Closed Bug 1335970 Opened 4 years ago Closed 3 years ago

Consider additional URL bar text to describe not secure status

Categories

(Firefox :: Site Identity, defect, P3)

Tracking

RESOLVED FIXED
Firefox 60
Tracking Status
firefox60 --- fixed

People

(Reporter: jkt, Assigned: jkt)

References

(Blocks 1 open bug)

Details

(Keywords: dev-doc-complete, Whiteboard: [fxprivacy] )

Attachments

(2 files)

This bug is to consider the use of "Not Secure" or similar text, along the lines of the changes that Chrome is considering, to highlight clearly to users when a website is secure.

This is backed by research and explanation here: https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html

This depends on bug https://bugzilla.mozilla.org/show_bug.cgi?id=1310447 (display a warning by default); this bug is just to increase the visibility of the negative indicator.

We should consider if the wording should be "Insecure" or "Not Secure" or another alternative too.
Whiteboard: [fxprivacy] [triage]
Philipp/Ryan, we'd like UX input on this.  Should we get more explicit than the lock icon?
Flags: needinfo?(rfeeley)
Flags: needinfo?(philipp)
Please don't overlook that this bug is fortunately only for a negative text.
I plead for not showing something like "Secure" (even https pages could be evil in some way. The green lock icon is enough).
If http:// is used, please just show that EV bar in red with a "Not secure" text (or "Interceptable" or whatever). It's red in Chromium, too.
I was careful not to suggest the "Secure" text like the one I know Google went with (I have not checked if they dropped it). The dependent bug is going to push the broken lock more.

Something like: https://bug1310447.bmoattachments.org/attachment.cgi?id=8832244
I agree that "Secure" doesn't make sense for HTTPS pages.

We could go a similar route with the suggested urlbar text as with the lock icon and (initially?) only show it where login forms are present (and resolve bug 1310447 by showing the icon on all HTTP pages).

OTOH this makes me think that maybe the in-content warning is enough and we should not add extra clutter to the urlbar. Arguably the most direct threat to the user is logins over HTTP, and that should be covered by the in-content warning pretty well, no?
(In reply to Johann Hofmann [:johannh] from comment #5)
> Arguably the most direct threat
> to the user is logins over HTTP, and that should be covered by the
> in-content warning pretty well, no?

The http-is-insecure-icon pref (+ the text from this bug), which initially won't be enabled by default (?), should be the second image (red warning) from https://security.googleblog.com/2016/09/moving-towards-more-secure-web.html and should get enabled by default when the https adoption rate hits 66% (or whatever).

The current situation with the insecure icon and warnings on sensitive forms is comparable with the first (white) warning on the googleblog and should be okay for the moment.
We discussed this in a meeting with Philipp.
Given that the current primary use case would be communicating that a site which asks for a username/password is "not secure", we believe the in-context warning that will be shipping soon will be more explicit, making the url bar indicator less necessary.  However, in the future, when we get more aggressive about marking http pages as not being secure, we'll likely want something more explicit in the url bar.  As a result, I'm marking this bug as P3.
Flags: needinfo?(rfeeley)
Flags: needinfo?(philipp)
Priority: -- → P3
Whiteboard: [fxprivacy] [triage] → [fxprivacy]
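As an added illustration of the "logins over HTTP" case that the comments above treat as the primary threat, and not code from this bug or from Firefox: a small audit function that, given a page URL and its forms, reports the conditions an indicator like this one is meant to flag. The input shape, the finding names and the sample pages are assumptions made for the example; in a browser you would build `forms` from `document.forms` and pass `location.href` as the page URL.

```javascript
// Added example, not code from this bug or from Firefox. It checks the two
// conditions discussed in the thread: a page served over http:, and a
// password field that ends up posted over http: (including an https: page
// whose form action is an http: URL). Input shapes are assumptions made here.

const INSECURE_PROTOCOLS = new Set(["http:"]);

// Resolve `target` against `base` and say whether it is plain http:.
// Unparseable targets are reported as insecure (a conservative assumption).
function isInsecure(target, base) {
  try {
    return INSECURE_PROTOCOLS.has(new URL(target, base).protocol);
  } catch (e) {
    return true;
  }
}

// forms: [{ action: "<absolute or relative URL; '' = same document>",
//           fields: [{ type: "text" | "password" | ... }] }]
function auditLoginForms(pageUrl, forms) {
  const findings = [];
  const pageInsecure = isInsecure(pageUrl);
  if (pageInsecure) {
    findings.push({ kind: "page-not-secure", url: pageUrl });
  }
  forms.forEach((form, index) => {
    const hasPassword = (form.fields || []).some(f => f.type === "password");
    if (!hasPassword) return; // the thread's concern is credentials, not every form
    // An empty action submits to the document URL itself, like a real <form>.
    const action = form.action ? form.action : pageUrl;
    let target;
    try {
      target = new URL(action, pageUrl).href;
    } catch (e) {
      target = action;
    }
    if (pageInsecure) {
      findings.push({ kind: "password-field-on-http-page", form: index, target });
    } else if (isInsecure(action, pageUrl)) {
      findings.push({ kind: "password-posted-to-http", form: index, target });
    }
  });
  return findings;
}

// Constructed sample input: an http: login page, an https: page whose form
// posts credentials to http:, and an https: page whose protocol-relative
// action resolves to https: and is therefore fine.
const SAMPLES = [
  { page: "http://login.example.test/signin",
    forms: [{ action: "", fields: [{ type: "text" }, { type: "password" }] }] },
  { page: "https://www.example.test/",
    forms: [{ action: "http://auth.example.test/session", fields: [{ type: "password" }] }] },
  { page: "https://www.example.test/",
    forms: [{ action: "//auth.example.test/session", fields: [{ type: "password" }] }] },
];

for (const s of SAMPLES) {
  console.log(s.page, auditLoginForms(s.page, s.forms));
}
```

The second sample is the case a URL-bar indicator alone would miss: the page itself is HTTPS, so the lock is shown, but the credentials still travel over plain HTTP, which is why the in-content warning keyed on the form rather than the page address is the more direct protection for that threat.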
Depends on: 1351684
Blocks: 1351684
No longer depends on: 1351684
Assignee: nobody → jkt
Comment on attachment 8944218 [details]
Bug 1335970 - Add prefs to add "Not Secure" text to insecure pages.

https://reviewboard.mozilla.org/r/214502/#review220552

r=me with the style issue addressed and with the clear understanding that this is experimental and that turning it on for a broader audience requires product buy-in and another Firefox peer review :)

Thanks!

::: browser/locales/en-US/chrome/browser/browser.properties:518
(Diff revision 1)
>  
>  identity.identified.verifier=Verified by: %S
>  identity.identified.verified_by_you=You have added a security exception for this site.
>  identity.identified.state_and_country=%S, %S
>  
> +identity.notSecure.label=Not Secure
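Review bot: `identity.notSecure.label` is added without a `# LOCALIZATION NOTE (identity.notSecure.label): ...` comment above it saying where the string appears (the URL bar identity block, next to the lock icon) and that space there is tight; since the text is gated behind experimental prefs, the note should say that too, so localizers know how prominent the string becomes once it is enabled. Something like `# LOCALIZATION NOTE (identity.notSecure.label): Shown in the URL bar next to the lock icon on non-HTTPS pages; keep it short.` would do.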

If this ever moves out of experiment stage, we should probably work with localizers to make sure that this is translated the way we expect it to. The text is very prominently displayed in the URL bar and it's crucial to get it right in the most used locales.

::: browser/themes/shared/identity-block/identity-block.inc.css
(Diff revision 1)
>  }
>  
> -#urlbar[pageproxystate=valid] > #identity-box.verifiedIdentity,
> -#urlbar[pageproxystate=valid] > #identity-box.chromeUI,
> -#urlbar[pageproxystate=valid] > #identity-box.extensionPage {
> -  padding-inline-end: 8px;
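Review bot: deleting this whole selector list drops `padding-inline-end: 8px` from `.verifiedIdentity`, `.chromeUI` and `.extensionPage` alike, which is broader than adding the new text needs. Keep the existing rule and add `#urlbar[pageproxystate=valid] > #identity-box.notSecureText` to its selector list instead, so the "Not Secure" text gets the same end padding as the EV name without changing the layout of the other identity states.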

Why are you removing this padding? That affects e.g. EV text. Shouldn't you just add a rule for .notSecureText here?
Attachment #8944218 - Flags: review?(jhofmann) → review+
Can you add a screenshot?
Attached image screenshot
Tanvi, here's a version with both the lock and the text.
Status: NEW → ASSIGNED
Pushed by jkingston@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/756a472ff5f1
Add prefs to add "Not Secure" text to insecure pages. r=johannh
https://hg.mozilla.org/mozilla-central/rev/756a472ff5f1
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 60
I've added an entry about this to our Experimental features page:

https://developer.mozilla.org/en-US/Firefox/Experimental_features

Search for ""Not secure" text warning for non-HTTPS sites" to find it.

Let me know if that reads OK. Thanks!
Flags: needinfo?(jkt)
LGTM Chris thanks!
Flags: needinfo?(jkt)