Closed Bug 1341051 Opened 7 years ago Closed 5 years ago

Update support article about connection security indicators (padlock)

Categories

(support.mozilla.org :: Knowledge Base Content, task, P1)

RESOLVED WONTFIX

People

(Reporter: sworddragon2, Assigned: jsavage, NeedInfo)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170131094117



Actual results:

Since the information of https://support.mozilla.org/t5/Protect-your-privacy/How-do-I-tell-if-my-connection-to-a-website-is-secure/ta-p/1637 isn't accurate anymore (as I do see a gray padlock with a red strikethrough while I shouldn't) I'm a bit confused about the padlocks. For example, on taking a detailed look over the padlock at the "Security" register of a site with a gray padlock that has a red strikethrough, it tells me that the site does not support encryption at all. But some other http sites are not showing a padlock at all, which makes this just confusing.


Expected results:

The padlocks should provide more information why they exist. In the example above it would be nice to know what makes the gray padlock with a red strikethrough different from no padlock.
Severity: normal → enhancement
Component: Untriaged → Site Identity and Permission Panels
I guess that just means that the SUMO page needs to be updated. Happy to help with this. 

The "broken lock" icon generally means there's something insecurely non-encrypted about that page. This section: https://support.mozilla.org/t5/Protect-your-privacy/How-do-I-tell-if-my-connection-to-a-website-is-secure/ta-p/1637#w_gray-padlock-with-red-strikethrough already mentions that the lock appears e.g. when mixed content blocking is disabled.

I suppose you're seeing this on an HTTP page with a login form. We need to update the article to mention that as well.
Component: Site Identity and Permission Panels → Knowledge Base Content
Product: Firefox → support.mozilla.org
Version: 51 Branch → unspecified
(In reply to Johann Hofmann [:johannh] from comment #1)
> I guess that just means that the SUMO page needs to be updated.

Probably, but I think Firefox still needs changes to make things more clear.


(In reply to Johann Hofmann [:johannh] from comment #1)
> already mentions that the lock appears e.g. when mixed content
> blocking is disabled.
> 
> I suppose you're seeing this on an HTTP page with a login form. We need to
> update the article to mention that as well.

Settings for mixed content blocking were never changed here and, if I'm not wrong, the permission panel has also not provided the button to en-/disable it while I have seen the gray padlock with a red strikethrough.

So the padlock can now also appear if the connection is completely unencrypted and additionally provides a login form? Then this is probably the reason why I saw the padlock with the red strikethrough.


Besides updating the support page, I think the security panel in Firefox should also provide the details why the gray padlock with the red strikethrough is shown (for example because mixed content blocking was disabled or a login form was detected that has a high potential to leak very sensitive data).

But in my opinion this is made too confusing. Without specific user interaction, that one completely unencrypted site can now show the gray padlock with a red strikethrough while another page can't could lead to the wrong belief of the user that the site with the padlock is more secure while actually the opposite is the case. At least what should be done is designing the gray padlock with a red strikethrough to be more obvious that it is a warning. Many users will probably not interpret a single red strikethrough correctly, so I would recommend mirroring it to form a red cross because this should be really foolproof.

But actually it would probably make more sense to show a padlock on every http and https site. Either:
a) The padlock with the red strikethrough/cross could also be used for http sites without a login form, as being unencrypted is already problematic enough: the site could easily leak sensitive data (private messages, etc.) and the integrity is not protected, so the content could be manipulated, for example with malicious download links (also, users seeing the padlock on every site eventually causes web site owners to migrate to https even faster; based on news I read today, over half of the web sites are now using https).

b) http sites that currently show no padlock could show a new padlock which reflects that the site is unencrypted but not as problematic as if there were a login form on it. For example this could simply be a gray padlock whose shackle is clearly drawn open to reflect that the site is "unlocked" (unencrypted). Optionally, in cases where the gray padlock with a red strikethrough/cross would be shown because of a login form, it could be redrawn to show a gray padlock with an opened shackle where the shackle would be drawn red to reflect that it is more dangerous than the pure gray unlocked padlock (because of the login form).

Actually I'm not sure what should be shown if mixed content blocking got disabled by the user. Doesn't this effectively mean that http and https content are now shown? Maybe this case should just show a similar icon as the gray padlock with the yellow triangle (maybe a red triangle?).
> Besides updating the support page, I think the security panel in Firefox should also provide the details why the gray padlock with the red strikethrough is shown (for example because mixed content blocking was disabled or a login form was detected that has a high potential to leak very sensitive data).

It does. Check if you see a gray text below the "Connection is not secure" warning that says "Logins on this page could be compromised."

Thanks for your additional input on the lock icon. There are a lot of people working on this already and there are a lot of things to consider when doing this. Bug 1335586 is a meta-bug you can look at if you're interested. tl;dr we're slowly moving away from HTTP / moving towards marking HTTP as more insecure.
(In reply to Johann Hofmann [:johannh] from comment #3)
> It does. Check if you see a gray text below the "Connection is not secure"
> warning that says "Logins on this page could be compromised."

You are right, I just took a too-detailed look at the Security panel. So only the update to the support page is left, as I think I should create a new ticket for my padlock suggestions.
Reading the SUMO article again, we should really update it in a timely manner. Things that need to be updated:

- We removed the green padlock with a grey triangle (we only show the green lock in these situations)
- The grey lock with yellow triangle also shows on pages with self-signed certificates
- The "broken" lock also shows on HTTP pages with login forms now.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Padlock in address bar is a bit confusing → Update support article about connection security indicators (padlock)
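The two indicator triggers that a site owner can see in their own markup (a password field on an http page, and http subresources on an https page, which Firefox blocks when active) can be checked offline before the padlock changes in the address bar. The script below is an added example written for this thread, not Firefox's own code or anything from the SUMO article; the HTML it audits is constructed, and certificate exceptions (the third trigger from the list above) are not visible in markup, so it does not cover them.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Firefox treats these http: subresources as active mixed content (blocked
# by default) and these as passive (loaded, but the padlock degrades).
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "link": "href"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}


class IndicatorAuditor(HTMLParser):
    """Collects the markup conditions that degrade the connection indicator."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.scheme = urlsplit(page_url).scheme.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        # An http page carrying a password field gets the struck-through padlock.
        if tag == "input" and a.get("type", "").lower() == "password":
            if self.scheme == "http":
                self.findings.append("insecure-login-form")
        if self.scheme != "https":
            return  # mixed content only exists on https pages
        for table, kind in ((ACTIVE, "mixed-active"), (PASSIVE, "mixed-passive")):
            attr = table.get(tag)
            if not attr or not a.get(attr):
                continue
            if tag == "link" and "stylesheet" not in a.get("rel", "").lower():
                continue  # only stylesheets count, not e.g. <link rel=icon>
            target = urlsplit(urljoin(self.page_url, a[attr]))  # resolves // URLs
            if target.scheme.lower() == "http":
                self.findings.append(f"{kind}:{target.netloc}")


def audit(page_url, html):
    """Return the sorted, de-duplicated findings for one page."""
    parser = IndicatorAuditor(page_url)
    parser.feed(html)
    return sorted(set(parser.findings))


if __name__ == "__main__":
    # Constructed sample: an http login page, as described in this bug.
    sample = '<form action="/login"><input type="password" name="pw"></form>'
    print(audit("http://example.test/login", sample))
```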
(In reply to Johann Hofmann [:johannh] from comment #5)
> - We removed the green padlock with a grey triangle (we only show the green
> lock in these situations)

Couldn't this lead to confusion for the user if a site breaks because http content was silently blocked?

Now I also wonder what would happen if a site mixes https from a trusted certificate and https from an untrusted self-signed certificate as based on https://support.mozilla.org/t5/Protect-your-privacy/Mixed-content-blocking-in-Firefox/ta-p/10990 this seems to not count as mixed content.
Product: support.mozilla.org → support.mozilla.org - Lithium
Assignee: nobody → jsavage
Priority: -- → P1
We've updated the article. Please take a look and let us know if it needs more changes (need info me).
Flags: needinfo?(jhofmann)
We've addressed the suggestions above and also looked at the UI to see if we're missing anything. I'm closing this bug but please reopen if we've missed anything.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
On making a fast look:

- The green padlock with a gray triangle is still shown as an image while it shouldn't (based on comment #5).
- The gray padlock with a red strikethrough does not mention that it does also appear on http sites with a login form (based on comment #5).
Status: RESOLVED → REOPENED
Flags: needinfo?(jsavage)
Resolution: FIXED → ---
Severity: enhancement → normal
Product: support.mozilla.org - Lithium → support.mozilla.org
Yeah, sorry, this doesn't correctly reflect the state of the UI right now. A couple more things in addition to comment 9:

- I wouldn't call the padlock the "Site Identity Button". In my understanding that's the (i) icon next to it. I like just "padlock" or maybe "Site Identity Block/Section/Area".
- Considering this, we shouldn't use this term in sentences like "The Site Identity button (a padlock) appears in your address bar when you visit a secure website.". That can probably be simplified to "A green padlock appears in your address bar ...".
- All screenshots should be updated to a recent version. We should probably wait until Firefox 57 for that, since it will have a new UI anyway. (There are no major changes to when the icons appear in 57, so the content shouldn't need to change).

> This also appears on websites with self-signed certificates that are not issued by a trusted authority. 

Sorry, I think what I actually meant was pages with a user certificate exception. Not sure what I was thinking. A better way to phrase this is:

> This also appears when you have set a security exception for a website to override a certificate error. You can always remove the security exception by opening the control center and clicking the arrow that opens the "Connection Details" panel.

Feel free to edit. Maybe add a big yellow box on how it's not recommended to override certificates and that users should instead contact the website owner :)
Flags: needinfo?(jhofmann)
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX