Closed Bug 1358918 Opened 3 years ago Closed 2 years ago

[ux] error: insecure connection certificate error copy, design and illustration update

Categories

(Firefox :: General, defect, P1)

Tracking

RESOLVED FIXED
Firefox 57
Tracking Status
firefox57 --- wontfix

People

(Reporter: mheubusch, Assigned: mheubusch)

References

(Blocks 1 open bug)

Details

(Whiteboard: [reserve-photon-visual] [ux])

Update page design, illustration and copy of https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229470847 (Certificate Errors where a user can add an exception) and https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229470852 (Certificate Errors where a user cannot add an exception)


Copy for errors where a user can add an exception: 

<title>Insecure Connection

<h1>This connection is not secure.

<text>Firefox did not connect to <URL> because this website is not configured properly and may not protect your personal information. <a href="https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean">Learn more about secure connection errors and how they protect you online.</a>
[ ] Report this error and others like it to Mozilla so we can help block malicious websites.
[Go Back]  [Try to Connect]

Copy for errors where a user cannot add an exception:
<title>Insecure Connection

<h1>This connection is not secure.

<text>Firefox will not connect to <URL> because this website is not configured properly and may not protect your personal information. <a href="https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean">Learn more about secure connection errors and how they protect you online.</a>
[ ] Report this error and others like it to Mozilla so we can help block malicious websites.
[Go Back]  [See Details]
Status: NEW → ASSIGNED
Flags: qe-verify-
Iteration: 55.4 - May 1 → 55.5 - May 15
Deprecated initial description because the buttons on both types of pages should be identical: Go Back and See Details.

Update page design, illustration and copy of https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229470847 (Certificate Errors where a user can add an exception) and https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229470852 (Certificate Errors where a user cannot add an exception)


Copy for errors where a user can add an exception: 

<title>Insecure Connection

<h1>This connection is not secure.

<text>Firefox did not connect to <URL> because this website is not configured properly and may not protect your personal information. <a href="https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean">Learn more about secure connection errors and how they protect you online.</a>
[ ] Report this error and others like it to Mozilla so we can help block malicious websites.
[Go Back]  [See Details]

Copy for errors where a user cannot add an exception:
<title>Insecure Connection

<h1>This connection is not secure.

<text>Firefox will not connect to <URL> because this website is not configured properly and may not protect your personal information. <a href="https://support.mozilla.org/en-US/kb/what-does-your-connection-is-not-secure-mean">Learn more about secure connection errors and how they protect you online.</a>
[ ] Report this error and others like it to Mozilla so we can help block malicious websites.
[Go Back]  [See Details]
Iteration: 55.5 - May 15 → 55.6 - May 29
Why does the insecure certificate page (and the blocked website and Private Browsing pages) have a different layout than the other content issue pages like https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229484287?

I.e. they have symbolic icons instead of an animal and the icon layout doesn't fit to the drawing layout of the animals. And their text is centered instead of being aligned to the right.

Those differences make the UI inconsistent.

Sebastian
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Flags: needinfo?(mheubusch)
(In reply to Sebastian Zartner [:sebo] from comment #2)
> Why does the insecure certificate page (and the blocked website and Private
> Browsing pages) have a different layout than the other content issue pages
> like https://mozilla.invisionapp.com/share/ZKBC94BPQ#/screens/229484287?
> 
> I.e. they have symbolic icons instead of an animal and the icon layout
> doesn't fit to the drawing layout of the animals. And their text is centered
> instead of being aligned to the right.
> 
> Those differences make the UI inconsistent.

Hi Sebastian, I’ll try to answer your question.

Those pages have a different layout and iconography because they communicate different things.

The ones you saw with the animal communicate problems that aren’t dangerous. On the other hand, the certificate and malware pages communicate problems that may or most definitely threaten your online security. They could install a malicious program, get you to enter your credit card information, or a whole host of other things.

When the problems are simply good to be aware of, we can be friendly (and even whimsical) and want you to take action when appropriate (try again later, restore tabs, etc.). But when the problems are dangerous, we want to be very serious and always want you to go back to safety, because the risk of going forward is real.
Flags: needinfo?(mheubusch)
Blocks: 1394463
Duplicate of this bug: 1394463
Michelle, as I mentioned before, the copy provided in comment 1 is not sufficient for updating the certificate error pages. There are a lot of error states/cases we're currently not covering (see https://revoked.badssl.com/). You mentioned you were in contact with keeler about this, so I would expect that you folks went through the possible states. Is there a document I'm missing? Otherwise I'm happy to help you get a complete overview.

If this is out of scope for Photon (we have two weeks left to land it), please resolve as WONTFIX.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
(In reply to Johann Hofmann [:johannh] from comment #5)
> (see https://revoked.badssl.com/)

That link was meant to be https://badssl.com/

To clarify, I think what I require mostly is copy for clock skew warnings and HSTS (https://subdomain.preloaded-hsts.badssl.com/) though we _could_ integrate the HSTS message into the details box.

There's also the problem that the link text should not be "Learn more about secure connection errors", since the link destination will be variable depending on the type of error we show. This is also problematic on sites like https://pinning-test.badssl.com/ since the top-level text has no connection to the "learn more" link that we display.

It's been some time since we talked about this, I don't really remember if there were more things missing.
Iteration: 55.6 - May 29 → ---
Whiteboard: [photon-visual][ux] → [reserve-photon-visual] [ux]
(In reply to Johann Hofmann [:johannh] from comment #5)

> If this is out of scope for Photon (we have two weeks left to land it),
> please resolve as WONTFIX.

At this point, there are just a couple of days to land strings for 57, so anything more than trivial copy edits is out of scope at this point.

I believe we have other bugs on file for updating the illustrations on some of the error pages, so other stuff will have to wait for a future release after 57.
Status: REOPENED → ASSIGNED
Hi Bram - Can we revisit these pages holistically together?
Flags: needinfo?(mheubusch) → needinfo?(bram)
Michelle, I’ve set up a meeting time to revisit this bug. Let’s do that, and post the result here.
Flags: needinfo?(bram)
(In reply to Bram Pitoyo [:bram] from comment #9)
> Michelle, I’ve set up a meeting time to revisit this bug. Let’s do that, and
> post the result here.

Have you met?
Flags: needinfo?(bram)
Hi Dao, unfortunately, I had an emergency and was sick, and this prevented Michelle and me from meeting last week (even twice, one day after the other).

On our quick indirect sync-up, we wanted these questions answered, and perhaps you and Panos can help us.


Many months ago, Javaun, David, April and Brian gathered a sort of “Top 10” list of error messages that users are likely to encounter. I proposed a copy for each message, but not all the copy was shipped.

So our first question was: we’d like to know whether this document is still current.
https://docs.google.com/document/d/1f04XGaulK-Bf8_w2Zdu-5CW035Fe_eBPY2FPgrAp3Ts/edit


Once we know that it’s up to date, Michelle was thinking to employ either one of these two strategies to rewrite:

1. Make sure the “can override” and “can't override” copy is general enough for each of these instances – this was the strategy I proposed in the document.

or

2. Write specific copy (warning heading and error details) for each error. It will take longer, but each error page will be more accurate and customised to each case.

(The second strategy is probably useful if a significant number of users encounter a variety of error pages during their Firefox usage.)


So our second question is: are all error pages equally likely to show up during a Firefox session, or are there error pages that show up more often than others?
Flags: needinfo?(past)
Flags: needinfo?(dao+bmo)
Flags: needinfo?(bram)
The only work in that old document that isn't completed is the part in the section titled "v2 strings for future review (all copy designated for Advanced dialog)". The single remaining blocker is the date interpolation issue I note in my comment there. That being said, comment 0 suggests that this bug is about modifying the main content, not the part hidden in the advanced section, so I think we can ignore that for the purposes of this bug.

Wennie and keeler have plans for further work in this area that could solve the interpolation issue above and I think they have data to answer your last question, too.
Flags: needinfo?(past) → needinfo?(wleung)
Hi JC and David, please comment on this. Thanks!
Flags: needinfo?(wleung)
Flags: needinfo?(jjones)
Flags: needinfo?(dkeeler)
According to https://mzl.la/2z7WCue , the most frequent error is SEC_ERROR_UNKNOWN_ISSUER at 70% of errors, followed by SSL_ERROR_BAD_CERT_DOMAIN at 19%, and then SEC_ERROR_EXPIRED_CERTIFICATE at 5%. SEC_ERROR_OCSP_INVALID_SIGNING_CERT and SEC_ERROR_OCSP_FUTURE_RESPONSE are at 2%, and everything else is less than a percent of all errors.
Flags: needinfo?(dkeeler)
Flags: needinfo?(dao+bmo)
Thanks for the update, everybody. Pending confirmation from jjones, I’ll summarise the discussion so far over email to Michelle, and she’ll come up with a good messaging strategy here.
Flags: needinfo?(jjones)
Flags: needinfo?(jjones)
Sorry, I have an additional short clarifying question for David.

Out of these 5 errors, which ones can the user add an exception to (i.e. bypass the page)?
Flags: needinfo?(dkeeler)
I don't have anything to add. David will confirm which of those 5 errors can be overridden and which are fatal.
Flags: needinfo?(jjones)
If the site in question isn't HSTS, SEC_ERROR_UNKNOWN_ISSUER, SSL_ERROR_BAD_CERT_DOMAIN, and SEC_ERROR_EXPIRED_CERTIFICATE are overridable. The others are not. If a site is HSTS, no error is overridable.
Flags: needinfo?(dkeeler)
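
The override rule from the comment above, written out as an added example (not part of the bug thread and not Firefox source). The function and constant names are hypothetical; the error codes, the percentages and the "did not connect" / "will not connect" wording are taken from this page.

```javascript
// Added illustration; names are hypothetical, not Firefox source.
// Error codes that are overridable on non-HSTS sites, per the comment above.
const OVERRIDABLE = new Set([
  "SEC_ERROR_UNKNOWN_ISSUER",
  "SSL_ERROR_BAD_CERT_DOMAIN",
  "SEC_ERROR_EXPIRED_CERTIFICATE",
]);

// Decide which error-page variant applies. Fails closed: HSTS takes
// precedence over the error code, and any code not on the allow-list
// (including codes this table has never seen) is treated as fatal.
function certErrorPage(errorCode, isHsts) {
  const canOverride = !isHsts && OVERRIDABLE.has(errorCode);
  return {
    errorCode,
    canOverride,
    // Lead-in wording from the two copy variants proposed in this bug.
    lead: canOverride
      ? "Firefox did not connect to"
      : "Firefox will not connect to",
  };
}

// Percentage of error pages a user could bypass, given a map of
// error code -> percent of all errors and the HSTS state of the sites.
function overridableShare(percentByCode, isHsts) {
  let total = 0;
  for (const [code, pct] of Object.entries(percentByCode)) {
    if (certErrorPage(code, isHsts).canOverride) total += pct;
  }
  return total;
}

// Frequencies quoted earlier in the thread for the three most common errors.
const TOP_ERRORS = {
  SEC_ERROR_UNKNOWN_ISSUER: 70,
  SSL_ERROR_BAD_CERT_DOMAIN: 19,
  SEC_ERROR_EXPIRED_CERTIFICATE: 5,
};

console.log(overridableShare(TOP_ERRORS, false)); // non-HSTS sites
console.log(overridableShare(TOP_ERRORS, true));  // HSTS sites
```
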
I _think_ the stuff here has been completed / superseded by the work jhofmann did.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago → 2 years ago
Resolution: --- → FIXED