Closed Bug 1354297 Opened 3 years ago Closed 3 years ago

Display certificate expiry in the page info screen

Categories

(Firefox :: Page Info Window, enhancement, P3)

enhancement

Tracking

()

VERIFIED FIXED
Firefox 56
Tracking Status
firefox56 --- verified

People

(Reporter: francois, Assigned: prathiksha, Mentored)

Details

Attachments

(3 files)

Attached image UI proposal
As a developer, I often want to know how much time I have before I need to renew my Let's Encrypt certificate.

Right now, to do this for my site (e.g. https://fmarier.org/), I need to:

1. Click the lock icon to open the control center.
2. Click on the arrow next to "Secure connection" to display the name of the CA.
3. Click on "More information" to open the Security tab of the Page Info dialog.
4. Click on the "View certificate" button.
5. Look for "Expires On" in the "Period of Validity" section of the General tab in the certificate viewer.

I would like to suggest that we display the expiry next to the name of the CA, right in the identity section of the control center. See attached screenshot.
Sounds like a good idea to me! For most non-EV pages this section is mostly whitespace anyway.
We could make this a mentored bug I believe, the information should be available in https://searchfox.org/mozilla-central/source/browser/base/content/browser.js#7057

Jacqueline, are you fine with adding this? One could argue that we should not overload our security information but I would say that the use case is valid and IIRC only a really small amount of users actually used that panel, so the risk of misunderstanding shouldn't be too high.

What do you think?
Mentor: jhofmann
Flags: needinfo?(jsavory)
Priority: -- → P3
Attached image Smaller_Version.png
Hey Johann,

This sounds like a good idea to me, I just have a couple thoughts 

I think this works fine in the case shown, however I'm worried about breaking the height in the smaller versions of the control center, when tracking protection is not enabled (See screenshot). Right now it visually works nicely by keeping the height of the drop down, by adding the expiry date I think it would increase slightly when the user presses the arrow. This is not a blocker if this information is valuable but I wanted to point it out. 

Roughly how often is this information checked? I'm wondering if we could surface the expiry date up to the Page Info level and display it in the website identity section, instead of on the drop down itself. Its only reducing the numbers of clicks by one instead of two but its an option. What do you think?
Flags: needinfo?(jsavory) → needinfo?(jhofmann)
(In reply to Jacqueline Savory [:jsavory] UX from comment #3)
> I think this works fine in the case shown, however I'm worried about
> breaking the height in the smaller versions of the control center, when
> tracking protection is not enabled (See screenshot). Right now it visually
> works nicely by keeping the height of the drop down, by adding the expiry
> date I think it would increase slightly when the user presses the arrow.

It already expands automatically when you visit a site with an EV certificate. Try https://bugzilla.mozilla.org for example (with or without tracking protection).
Right, I was just meaning that in the case that there is no EV certificate, the default view will include a small expansion. Again, this is just a small visual change to consider. Unless this information only shows up on EV certificates? In which case I think its fine to add, sorry I'm still learning about all the different cases. 

Since you guys probably have a better sense than I do about how often this is used, I was just wondering if placing it on the Page info level would be good enough in this case, or if its needed on the control center itself. I'm open to keeping it where you have proposed, just exploring options. :)
(In reply to Jacqueline Savory [:jsavory] UX from comment #5)
> Unless this information only shows up on EV certificates?

Sorry, I didn't mean to suggest it should be restricted to EV. I just found a cool animation we have in the EV case, which I wanted to point out in case you hadn't seen it :)

> Since you guys probably have a better sense than I do about how often this
> is used

It's hard to say because it's not something that one uses very often. For myself, I'd say at least 3/4 of the time I go in there, it's to check expiration dates.
Assignee: nobody → prathikshaprasadsuman
Hm revisiting this and thinking about how often a user would actually be interested in this data (really only occasionally and only for your own page), I think the use case might be so small that it would make more sense to go with jsavory's suggestion of promoting the expiry date in the page info dialog instead. If someone wants this prominently featured they're probably better served with an extension that displays this directly in the UI (which is a nice idea).
Flags: needinfo?(jhofmann)
Comment on attachment 8887372 [details]
Bug 1354297 - Certificate expiry date is displayed in the page info dialog.

