Closed Bug 1342505 Opened 8 years ago Closed 8 years ago

Enhancing the padlocks in the address bar

Categories

(Firefox :: Site Identity, enhancement)

Product:
Firefox
Component:
Site Identity
Version:
51 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1310447

People

(Reporter: sworddragon2, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0 Build ID: 20170131094117 Steps to reproduce: Initially I have posted this idea at bug #1341051 but I think it makes more sense to create a new ticket for it. Expected results: Here is the relevant part quoted from the linked ticket: (In reply to sworddragon2 from comment #2) > But in my opinion this is made too confusing. Without secific user > interaction that one completely unencrypted site can now show the gray > padlock with a red striketrough while another page can't could lead to the > wrong believing of the user that the site with the padlock is more secure > while actually the opposite is the case. At least what should be done is > designing the gray padlock with a red striketrough to be more obvious that > it is a warning. Many users will probably not interpret a single red > strikethrough correctly so I would recommend to mirror it to form a red > cross because this should be really foolproof. > > But actually it would probably make more sense to show a padlock on every > http and https site. Either: > a) The padlock with the red strikethrough/cross could also be used for http > sites without a login form as being unencrypted is already problematic > enough as the site could easily leak sensitive data (private messages, etc.) > and the integrity is not protected so the content could be manipulated for > example with malicious download links (also users seeing the padlock on > every site eventually causes web site owners to migrate to https even faster > - based on a news I have read today over the half of the web sites are now > using https). > > b) http sites that do currently show no padlock could show a new padlock > which reflects that the site is unencrypted but being not as problematic as > if there would be a login form on it. For example this could be simply a > gray padlock whose shackle is clearly drawn open to reflect that the site is > "unlocked" (unencrypted). Optionally in cases where the gray padlock with a > red striketrough/cross would be shown because of a login form it could be > redrawn to show a gray padlock with an opened shackle where the shackle > would be drawn red to reflect that it is more dangerous than the pure gray > unlocked padlock (because of the login form). > > Actually I'm not sure what should be shown if mixed content blocking got > disabled by the user. Doesn't this effectively mean that http and https > content are now shown? Maybe this case should just show a similar icon as > the gray padlock with the yellow triangle (maybe a red triangle?).
Severity: normal → enhancement
Component: Untriaged → Site Identity and Permission Panels
Thanks for the input, but I think this is largely covered by bug 1310447 which aims to show the strikethrough lock on any insecure (HTTP) page. > Actually I'm not sure what should be shown if mixed content blocking got > disabled by the user. Doesn't this effectively mean that http and https > content are now shown? Maybe this case should just show a similar icon as > the gray padlock with the yellow triangle (maybe a red triangle?). We show the same lock as for insecure logins and I think that's fine.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.