Closed Bug 1252852 Opened 9 years ago Closed 9 years ago

[Android] green locks remove ability to distinguish between EV and non-EV on first sight

Categories

(Firefox for Android Graveyard :: Theme and Visual Design, defect)

42 Branch
Unspecified
Android
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: teamhydro55555, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160210153822

Firefox for Android

Steps to reproduce:

(also in later versions than 42, but started there)
access an https page without EV Cert
access an https page WITH EV Cert
check the URL bar and compare for differences on first sight.

Actual results:

In both cases a green lock is visible; the difference between EV or not can only be seen by clicking on the lock.

Expected results:

EV should be visibly different, like before 42 with the green and gray lock colors. This is especially important because EV certs are the only type of certs that cannot be spoofed using trust store edits.
OS: Unspecified → Android
Component: General → Location Bar
I understand that there is no space to display the company name in a mobile browser, but there should be something to tell them apart immediately.
Margaret, is this the right component?
Component: Location Bar → Theme and Visual Design
Flags: needinfo?(margaret.leibovic)
Product: Firefox → Firefox for Android
(In reply to :Gijs Kruitbosch from comment #2)
> Margaret, is this the right component?

Yes, this is fine. We have multiple people who watch all bugs in the Firefox for Android product, so the exact component isn't that important for us.

Anthony/Sebastian, have you thought about this case?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(s.kaspari)
Flags: needinfo?(margaret.leibovic)
Flags: needinfo?(alam)
I would maybe, instead of grey (or green, which, at least on Android, absolutely should not be the case), make the lock for non-EV blue (like the identity bar has been since FF4, and I must say that I liked the bar pretty much, but the lock icon with the mixed content indication in combination would be really epic). And technically the site name (in case of non-EV) helps against domain spoofing, where someone gets an extremely long subdomain and a cert for it which looks like a legit domain, for example my.hypovereinsbank.de.evilsite.com. On a phone most of the address will vanish due to the lack of space. The identity bar solved the problem by showing the root domain at one glance. I have no idea since when, but the fact that the root is highlighted in the URL bar ever since then is nice, but as I said it won't help if that part of the domain is never shown in the first place.
We addressed long subdomains in bug 1236431 by only showing public suffix + 1 in the URL bar. Over in bug 1249594 I have a patch waiting (already reviewed) to show the certificate owner in the URL bar for websites with EV certificates.
Flags: needinfo?(s.kaspari)
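The "public suffix + 1" derivation mentioned in the comment above, sketched as an added example that is not part of the bug thread and not Firefox's code. The function name `registrableDomain` is hypothetical and `RULES` is a small constructed subset of the Public Suffix List; a real implementation loads the full list.

```javascript
// Constructed subset of Public Suffix List rules (assumption: the real
// list is far larger and is loaded from a maintained copy).
const RULES = ["com", "de", "uk", "co.uk", "*.ck", "!www.ck"];

// Return the public suffix + 1 (registrable domain) for a hostname,
// or null when the host is malformed or is itself a public suffix.
function registrableDomain(hostname, rules = RULES) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  if (labels.some((l) => l === "")) return null; // empty label: malformed
  let suffixLen = 1; // PSL default rule "*": unknown TLDs count as one label
  for (const rule of rules) {
    const isException = rule.startsWith("!");
    const ruleLabels = (isException ? rule.slice(1) : rule).split(".");
    if (ruleLabels.length > labels.length) continue;
    // Compare against the rightmost labels; "*" matches any single label.
    const tail = labels.slice(labels.length - ruleLabels.length);
    if (!ruleLabels.every((r, i) => r === "*" || r === tail[i])) continue;
    if (isException) {
      // Exception rules win: the suffix is the rule minus its leftmost label.
      suffixLen = ruleLabels.length - 1;
      break;
    }
    suffixLen = Math.max(suffixLen, ruleLabels.length); // longest match wins
  }
  if (labels.length <= suffixLen) return null;
  return labels.slice(labels.length - (suffixLen + 1)).join(".");
}

// The spoofing hostname from the earlier comment collapses to the domain
// that actually controls it, which is what a narrow URL bar should show.
console.log(registrableDomain("my.hypovereinsbank.de.evilsite.com"));
```

On a narrow screen, showing only this value keeps the controlling domain visible no matter how many look-alike labels are prepended to the hostname.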
@Sebastian Kaspari Okay, didn't know that it just shows pub suffix + 1. About the other bug: judging from the screen it seems a bit overkill since you can't even see where you are. An interesting way to do it without obscuring the location information (I mean, it is the LOCATION bar) would be that when connecting to an EV'd site there would be something like a pop-up near the lock which says that it is EV-owned by company X, and mark the lock differently, so the user knows later "okay, this is a verified site, I can tap and see who it belongs to". An idea would be, for example, a lock with a checkmark, because an EV cert is very strictly verified. I personally also like the fact that Edge made their DV/OV locks differently, because that way, even without directly showing the company name (which, especially in case of long names like "Mozilla Foundation (US)", takes quite a lot of screen space on smaller devices), you can see at first glance that it is an EV.
Flags: needinfo?(alam)
This was handled by the changes in bug 1249594.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: Firefox for Android → Firefox for Android Graveyard