Closed
Bug 1241292
Opened 9 years ago
Closed 9 years ago
Revisit "Your login could be compromised" string for Insecure Password Warning
Categories
(Firefox :: Security, defect, P1)
Tracking
Tracking | Status | |
---|---|---|
firefox46 | --- | fixed |
People
(Reporter: tanvi, Assigned: tanvi)
References
(Blocks 1 open bug)
Details
(Whiteboard: [fxprivacy])
Attachments
(2 files, 2 obsolete files)
303.15 KB, image/png
2.94 KB, patch (MattN: review+)
When you visit an HTTP page that has a password field, Nightly (and soon dev edition) will show a degraded UI (lock with strikethrough). When you click on that to open the Control Center, the message says:
"Your login could be compromised".
Matt proposes that we change that string (either in general or just for dev edition) to something that is aimed more at developers. When we are ready to move the feature to the release channel, we can switch to a different string for general users. A couple ideas:
"The login page could be compromised"
"This login page could be compromised" (although this might be a general purpose page that happens to also have a login form)
"Login pages should be served over HTTP"
"Passwords/(Credentials) should not be collected over HTTP"
"Passwords/(Credentials) should be collected over HTTPS"
It depends on who our audience is. We could even have two separate strings - one for dev edition and one for everything else.
Matej, what do you think?
Comment 1•9 years ago
Ideas:
* "Logins on this page could be compromised."
* "Logins entered on this page could be compromised."
Comment 2•9 years ago
I don't want people to think we're saying the site is compromised and I think that saying "your login" in a message targeted to developers could be confusing.
Comment 3•9 years ago
I personally like...
> "Login pages should not be served over HTTP"
It lets the user know exactly why they're receiving the error with a single click of the strike-through lock icon. If they need more information, they can expand the CC via ">" to get more information on the error.
Comment 4•9 years ago
I'm not as familiar with this audience or what will be right for them, but here are the two that sound best to me:
"Logins on this page could be compromised."
"Login pages should not be served over HTTP."
Comment 5•9 years ago (Assignee)
(In reply to Matej Novak [:matej] from comment #4)
> I'm not as familiar with this audience or what will be right for them, but
> here are the two that sound best to me:
>
> "Logins on this page could be compromised."
>
"Logins entered on this page could be compromised." is a little more clear, but longer by 8 characters. What do you think?
> "Login pages should not be served over HTTP."
We will use this version for Nightly and Dev Edition.
Comment 6•9 years ago (Assignee)
All of the strings proposed in comment 5 are two lines instead of one in the Control Center main view. (At least on my Mac.)
Comment 7•9 years ago (Assignee)
Attachment #8711095 - Flags: review?(MattN+bmo)
Comment 8•9 years ago (Assignee)
Comment 9•9 years ago (Assignee)
Comment 10•9 years ago
How about:
> "Logins should not be served over HTTP"
Comment 11•9 years ago (Assignee)
Hmm; trying the patch on a beta build I still see the dev edition warning. So maybe the ifndef doesn't work? We could take that out for now in an attempt to land this before uplift, and just land the dev edition string change.
Comment 12•9 years ago
Comment on attachment 8711095
Bug1241292-01-22-16.patch
Review of attachment 8711095:
-----------------------------------------------------------------
::: browser/locales/en-US/chrome/browser/browser.dtd
@@ +748,5 @@
> <!ENTITY identity.connectionFile "This page is stored on your computer.">
> <!ENTITY identity.connectionVerified1 "You are securely connected to this site, run by:">
> <!ENTITY identity.connectionInternal "This is a secure &brandShortName; page.">
> +<!ENTITY identity.insecureLoginFormsDevEdition "Login pages should not be served over HTTP.">
> +<!ENTITY identity.insecureLoginFormsRelease "Logins entered on this page could be compromised.">
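Review bot: The two entities added at the end of this hunk, identity.insecureLoginFormsDevEdition and identity.insecureLoginFormsRelease, carry no localization note saying which build shows which string, so a localizer sees two near-synonymous warnings with no context. Add a LOCALIZATION NOTE comment above them naming the channel each one targets, or collapse them into a single entity so only one string needs translating and the wording cannot drift between channels.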
I would prefer the 2nd one for dev edition too. "Login pages should not be served over HTTP" feels too jargony even for Dev Edition IMO.
Comment 13•9 years ago (Assignee)
Updated to just use one string everywhere:
Logins entered on this page could be compromised.
Attachment #8711095 - Attachment is obsolete: true
Attachment #8711095 - Flags: review?(MattN+bmo)
Attachment #8711230 - Flags: review?(MattN+bmo)
Updated•9 years ago (Assignee)
Attachment #8711096 - Attachment is obsolete: true
Updated•9 years ago
Attachment #8711230 - Flags: review?(MattN+bmo) → review+
Updated•9 years ago (Assignee)
Assignee: nobody → tanvi
Comment 14•9 years ago
Comment 15•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox46:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Updated•9 years ago
Iteration: --- → 46.3 - Jan 25
Priority: P3 → P1
Comment 16•9 years ago
[bugday-20160323]
Status: RESOLVED,FIXED -> UNVERIFIED
Comments:
STR: Not clear.
Developer specific testing
Component:
Name Firefox
Version 46.0b9
Build ID 20160322075646
Update Channel beta
User Agent Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
OS Windows 7 SP1 x86_64
Expected Results:
Developer specific testing
Actual Results:
As expected