the documentation is also misleading and incorrect. From this page: https://support.mozilla.com/en-US/kb/Site%20Identity%20Button#w_blue-basic-identity-information

"There is no guarantee that td.com is actually owned by the Toronto Dominion Bank. The only things that are guaranteed is that the domain is a valid domain, and that the connection to it is encrypted."

The first sentence is correct. The second is *not*.

If "td.com" is using a self-signed certificate (or a certificate that's not verifiable by a CA known to the browser), the browser will still resolve the DNS entry for "td.com" (i.e. "td.com" is a valid domain) and the connection to this site will also be encrypted.

In this example in the documentation, the certificate was issued by Verisign, which has at least checked they issued the certificate to the legitimate domain owner by sending an e-mail to its whois registered address.

Something like this would be better:
"There is no guarantee that td.com is actually owned by the Toronto Dominion Bank. The only things that are guaranteed is that the certificate was issued to the legitimate owner of td.com, and that the connection to it is encrypted."
Hi - I totally agree with everyone saying that information "run by (unknown)" is incorrect. Why does it say "unknown" even when in certificate details there are statements about the certificate owner.

Even on this site (https://bugzilla.mozilla.org) when clicked on the lock icon  we have "run by (unknown)", but when we look into certificate details we can read that it's issued for:

Common name: bugzilla.mozilla.org
Organization: Mozilla Corporation

So why does Firefox show untrue information when the organization can be read from certificate?
Just to clarify my point of view - Firefox should show "run by (unknown)" only if the certificate owner data are not part of the certificate. Otherwise it should show run by (what's found in the certificate) or not mention the owner.
Mozilla's position has been and remains that we only wish to display information from the certificate's O field for EV certificates. EV was created to provide a verifiable and auditable baseline for making sure that certificate information was correct. Some CAs fill in these fields with less-than-EV levels of checking. They are of course entitled to do that if they wish, but we don't accept that information as reliable enough to display it in the UI. 

Then there is the question of what we _do_ say if sufficiently-validated O field information is not present. At the moment, we explicitly disclaim having verifiable knowledge. Some have suggested that we simply say nothing at all (e.g. bug 795963). Making that change, or not, is what this bug is about.

I don't have strong opinions about exactly what it says because I suspect not many users bother to read that dialog. I think the current statement is accurate, albeit an abbreviated form of "Firefox doesn't have any O field information it feels comfortable about giving you, which is the same as not having any." I feel strongly that our treatment of DV and OV certs should be the same, for the reasons given above. (If OV were good enough to display, then we wouldn't have needed to invent EV.) 

Gerv
OS: Mac OS X → All
Hardware: PowerPC → All
I think that the EV verification process is already clearly identified with the different colour and the name of the company right beside it. What should be implemented are more levels:

- Extended Verification (implemented)
- Limited Verification (is missing)
- No verification (implemented)

At the moment Limited Verification and No verification have the same indication, which seems unfair and too black/white in this grey world. Programmers tend to think digital, A or B, 1 or 0. The user however lives in the real world with shades of meaning. Let Firefox become just a little bit more human. As a bonus it might even attract some more users too!
I totally agree with above.
And let me say that I don't quite accept the statement presented by Gervase Markham. By saying "we only wish to display information from the certificate's O field for EV certificates" you get into the role of Certification Authority. I mean - it's not browsers role to decide whether information in certificate is true or not - it's CA responsibility.
And as written in the previous post Firefox is making the world less colorful by not discerning all types (classes) of certificates and stating: "it's only EV certificates and the rest of them, nothing in between".
Please stop persisting in not recognizing what's really quite obvious and acknowledged by all other browsers and the industry, that there are:
1) simple DOMAIN VALIDATION (class 1) certificates
2) ORGANIZATION VALIDATION (class 2/3) certificates which by no means should be displayed as "run by unknown"
3) EXTENDED VALIDATION certificates
(In reply to mcinp from comment #15)
> And let me say that I don't quite accept the statement presented by Gervase
> Markham. By saying "we only wish to display information from the
> certificate's O field for EV certificates" you get into the role of
> Certification Authority. I mean - it's not browsers role to decide whether
> information in certificate is true or not - it's CA responsibility.

Certificate Authorities make assertions. It's entirely up to us whether we trust a particular CA at all, or if we do trust it, whether we trust every assertion it makes. That's the entire point of PKI - you get to choose who and what you trust. (And Mozilla does that, at least in terms of the defaults, on behalf of its users.)

Gerv
>you get to choose who and what you trust
Mozilla doesn't trust any CA and it's even fooling the users that site owner is unknown when it's known for sure and verified by CA.
It's fooling the users by showing class 2/3 certificates as if they were class 1.


>And Mozilla does that, at least in terms of the defaults, on behalf of its users
Sorry, not on my behalf, and not on many others'

Please - you seem to have stuck at your position which is nowhere near reality.
Maybe you should also stop displaying EV certificates "on behalf of the users". That would provide another level of "security". And another stop from usability to madness.
I meant "trusting EV certificates" not "displaying EV certificates"
I think there are general fundamental issues in the way the HTTPS-related UI has evolved.

When it comes to the "Which is run by (unknown)" problem, the main subject of this issue, I think Firefox simply shouldn't display anything for certificates that don't have that piece of information (or for certificates that are not EV certs).

Whatever the verification state is, saying "Which is run by (unknown)" is just confusing for most users. The subtleties of PKI are complicated enough as it is, and the documentation from CAs themselves is sufficiently confusing without needing Firefox to make users even more confused.

(In reply to Gervase Markham [:gerv] from comment #13)
> (If OV were good enough to display,
> then we wouldn't have needed to invent EV.)

EV certs can be an improvement, but they certainly don't solve all the problems of PKIs, and non-EV certs certainly shouldn't be dismissed because of EV certs.

I think EV certs already get some special treatment (in particular because their root CA cert fingerprints are hard-coded into the code base, as opposed to being a configurable option). The fact that they're the only ones to have some sort of visible indication in the UI to show that HTTPS is used seems to be a step too far.

Please bring back some clearly visible blue indicator (or equivalent) for non-EV certificates too. Using non-EV certificates can be perfectly acceptable and not necessarily less secure.

Currently, a correctly configured HTTPS connection with a non-EV certificate is barely distinguishable from a connection with mixed content (see #775242) or from a plain HTTP connection, actually (see #680811). Removing the favicon (to prevent padlock-looking favicons) is certainly a good thing, but some of the recent changes mentioned in <https://blog.mozilla.org/ux/2012/06/site-identity-ui-updates/> seem to have made things worse.
From bug 740571:

(In reply to Rob Stradling from comment #11)
> (In reply to Brian Smith (:bsmith) from comment #10)
> > I strongly agree that we should stop showing "This website does not supply
> > ownership information" and "which is run by (unknown)". The simplest way to
> > do that is to just remove both of those fields in the UI. I am not sure we
> > need to do anything more than that right away.
> 
> +1

(In reply to Kathleen Wilson from comment #12)
> (In reply to Brian Smith (:bsmith) from comment #10)
> > I strongly agree that we should stop showing "This website does not supply
> > ownership information" and "which is run by (unknown)". The simplest way to
> > do that is to just remove both of those fields in the UI. I am not sure we
> > need to do anything more than that right away.
> 
> +1 if this can be done for non-EV.  
> I think we would still want to show the run-by/owner info for EV.
Completely removing the message would make things worse.

If you do persist in the madness of ignoring the quality of non-EV certificates, the least you should do is change the message for non-EV certificates to something truly honest such as:

"Which is run by (not fully validated)"

In other words, change "(unknown)" to "(not fully validated)" if you have the info but insist on not telling the user due to EV-fanaticism.

There are other, more complete bugs about getting Mozilla back to displaying the full information.   But at least changing "(unknown)" to "(not fully validated)" changes an outright lie into a (still somewhat demeaning) disclaimer.
If we were able to trust the O field of all non-EV certificates to a degree sufficient for us to display it in the UI, there would be no need for us to have spent multiple years defining the higher vetting standards used for EV.

Gerv
Responding to a private email from Brian: I am against showing non-EV O field information, but I am OK with removing the entire "Which is run by (unknown)" line for non-EV certs.

Gerv
I think there are two distinct cases here: both certs with an O field (OV) and without (DV) show "Which is run by (unknown)".

Removing the message completely for DV certificates shouldn't make things worse. If a message has to be displayed, perhaps something like "No additional validation information was provided for this certificate." would work better. It's honest and doesn't sound negative (and it also has the merits of being a correct sentence, not just "computer form speak").

Certs with an O field are a different problem. Saying "Which is run by (unknown)" makes it pointless for anyone to get an OV cert indeed. I'm not sure that "Which is run by (not fully validated)" is less confusing. Maybe saying "Which is run by <organisation name> (standard validation)." would be a reasonable compromise. It could be "standard validation", "non-extended validation", "basic validation", ... I'm not sure what the right balance would be.
(This being said, I'm not against removing this message there completely either, but I understand OV cert users would want some indication displayed.)

Gerv, I understand some effort was put into defining the EV standards, and it makes sense, but I still think EV certs get a disproportionately favourable treatment.
EV certs can be good, but non-EV certs are not necessarily bad. Denigrating them doesn't really help. As I was saying in comment #19, the current distinction between a site with mixed content (which is bad) or plain HTTP, and correct usage of HTTPS with a non-EV cert is simply a rather small icon (a globe or a lock) in the address bar. Something more immediately visible to distinguish correct HTTPS usage with non-EV cert from plain HTTP or mixed content would be good.

Bruno.
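As an added illustration (example code written for this page, not Firefox's code and not any commenter's), here is the display rule Gerv states above (the O field is surfaced only for EV) together with the DV-versus-OV distinction Bruno draws, run over constructed certificate data. It assumes the CA/Browser Forum policy OIDs (2.23.140.1.1 for EV, 2.23.140.1.2.1 and 2.23.140.1.2.2 for DV and OV) and models the hard-coded EV root fingerprints mentioned earlier as an allow-list from policy OID to root fingerprint, which is an assumption about how the pinning is keyed, not something this bug states. The root bytes, subject names and the `identity_for_ui` function are all made up for the example; the subject DNs are real DER so the parse is not a stub.

```python
# Added example, not Firefox code: the identity-display rule argued about in this
# thread, run over constructed certificate data. Subject DNs are built and parsed
# as real DER; EV is recognised as a (policy OID, pinned root fingerprint) pair
# (assumed model); O is surfaced only for EV, so DV and OV collapse to one UI state.
# ROOT_A/ROOT_B bytes are constructed; the 2.23.140.* OIDs are the CA/Browser Forum ones.
import hashlib
OID_CN, OID_O = "2.5.4.3", "2.5.4.10"
OID_CABF_EV = "2.23.140.1.1"    # CA/Browser Forum EV policy OID
OID_CABF_DV = "2.23.140.1.2.1"  # Baseline Requirements: domain-validated
OID_CABF_OV = "2.23.140.1.2.2"  # Baseline Requirements: organization-validated

def _der_len(n):
    if n < 0x80:                              # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06) with base-128 arcs."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # final group carries no continuation bit
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def der_name(attrs):
    """Name ::= SEQUENCE OF RDN; one single-valued RDN per (oid, text), UTF8String values."""
    rdns = b"".join(_tlv(0x31, _tlv(0x30, der_oid(o) + _tlv(0x0C, t.encode())))
                    for o, t in attrs)
    return _tlv(0x30, rdns)

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_name(der):
    """Inverse of der_name: {dotted OID: text}; rejects anything that is not a Name."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs, pos = {}, 0
    while pos < len(seq):
        tag, rdn, pos = _read_tlv(seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        _, atv, _ = _read_tlv(rdn, 0)
        _, oid_body, p = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, p)
        attrs[_decode_oid(oid_body)] = value.decode()
    return attrs

def fingerprint(root_der):
    return hashlib.sha256(root_der).hexdigest()

ROOT_A = b"constructed root certificate A"   # stand-ins for real root DER bytes
ROOT_B = b"constructed root certificate B"
# Assumed EV allow-list: policy OID -> roots permitted to assert it. ROOT_B is left off on purpose.
EV_ROOTS = {OID_CABF_EV: {fingerprint(ROOT_A)}}

def identity_for_ui(subject_der, policy_oids, root_der, ev_roots=EV_ROOTS):
    """(tier, host, organisation shown). O is surfaced only on an EV chain."""
    subject = parse_name(subject_der)
    fp = fingerprint(root_der)
    is_ev = any(fp in ev_roots.get(oid, ()) for oid in policy_oids)
    host = subject.get(OID_CN, "")
    if is_ev and OID_O in subject:
        return ("ev", host, subject[OID_O])
    return ("dv_or_ov", host, None)           # an OV cert with an O field lands here too

def demo():
    dv = der_name([(OID_CN, "www.example.com")])
    ov = der_name([(OID_CN, "www.example.com"), (OID_O, "Example Corp")])
    return {
        "dv": identity_for_ui(dv, [OID_CABF_DV], ROOT_A),
        "ov": identity_for_ui(ov, [OID_CABF_OV], ROOT_A),
        "ev": identity_for_ui(ov, [OID_CABF_EV], ROOT_A),
        # same EV OID, but chained to a root not pinned for it: falls back to non-EV
        "ev_oid_unpinned_root": identity_for_ui(ov, [OID_CABF_EV], ROOT_B),
    }
```

Running `demo()` gives the same "dv_or_ov" answer for the DV and OV subjects, which is the collapse this thread complains about: the O field is present and parsed in the OV case, it is just never shown. The last entry is the reason the check is keyed on the root and not only on the OID: any CA can put 2.23.140.1.1 into certificatePolicies, so the OID alone is not evidence of EV vetting.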
Let me clarify my comment #21:

Changing to actually display the O field for non-EV certs is a completely different bug number (Bug 424182).  To avoid confusion we should limit this bug (Bug 444980) to what can be done to improve the reporting of non-EV messages as long as Mozilla insists on not trusting them.

The message we are discussing is shown in a small tooltip-like box when clicking the padlock in the URL bar, so it needs to stay short.

Removing the message completely would provide even less information to the user, which is the wrong thing to do.

Thus my suggestion to simply change the "(unknown)" to something which is more precise and which hints at its relationship to EV certs would be the way to solve this bug 444980, but not bug 424182.

Possible short strings could be "(Not fully validated)", "(no EV cert)" etc.  Point being the information is not "unknown", it is simply distrusted due to a policy decision by Mozilla bosses.
The point of this bug was to turn a computer-ese message that makes no sense to ordinary people and make the message make sense to ordinary people.

We need to fix the "certificates are hard" perception that is out there, a perception that only exists because the human/computer interfaces are obtuse and confusing.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
This bug is not a duplicate of bug 1029862.  Bug 1029862 is some idiot's harmful implementation of the wrongful suggestion in comment 23.  This bug stands and has only been made worse by the patch in Bug 1029862.
Jakob, name-calling is inappropriate and uncalled-for. If you have a problem with the current implementation, feel free to open a new bug or, better yet, start a discussion on a mailing list.