https://reviewboard.mozilla.org/r/158220/#review163468

::: browser/base/content/pageinfo/security.js:223
(Diff revision 1)
>      // We don't have valid identity credentials.
>      owner = pageInfoBundle.getString("securityNoOwner");
>      verifier = pageInfoBundle.getString("notset");
>    }
>  
> +  setText("security-identity-validity-value", info.cert.validity.notAfterLocalDay);

info.cert might be null (e.g. for HTTP pages), you'll need to assign this string in the same way that owner and verifier are assigned (see above).
Attachment #8887372 - Flags: review?(jhofmann) → review-
Status: NEW → ASSIGNED
Component: Site Identity and Permission Panels → Page Info Window
Flags: qe-verify+
Summary: Display certificate expiry in the site identity section of the control center → Display certificate expiry in the page info screen
Comment on attachment 8887372 [details]
Bug 1354297 - Certificate expiry date is displayed in the page info dialog.

https://reviewboard.mozilla.org/r/158220/#review167732

::: browser/base/content/pageinfo/security.js:223
(Diff revision 2)
>      }
>    } else {
>      // We don't have valid identity credentials.
>      owner = pageInfoBundle.getString("securityNoOwner");
>      verifier = pageInfoBundle.getString("notset");
> +    validity = "";

We should probably hide the security-identity-validity-row here, it looks a bit weird when it's empty :)
Attachment #8887372 - Flags: review?(jhofmann)
Comment on attachment 8887372 [details]
Bug 1354297 - Certificate expiry date is displayed in the page info dialog.

https://reviewboard.mozilla.org/r/158220/#review167760

Looks good, thank you.

It's a bit unfortunate that we don't have tests for the security part of page info (as far as I know), can you open a bug about this in the Page Info component?

::: browser/base/content/pageinfo/security.js:230
(Diff revision 3)
>    setText("security-identity-owner-value", owner);
>    setText("security-identity-verifier-value", verifier);
> +  if (validity) {
> +    setText("security-identity-validity-value", validity);
> +  } else {
> +    document.getElementById("security-identity-validity-row").setAttribute("hidden", "true");

Nit: Other code in this file just sets .hidden = true, which is also shorter, so you could do that instead of setAttribute.
Attachment #8887372 - Flags: review?(jhofmann) → review+
Comment on attachment 8887372 [details]
Bug 1354297 - Certificate expiry date is displayed in the page info dialog.

https://reviewboard.mozilla.org/r/158220/#review167778

::: browser/base/content/pageinfo/security.js:203
(Diff revision 3)
> -  var owner, verifier;
> +  var owner, verifier, validity;
>    if (info.cert && !info.isBroken) {
>      // Try to pull out meaningful values.  Technically these fields are optional
>      // so we'll employ fallbacks where appropriate.  The EV spec states that Org
>      // fields must be specified for subject and issuer so that case is simpler.
> +    validity = info.cert.validity.notAfterLocalDay;

Another nit: Please re-order this line so that the above comment applies to the if condition below.
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8a21a385ae02
Certificate expiry date is displayed in the page info dialog. r=johannh
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/8a21a385ae02
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 56
I can see certificate "Expires on" in security tab of page info dialog in latest Nightly in Linux(64bit)

Build ID 	20170731100325
User Agent 	Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
QA Whiteboard: [bugday-20170726]
This bug was about "Display certificate expiry in the page info screen" and I have seen the feature being implemented with latest Nightly on Windows 7, 64 Bit!


Build ID   : 20170731100325
User Agent : Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0

[bugday-20170726]
As this bug is verified as fixed in both Linux (comment 19) and windows (comment 20), I am marking this bug as verified fixed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.