Consider dropping secure indicators for known unpatched platforms

Status: RESOLVED WONTFIX
Product: Firefox
Component: Security
Priority: P3
Severity: enhancement
Reporter: jkt
Assignee: Unassigned
Tracking: 49 Branch
Whiteboard: [fxprivacy]

(Reporter)

Description

a year ago
On platforms such as Windows XP, where the service is no longer patched by the vendor, we should consider dropping any security indicators.

So when browsing on XP we would likely see only two icons in the URL bar:
- for non secure traffic: a strike through lock
- for secure traffic: no lock or grey lock

A mixed content icon could be considered but perhaps trailing the two might be simpler.

If we use a grey lock clicking on it could be used to explain why we have given them this status.

Dropping all locks for a strike through at all times would probably be too aggressive however.

Comment 1

I think Firefox :: Security is a more appropriate product/component for this (Core :: Security: UI is a bit defunct and will hopefully be going away).
Component: Security: UI → Security
Product: Core → Firefox
(Reporter)

Comment 2

a year ago
Thanks :keeler, I just copied some old bug that was messing with similar code :).

To clarify, this suggestion is for compile targets that we actively support; however, the vendor of the platform has stopped support (not for older platforms we don't support either). The focus is on XP as it's the biggest of the deprecated platforms. This is to inform and educate the users that they have a high chance of being actively attacked and to be careful logging into sites etc.
(Reporter)

Updated

a year ago
Whiteboard: [fxprivacy]
Whiteboard: [fxprivacy] → [fxprivacy][triage]

Comment 3

We're in the process of actually gathering some survey results from Chrome XP users to see what their perceptions are around the messaging in the product (that support has ended). While it's not the same thing (since Chrome is EOL'd on XP), I think it may inform what we should do here. Let's wait for those results. (should be a few weeks max)
Flags: needinfo?(pdolanjski)
Whiteboard: [fxprivacy][triage] → [fxprivacy]

Comment 4

So we ran a survey on Chrome Windows XP users (English only) to see if they've noticed Chrome's end of life message and to see how they interpreted it. Most users did notice it.
50% plan to stick with Chrome despite the end of life (and lack of security updates), but the rest plan to take action as a result.

As such, there is good evidence that a scary lack of further security updates warning will prompt action.  I'd support some sort of UI to inform users of the risks of using a no longer supported OS.  When we end of life, we'll obviously be much more in the user's face about it.
Flags: needinfo?(pdolanjski)

Comment 5

(In reply to David Keeler [:keeler] (use needinfo?) from comment #1)
> I think Firefox :: Security is a more appropriate product/component for this
> (Core :: Security: UI is a bit defunct and will hopefully be going away).

Since "Security" attracts such a grab-bag of misplaced bugs, I was hoping "Security UI" could be a thing to contain the real UI bugs the security team wants to work on (though maybe Firefox::Security: UI).

(In reply to Peter Dolanjski [:pdol] from comment #4)
> So we ran a survey on Chrome Windows XP users (English only) to see if
> they've noticed Chrome's end of life message [...]
> 
> As such, there is good evidence that a scary lack of further security
> updates warning will prompt action.

Which is this bug about? Jonathan proposes not showing the secure-site lock icon (which I think people will not even notice), and you're talking about an in-your-face announcement (which I agree they will notice, though some will then live with). If it's the original concept I'd say just WONTFIX it -- those folks are going away eventually anyway.
Severity: normal → enhancement
Flags: needinfo?(jkt)
Priority: -- → P3
(Reporter)

Comment 6

2 months ago
I agree, I think we have missed the opportunity here unless I understand the timelines incorrectly.
Perhaps an in-your-face announcement would make more sense at the point when we stop patching? Whatever the least work to do may make the most sense.

I'm going to WONTFIX for now, :pdol do you agree?
Status: NEW → RESOLVED
Last Resolved: 2 months ago
Flags: needinfo?(jkt) → needinfo?(pdolanjski)
Resolution: --- → WONTFIX

Comment 7

jkt, would dropping the secure-site lock be a very simple patch/or pref flip for XP/Vista? If so, we could just ship it. If it's any more work, then yes, I agree to WONTFIX. We'll be publishing a new blog post about the EOL date and then will have some in-product prompts the EOL, in general.
Flags: needinfo?(pdolanjski) → needinfo?(jkt)

Comment 8

(In reply to Peter Dolanjski [:pdol] from comment #7)
> jkt, would dropping the secure-site lock be a very simple patch/or pref
> flip for XP/Vista? If so, we could just ship it. If it's any more work,
> then yes, I agree to WONTFIX. We'll be publishing a new blog post about the
> EOL date and then will have some in-product prompts the EOL, in general.

Didn't we say that hiding the icon is unlikely to get the right message across? In any case, I don't think it's worth it at this point.