Add links for certification providers

RESOLVED WONTFIX

(Reporter: rshadow, Unassigned)

(Reporter)

Description

4 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.98 Safari/537.36

Steps to reproduce:

When entering https sites I see the lock icon. If you click on it, it will open a description of the certificate.


Actual results:

I see that the certificate is not trusted. But I do not know how to fix it on my website.


Expected results:

Please add a list of CAs that if "icon is not green." Possibly in the form of sponsored links.
(Reporter)

Updated

4 years ago
Severity: normal → enhancement

Comment 1

4 years ago
Please clarify the STR, Actual results and Expected results.

Would you like to add a troubleshooting help link for users, or would you like to add a recommendation of CA providers? (and why).
Flags: needinfo?(rshadow)
(Reporter)

Comment 2

4 years ago
I think it would be good to show recommendations of certification providers. It should be similar to what is set as the default search provider.
I would like this to bring Mozilla income for the development of their products that I use and love.
Flags: needinfo?(rshadow)

Comment 3

4 years ago
I feel this will damage the neutrality and reputation of foundations...

Anyway, moved to a suitable component, I think.
Assignee: nobody → chofmann
Component: Untriaged → Business Development
Product: Firefox → Marketing
Version: 32 Branch → unspecified
(Reporter)

Comment 4

4 years ago
It is possible to do it otherwise: add one more component in the developer tools. It will be even more correct than my earlier proposal, since it is the developer who needs to obtain a certificate.

Comment 5

4 years ago
I'm not the right owner for this. We have always steered away from trying to raise money related to handling of certs due to the possibility of conflict of interest. gerv or kathleen might have ideas on where to take the discussion or mark as wontfix.
Assignee: chofmann → nobody

Comment 6

4 years ago
Actually, I think the problem is that when the SSL cert fails for some reason, the error that is given doesn't provide useful guidance about what the user and/or site administrator can do to fix the problem. Additionally, there are several types of errors that are not over-rideable, so the user is just stuck (cannot browse to the website in Firefox) without any guidance about what to do.
Is that correct?

Also, it looks like another part of the problem is that the world-icon doorhanger needs to provide useful guidance when the user clicks on "More Info" and sees in the Website Identity box "This website does not supply ownership information." or such. Correct?

If yes to either of those, then I think we should modify the title of this bug to "Provide guidance when SSL cert validation fails".

Perhaps a good place to start would be to add links to 
https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox
and to update that wiki page to have a section about root certs -- If an organization wants to have their cert used by people outside of their organization, without having to manually import the root certificate, then they need to get a cert from one of the included CAs...
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

Comment 7

(In reply to Kathleen Wilson from comment #6)
> Actually, I think the problem is that when the SSL cert fails for some
> reason, the error that is given doesn't provide useful guidance about what
> the user and/or site administrator can do to fix the problem. Additionally,
> there are several types of errors that are not over-rideable, so the user is
> just stuck (cannot browse to the website in Firefox) without any guidance
> about what to do.
> Is that correct?

Yes, but that's in part because the user-education/security/ux balance is really hard here. Changing how "stuck" people get has security implications, and we should not do it lightly.

If we think we're not getting the balance right, I think you and/or Gerv, someone (or two) from the UX team, and someone (or two) from the security team, should talk this over and come up with concrete proposals on what to do instead - we can talk to Gavin/Madhava/Chad I don't think turning this bug ("promote some CAs on non-signed websites") into something it isn't ("make it easier for users to get unstuck when they encounter cert failures") is helpful in this.

> Perhaps a good place to start would be to add links to 
> https://wiki.mozilla.org/SecurityEngineering/x509Certs#Error_Codes_in_Firefox
> and to update that wiki page to have a section about root certs -- If an
> organization wants to have their cert used by people outside of their
> organization, without having to manually import the root certificate, then
> they need to get a cert from one of the included CAs...
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/

This sounds great - please feel free! wiki.m.o is a wiki, so anyone can update that page if they think that's a good idea. :-)

... but that, too, doesn't really address comment #0.

I think comment #5 is correct, and furthermore, from a Firefox UI perspective, I think "buy a cert here" links are useless for the average user - they only have a use for the developer of that particular site (surely less than 0.01% of the people viewing the site), and we shouldn't be including them in such prominent UI. For these reasons, as a Firefox peer, I think this is WONTFIX.

Even for the web developer tools, I would have serious misgivings both because of comment #5 and because of the UI use. The devtools are already pretty full on lower resolutions, and your average web developer should either have a devops person for certs, or be able to search the web for "firefox ssl certificate" or whatever and find what they need. I don't think we need a special section that offers CA suggestions.

I'm going to be bold and mark this as wontfix as originally specified, and if Gerv/Kathleen disagree with the reasoning outlined above, they can reopen.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX

Comment 8

(In reply to :Gijs Kruitbosch from comment #7)
> If we think we're not getting the balance right, I think you and/or Gerv,
> someone (or two) from the UX team, and someone (or two) from the security
> team, should talk this over and come up with concrete proposals on what to
> do instead - we can talk to Gavin/Madhava/Chad

I got distracted mid-comment-editing - I meant to say, we can talk to Gavin/Madhava/Chad about prioritizing adjusting that UI if we believe that's necessary/good.

Comment 9

4 years ago
Just to close this bug out...

>> I see that the certificate is not trusted. But I do not know how to fix it on my website.
 
Bug #1064399 - add a link to more documentation/information on certificate error pages (particularly for non-overridable errors)
We're planning to move https://wiki.mozilla.org/SecurityEngineering/x509Certs into MDN, and then have a "more info" link point to it.


>> Please add a list of CAs 

I added info about CAs here:
https://wiki.mozilla.org/SecurityEngineering/x509Certs#CAs_Included_in_Firefox
(So it'll eventually become part of the MDN page that the "more info" link will point to.)