1330152 - Insecure_passwords SUMO page needs to be updated to support new UI

Status: RESOLVED FIXED

(support.mozilla.org :: Knowledge Base Content, task)

Description

[Paul Theriault [:pauljt] (no longer reading bugmail)]

A new feature is landing to warn users about entering their passwords on insecure pages. Previously we have only shown a subtle indicator (a broken lock icon) but bug 1304224 adds a contextual warning [1]. The warning is much more visible, and so is the "learn more" button, which directs the user to [2] for more info.

We need to update the content at [2] to provide helpful guidance to users trying to understand what they should do when they see this warning.

My concern is that warns the user, but it doesn't tell them how to proceed, and current support page doesnt offer any guidance either (instead it tries to explain the feature).I think we provide some guidance on the MDN page helping to user decide how they proceed: i.e. we might counsel them to:
 - avoid entering a password here if you don't need to login
 - if using insecure wifi (airport, coffee shop etc) perhaps wait till you are home before logging in to this page (though in the long run that's not great advice)
 - if creating an account, choose a new password that matters less if it is compromised

Or something along those lines. Freddy can i ask you to come up with some ideas for this, and then I assume that a SUMO person can help us turn this into website copy? Joni, are you the right person to ask for that support?


[1] https://bug1217150.bmoattachments.org/attachment.cgi?id=8791926
[2] https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords

Comment 1

[Matthew N. [:MattN]]

I'm confused… the title and description mention MDN but the bug is filed in the SUMO product. MDN is a wiki that anyone can edit.

I think both https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox and https://developer.mozilla.org/docs/Web/Security/Insecure_passwords may need updating but those seems like they deserve separate bugs.

Comment 2

[Paul Theriault [:pauljt] (no longer reading bugmail)]

Ah ok, looks like Tanvi gave me the wrong URL. Tanvi told me that the [Learn More] link  for insecure passwords goes to MDN - from testing in nightly it ends up at [1] after a redirect.

The reason I filed it in SUMO is that the content needs a technical writer and considered design so that users are actually helped by clicking the [Learn More] link. But actually looking at the content at [1] it looks a lot better and more what I was expecting (as opposed to the MDN  page) so while I agree both need updating I'm not sure there is security team input required here (hence i released ownership)? 

Maybe just updating the screenshots to also show the contextual warning is all thats needed?

[1] https://support.mozilla.org/en-US/kb/insecure-password-warning-firefox

Comment 3

[Kamil Jozwiak [:kjozwiak]]

I'm going to change the title to SUMO as this is already filed under the SUMO product. Joni, any updates on updating the current insecure passwords SUMO page to reflect the new UI [1]? Should we create a separate issue for the MDN page?

[1] https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

Comment 4

[Tanvi Vyas[:tanvi]]

Kamil, I'm assigning this to you to work with Joni to get this updated by FF 52 release (March 7th).  Thanks!

Comment 5

[Alice Wyman]

Attachment: Fx52-InsecureLogin-signin.png

I attached a Firefox 52 screenshot of the insecure login message in the sign-in box at http://www.foxnews.com (in case it helps)

Comment 6

[Kamil Jozwiak [:kjozwiak]]

Joni, can we update the "Insecure password warning in Firefox" SUMO page [1] to reflect the new UI that's being released tomorrow in FX52. You can take a look at some examples of the new UI in the "Communicating the Dangers of Non-Secure HTTP" [2] blog that both Tanvi and Peter posted under the Mozilla Security Blog. Alice has also attached an example of the new UI in comment#5.

As FX52 is being released tomorrow, it would be nice to have this completed so users who end up clicking on "Learn more" will have up to date information.

[1] https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861
[2] https://blog.mozilla.org/security/2017/01/20/communicating-the-dangers-of-non-secure-http/

Comment 7

[Joni Chan]

We had text in the article to mention the message in the password box, but I've added a screenshot to make it clearer.

https://support.mozilla.org/t5/tkb/articleeditorpage/tkb-id/Protect-Privacy/message-uid/27861

Comment 8

[Kamil Jozwiak [:kjozwiak]]

Whenever I click on the above link while logged in, I get "Access Denied: You do not have sufficient privileges for this resource or its parent to perform this action.". Is there a way that I can access this? Or get the correct permissions?

Comment 9

[Alice Wyman]

(In reply to Kamil Jozwiak [:kjozwiak] from comment #8)
> Whenever I click on the above link while logged in, I get "Access Denied:
> You do not have sufficient privileges for this resource or its parent to
> perform this action.". Is there a way that I can access this? Or get the
> correct permissions?

The link Joni furnished in comment 7 was for the "Edit Article" page.  Joni can grant you the required permission but in the meantime, here's a link to the article itself: https://support.mozilla.org/t5/Protect-your-privacy/Insecure-password-warning-in-Firefox/ta-p/27861

Comment 10

[Kamil Jozwiak [:kjozwiak]]

Awesome, thanks Joni and Alice :) I double checked and made sure that fx52 is correctly loading the updated SUMO page when clicking on the "Learn more" link under the in-context warning message. I'll create a separate bug to address the MDN page [1].

[1] https://developer.mozilla.org/en-US/docs/Web/Security/Insecure_passwords