Closed Bug 1196117 Opened 9 years ago Closed 5 years ago

Mixed content icon not consistently displayed

Firefox :: General, defect, P4

RESOLVED WORKSFORME

Reporter: annevk, Unassigned

Whiteboard: [fxprivacy]

On a page with mixed content, the address bar contains the mixed content icon, but if you then click on it, you get the lock icon followed by the domain in the dropdown, rather than the mixed content icon followed by the domain. (It does say "Not Secure", but this should be evident from the icon too I think.)
Whiteboard: [fxprivacy] → [fxprivacy] [triage]
Is the behavior you're describing the one that happens with the following page?

https://people.mozilla.org/~tvyas/mixeddisplay.html

We display a separate yellow triangle in the main panel in that case.
Right, the problem is that the lock appears unbroken.
Visually, this looks consistent with the icon we show in the location bar, where the lock is still closed and has the yellow triangle. However I agree the closed lock icon is inconsistent with the "Connection Is Not Secure" messaging.

I'd like to get confirmation from UX and Tanvi if they see this inconsistency as well.

I'm not sure how we might want to proceed here, maybe show an open lock when the connection is insecure because there is mixed passive content present.
(I tend to think we should go with Chrome and not treat mixed content differently from http:// content. But that might be a tad out of scope.)
I see a few options here for what we can show in the control center:
1) lock with a yellow triangle superimposed over it - the way it is in the url bar.
I think the reason UX decided to have separate icons was to show the user exactly what the meaning of the yellow triangle was with text next to (i.e. mixed passive content or weak crypto).

2) replace the lock with the globe icon and put the yellow triangle underneath it.
This is better because we don't show a full lock for a weak connection.  But, we end up with a lot of different images for the user to process - there's a lock, a yellow triangle, and a globe.

3) Just use the yellow triangle in control center and don't have a lock there at all.

4) Replace the closed lock icon with an open lock icon and leave the yellow triangle as is.
The strikethrough lock is too alarming for the mixed passive case and may hinder HTTPS adoption, but the open lock is not so bad.

Needinfo'ing Aislinn, who is out this week.  Let's see what she thinks.
Flags: needinfo?(agrigas)
(In reply to Tanvi Vyas [:tanvi] from comment #5)
> I see a few options here for what we can show in the control center:
> 1) lock with a yellow triangle superimposed over it - the way it is in the
> url bar.
> I think the reason UX decided to have separate icons was to show the user
> exactly what the meaning of the yellow triangle was with text next to (i.e.
> mixed passive content or weak crypto).
> 
> 2) replace the lock with the globe icon and put the yellow triangle
> underneath it.
> This is better because we don't show a full lock for a weak connection. 
> But, we end up with a lot of different images for the user to process -
> there's a lock, a yellow triangle, and a globe.
> 
> 3) Just use the yellow triangle in control center and don't have a lock
> there at all.
> 
> 4) Replace the closed lock icon with an open lock icon and leave the yellow
> triangle as is.
> The strikethrough lock is too alarming for the mixed passive case and may
> hinder HTTPS adoption, but the open lock is not so bad.
> 
> Needinfo'ing Aislinn, who is out this week.  Let's see what she thinks.

So looking at this again after a while, I do see the issue and am confused as to why we're labeling this as Connection is Not Secure. If it is an https connection isn't that inherently secure even though it has passive mixed content (images) that may not be secure elements? Can we just change the text itself? I don't see an issue with the lock being separated from the yield sign - that is our paradigm for explaining each icon. 

If Google labels their mixed content as 'secure connection' why are we deviating?
Flags: needinfo?(agrigas)
Flags: needinfo?(tanvi)
From https://mixed.badssl.com/ you can see that Chrome (latest builds anyway) does not show the lock icon at all. It does say that your connection to the site is private, which seems wrong given the insecure elements.
(In reply to Anne (:annevk) from comment #7)
> From https://mixed.badssl.com/ you can see that Chrome (latest builds
> anyway) does not show the lock icon at all. It does say that your connection
> to the site is private, which seems wrong given the insecure elements.

They do show the green lock in the dropdown and the closed gray lock in the url bar.
https://www.dropbox.com/s/ef2anjfft9014gk/Screenshot%202015-08-25%2012.01.51.png?dl=0

What we need to answer is 'is the connection itself SECURE or not?' - my understanding was that it was but some page elements are not...
In a more recent Chrome the address bar no longer shows a closed gray lock. It shows the same UI as for HTTP. The dropdown is still somewhat confusing though.

For most sites there is no single connection so what the UI needs to answer is whether all connections collectively are secure or not. Any indication that gives the impression mixed content is secure is wrong. We actively want to get rid of it.
(In reply to Anne (:annevk) from comment #9)
> In a more recent Chrome the address bar no longer shows a closed gray lock.
> It shows the same UI as for HTTP. The dropdown is still somewhat confusing
> though.
> 
> For most sites there is no single connection so what the UI needs to answer
> is whether all connections collectively are secure or not. Any indication
> that gives the impression mixed content is secure is wrong. We actively want
> to get rid of it.

Hmmm I have the latest version for Mac and don't see it. I thought Tanvi had talked with Chrome and they were interested in mimicking our mixed content approach.

If the connection isn't secure - why do we show http in the url bar?
Chrome is thinking about moving mixed active content unblocking to their Origin Information Bubble (i.e. our Control Center).

This bug is about mixed passive content.  Looking at Chrome Release vs Chrome Canary I see different behavior for this mixed passive only test case: https://people.mozilla.org/~tvyas/mixeddisplay.html

* Chrome Release shows a lock with a yellow triangle over it.  Similar to our new UI and the UI they've had for a very long time.

* Chrome Canary shows the icon they use for HTTP pages - a document or white page.

I'm not sure if this change is going to hit release and I hadn't heard about it before.  There has been a lot of discussion about how HTTPS Mixed Passive Content pages look worse than HTTP pages, so maybe they are making this change in an attempt to increase HTTPS adoption.

Anyway, enough about Chrome.  In Firefox, we used to say that the connection was not fully secure.  Now with the new Control Center UI we either say secure, not secure, or local file.  If we say "Secure Connection" in green the way we do for full HTTPS pages, then the user may assume they are browsing a secure site and ignore the yellow triangle and further text.  So the alternative is to say "Connection is Not Secure" which is equivalent to a message on an HTTP page but not worse.  Another thing we could do is add a "Connection partially secure" but that is just confusing.
Flags: needinfo?(tanvi)
Priority: -- → P4
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
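Comments 9 and 11 turn on one question: given that a page is served over many connections, what single state should the indicator report? The following is an added example, not Firefox or Chrome code and not part of this bug, that folds a page's top-level URL and its subresource loads into one state (secure, mixed-passive, mixed-active, insecure) and maps that state to the indicator text the thread discusses. The resource categories, helper names and the sample page are this example's own assumptions.

```javascript
// Added example, not Firefox or Chrome code: derive one page-level security
// state from the top-level URL and the subresources the page loaded, then
// map that state to the indicator text. The resource categories, the
// helper names and the sample page below are this example's own assumptions.

// Subresource kinds the thread calls "mixed passive" (display-only) as
// opposed to "mixed active" (can run code or restyle the page).
const PASSIVE_TYPES = new Set(["img", "audio", "video"]);

// Classify one subresource relative to the document it was loaded from.
// Relative URLs resolve against the top-level URL, as a browser would do.
function classifyResource(topUrl, type, url) {
  const scheme = new URL(url, topUrl).protocol;
  if (scheme === "https:" || scheme === "wss:") return "secure";
  if (scheme === "http:" || scheme === "ws:") {
    return PASSIVE_TYPES.has(type) ? "mixed-passive" : "mixed-active";
  }
  // data:, blob: and other non-network schemes open no connection of their
  // own; they are treated as neutral here (a simplification).
  return "secure";
}

// Collapse all loads into one answer to the question raised in comment 9:
// are the connections behind this page collectively secure?
// Severity order: insecure > mixed-active > mixed-passive > secure.
function pageSecurityState(topUrl, resources) {
  if (new URL(topUrl).protocol !== "https:") {
    return { state: "insecure", offenders: [] };
  }
  const offenders = [];
  let state = "secure";
  for (const { type, url } of resources) {
    const cls = classifyResource(topUrl, type, url);
    if (cls === "secure") continue;
    offenders.push({ type, url, cls });
    if (cls === "mixed-active") state = "mixed-active";
    else if (state === "secure") state = "mixed-passive";
  }
  return { state, offenders };
}

// Indicator text following the thread's position: anything other than
// all-HTTPS must not be labelled secure.
function indicatorLabel(state) {
  return state === "secure" ? "Secure Connection" : "Connection is Not Secure";
}

// Constructed sample: an HTTPS page that pulls one image over plain HTTP.
const SAMPLE_PAGE = {
  topUrl: "https://shop.example/cart",
  resources: [
    { type: "script", url: "/static/app.js" },
    { type: "stylesheet", url: "https://cdn.example/site.css" },
    { type: "img", url: "http://images.example/banner.png" },
  ],
};

// Evaluate the sample page and list what dragged the state down.
function demo() {
  const result = pageSecurityState(SAMPLE_PAGE.topUrl, SAMPLE_PAGE.resources);
  console.log(result.state, "->", indicatorLabel(result.state));
  for (const o of result.offenders) {
    console.log(`  ${o.cls}: <${o.type}> ${o.url}`);
  }
  return result;
}

demo();
```

The offenders list is what a control-center panel would need in order to explain the yellow triangle next to the icon (which element, which URL, passive or active), rather than leaving the user to reconcile a closed lock with "Connection is Not Secure".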
We think the design is sufficient as is for the current release scheduled for 42. We will revisit this after that time.
Blocks: 1216897
No longer blocks: 1188565
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME