[Control Center] Show security subview with a warning for unsecure connections

VERIFIED FIXED in Firefox 42

Status


P1
normal
Rank:
1
VERIFIED FIXED
3 years ago
2 years ago

People

(Reporter: ttaubert, Assigned: ttaubert)

Tracking

Trunk
Firefox 42
Points:
2
Bug Flags:
firefox-backlog +
qe-verify +

Firefox Tracking Flags

(firefox42 verified)

Details

(Whiteboard: [fxprivacy] [campaign])

Attachments

(2 attachments)

(Assignee)

Description

3 years ago
Created attachment 8626195 [details]
Design for subview

We currently hide the subview but should show it. Additionally, there should be a warning explaining to users that they might expose sensitive information.
(Assignee)

Updated

3 years ago
Blocks: 1170759
(Assignee)

Updated

3 years ago
Points: --- → 2
Flags: qe-verify+
Flags: firefox-backlog+
(Assignee)

Updated

3 years ago
Version: 34 Branch → Trunk

Updated

3 years ago
Whiteboard: [fxprivacy]

Updated

3 years ago
Priority: -- → P1

Updated

3 years ago
Priority: P1 → P2

Comment 1

3 years ago
So, first hide this in a subview, and then unhide it?
(Assignee)

Comment 2

3 years ago
Created attachment 8627076 [details] [diff] [review]
0001-Bug-1177437-Control-Center-Show-security-subview-wit.patch
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Attachment #8627076 - Flags: review?(MattN+bmo)
(Assignee)

Updated

3 years ago
Iteration: --- → 41.3 - Jun 29
(Assignee)

Comment 3

3 years ago
(In reply to Alfred Kayser from comment #1)
> So, first hide this in a subview, and then unhide it?

I don't understand this comment. This bug is about adding a subview to the control center for unencrypted sites.
(Assignee)

Comment 4

3 years ago
"Your connection to this site is not private. Sensitive information submitted could be exposed to hackers."

Aislinn, is this the final text? It just seems weird to refer to hackers when ISPs and middle boxes are the more likely problem here. Also I think we don't use the term 'hacker' anywhere else :)
Flags: needinfo?(agrigas)

Comment 5

3 years ago
Comment on attachment 8627076 [details] [diff] [review]
0001-Bug-1177437-Control-Center-Show-security-subview-wit.patch

Review of attachment 8627076 [details] [diff] [review]:
-----------------------------------------------------------------

::: browser/base/content/browser.js
@@ +6989,5 @@
>          supplemental += iData.country;
>        break;
>      }
> +    case this.IDENTITY_MODE_UNKNOWN:
> +      supplemental = gNavigatorBundle.getString("identity.not_secure");
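
Review bot: the added case this.IDENTITY_MODE_UNKNOWN assigns the connection-privacy warning to every page that lands in the unknown mode, not only to unencrypted HTTP loads. If other page types can reach this case, a warning about information submitted over the connection will not fit them; either check the scheme before using identity.not_secure or add a comment stating which page types are expected here. The lines shown end at the assignment, so also make sure the case is closed with break; like the one above it.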

In a follow-up can you fix this and the existing doorhanger contents for file: URIs as it says "Connection is not secure" in red text which doesn't seem useful.

::: browser/locales/en-US/chrome/browser/browser.properties
@@ +328,5 @@
>  identity.identified.verifier=Verified by: %S
>  identity.identified.verified_by_you=You have added a security exception for this site.
>  identity.identified.state_and_country=%S, %S
>  
> +identity.not_secure=Your connection to this site is not private. Sensitive information submitted could be exposed to hackers.
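
Review bot: the new identity.not_secure entry has no LOCALIZATION NOTE above it; add one saying the string is the supplemental text shown in the control center security subview, so localizers know the context. The key says not_secure while the text says "not private"; pick one term and use it in both, and if the wording is revised after this lands, rename the key so localization tools pick up the change.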

I agree with Tim that this text is unusual. I think the word attackers would be preferred over hackers.
Attachment #8627076 - Flags: review?(MattN+bmo) → review+
(Assignee)

Comment 6

3 years ago
(In reply to Matthew N. [:MattN] from comment #5)
> In a follow-up can you fix this and the existing doorhanger contents for
> file: URIs as it says "Connection is not secure" in red text which doesn't
> seem useful.

Filed bug 1178163.

Comment 7

3 years ago
(In reply to Matthew N. [:MattN] from comment #5)
> Comment on attachment 8627076 [details] [diff] [review]
> 0001-Bug-1177437-Control-Center-Show-security-subview-wit.patch
> 
> Review of attachment 8627076 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> ::: browser/base/content/browser.js
> @@ +6989,5 @@
> >          supplemental += iData.country;
> >        break;
> >      }
> > +    case this.IDENTITY_MODE_UNKNOWN:
> > +      supplemental = gNavigatorBundle.getString("identity.not_secure");
> 
> In a follow-up can you fix this and the existing doorhanger contents for
> file: URIs as it says "Connection is not secure" in red text which doesn't
> seem useful.
> 
> ::: browser/locales/en-US/chrome/browser/browser.properties
> @@ +328,5 @@
> >  identity.identified.verifier=Verified by: %S
> >  identity.identified.verified_by_you=You have added a security exception for this site.
> >  identity.identified.state_and_country=%S, %S
> >  
> > +identity.not_secure=Your connection to this site is not private. Sensitive information submitted could be exposed to hackers.
> 
> I agree with Tim that this text is unusual. I think the word attackers would
> be preferred over hackers.

Agree - this wasn't reviewed by Matej as he's still working on the document with all the copy needs. For now, we can use the wording we had finalized for the RC4 error page to say: "Your connection to this site is not private. Information you submit could be viewable to others (for example passwords, messages, credit cards, etc.)"

I'll also ping Matej to see where he's at with reviewing the copy for all the 42 items.
Flags: needinfo?(agrigas)
(Assignee)

Comment 8

3 years ago
(In reply to agrigas from comment #7)
> Agree - this wasn't reviewed by Matej as he's still working on the document
> with all the copy needs. For now, we can use the wording we had finalized
> for the RC4 error page to say: "Your connection to this site is not private.
> Information you submit could be viewable to others (for example passwords,
> messages, credit cards, etc.)"

Will take that for now, thanks!

> I'll also ping Matej to see where he's at with reviewing the copy for all
> the 42 items.

Ok, looking forward to having clarity here. The stuff that landed in 41 will have to stick as we just merged yesterday.

Updated

3 years ago
Iteration: 41.3 - Jun 29 → 42.1 - Jul 13

Updated

3 years ago
Rank: 1
Priority: P2 → P1
https://hg.mozilla.org/mozilla-central/rev/3727797fe3fc
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox42: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 41

Updated

3 years ago
Target Milestone: Firefox 41 → Firefox 42
Side note on the copy: you don't send "credit card", eventually you send "credit card information".
QA Contact: catalin.varga

Updated

3 years ago
QA Contact: catalin.varga → mwobensmith
Verified fixed in Fx42.0a1, 2015-07-06.
Status: RESOLVED → VERIFIED
status-firefox42: fixed → verified

Updated

3 years ago
Whiteboard: [fxprivacy] → [fxprivacy] [campaign]