Open Bug 1372658 Opened 8 years ago Updated 3 years ago

Update string for insecure password warning based on user research results

Categories

(Firefox :: Security, enhancement, P3)

Product:
Firefox
Component:
Security
Version:
55 Branch
Type:
enhancement

Tracking

()

People

(Reporter: rfeeley, Unassigned)

References

(
URL
)

Details

Attachments

(1 file)

Bug 1372658 - Changing login string to new text.
59 bytes, text/x-review-board-request
Details
Based on user research (URL attached), we are recommending copy updates to the insecure password string. CURRENT This connection is not secure. Logins entered here could be compromised. Learn More PROPOSED Firefox has detected an insecure site. Your password may not be safe. Learn more
Assignee: nobody → jkt
Hi Johnathan: Please the current string with the proposed string? Thanks!
Matt are you the right person to review this. In the latest try everything seems to be working fine. https://treeherder.mozilla.org/#/jobs?repo=try&revision=8f6a487cd775922d0091ac86724281c6eee5dc7d&selectedJob=108806049 I was stung by the whitespace linting rule I wrote hah, so added a comment in the latest revision.
Flags: needinfo?(MattN+bmo)
Comment on attachment 8879898 [details] Bug 1372658 - Changing login string to new text. https://reviewboard.mozilla.org/r/151306/#review163192 ::: toolkit/components/passwordmgr/LoginManagerContent.jsm:15 (Diff revision 3) > +const BRAND_SHORT_NAME = Cc["@mozilla.org/intl/stringbundle;1"] > + .getService(Ci.nsIStringBundleService) Use `Services.strings.createBundle…` ::: toolkit/components/passwordmgr/test/mochitest/test_insecure_form_field_autocomplete.html:22 (Diff revision 3) > + var bs = Cc["@mozilla.org/intl/stringbundle;1"]. > + getService(Ci.nsIStringBundleService); > + var brandName = bs.createBundle("chrome://branding/locale/brand.properties"). `Services.strings` ::: toolkit/components/passwordmgr/test/mochitest/test_password_field_autocomplete.html:100 (Diff revision 3) > +var bs = SpecialPowers.Cc["@mozilla.org/intl/stringbundle;1"]. > + getService(SpecialPowers.Ci.nsIStringBundleService); > +var brandName = bs.createBundle("chrome://branding/locale/brand.properties"). Services.strings ::: toolkit/locales/en-US/chrome/passwordmgr/passwordmgr.properties:77 (Diff revision 3) > insecureFieldWarningDescription2 = This connection is not secure. Logins entered here could be compromised. %1$S > insecureFieldWarningDescription3 = Logins entered here could be compromised. %1$S > +insecureFieldWarningDescription4 = %2$S has detected an insecure site. Your password may not be safe. %1$S Normally we would delete the old strings. Any reason not to do that now? Are we not confident in the new one?
Attachment #8879898 - Flags: review?(MattN+bmo)
We know the new string has issues (e.g. safe is confused with password strength), but performed better in user testing than the original. Would love to keep both so we can avoid the original string riding the trains again.
Hold fire on the review MattN the Services is not always available :(
I'm seeing: 0:00.31 LOG: Thread-1 INFO "CONSOLE_MESSAGE: (error) [JavaScript Error: "ReferenceError: Services is not defined" {file: "resource://gre/modules/LoginManagerContent.jsm" line: 15}]" Locally in the tests which I think is then triggering: 0:00.48 LOG: Thread-3 ERROR ReferenceError: Services is not defined at resource://gre/modules/LoginManagerContent.jsm:15 @resource://gre/modules/LoginManagerContent.jsm:15:7 Pushing to try to see if I am getting the same there.
(In reply to Ryan Feeley [:rfeeley] from comment #0) > PROPOSED > Firefox has detected an insecure site. Your password may not be safe. Learn > more This is a factually unsupported statement, and the site owners who have most publicly complained about the original string misinterpreted it as exactly this and threatened to sue us for defamation. Probably spurious (the internet piled on and tried to teach the site owners why they were wrong) but it's not going to help if we give them more ammunition. Unlike in the previous study on the existing long warning strings and proposed shorter string, none of the participants interpreted the message to mean that the warning was triggered by an insecure internet connection and instead understood that it was related to the webpage they were visiting. But the warning _is_ triggered by an insecure connection. We don't know that the site itself is insecure; all we know is that we have made an insecure connection to that site (which, granted, reflects poorly on the site). In fact, some sites are available over both http: _and_ https:, and faced with an accurate warning a user might get enough information to think of changing the protocol themselves to fix the problem. I do very much like that the new warning clarifies that this is a statement from "Firefox". Would we need a new study to suggest a one-word change? Firefox has detected an insecure connection. Your password may not be safe. Learn more Longer but better blame placing: Firefox has detected this site uses an insecure connection. Your password may not be safe. Learn more
I was hoping we could test "form" (see example) but there was not time. https://ryanfeeley.github.io/password-dropdown/index.html?v=trial-b I have NI:ed our copy writer and user researcher for input.
Flags: needinfo?(mheubusch)
Flags: needinfo?(hmcgaw)
I'd go with the shorter string Daniel proposes: Firefox has detected an insecure connection. Your password may not be safe. Learn more This solves two of the three issues - 1. it indicates the warning comes from Firefox and 2. it highlights the ramification "password not safe" Would it be true to say Firefox has detected an insecure site connection. Your password may not be safe. Learn more That way its not too much longer but includes site and hopefully solves the third problem, which is that many users see connection and think it is their wifi not the http protocol. Daniel, what thinks you?
Flags: needinfo?(mheubusch) → needinfo?(dveditz)
It's true. If it helps solve the third issue and fits better I can live with it. (I personally like the longer "more blamey" form but I understand UX space constraints are strict)
Flags: needinfo?(dveditz)
Changed latest commit to have: Firefox has detected an insecure site connection. Your password may not be safe. Learn more I think it's a little wordy personally maybe there isn't anything perfect here. > This is a factually unsupported statement, and the site owners who have most publicly complained about the original string misinterpreted it as exactly this and threatened to sue us for defamation. I wonder if just checking with legal if we can drop the "connection" word here.
Flags: needinfo?(hmcgaw)
Comment on attachment 8879898 [details] Bug 1372658 - Changing login string to new text. Clearing review since Ryan is talking with the Shield team about a study on this.
Flags: needinfo?(MattN+bmo)
Attachment #8879898 - Flags: review?(MattN+bmo)
Priority: -- → P1
This is blocked on feedback from user research I don't know if it needs to be a P1. If it does we should probably find the right person to assign it to, the code has been implemented etc.
Flags: needinfo?(rfeeley)
Flags: needinfo?(rfeeley) → needinfo?(jsavory)
Jacqueline will be working with Matt Grimes and team to figure out the ideal strings. Hopefully we can find one that works well for credit cards and other information too.
Just getting back and haven't read this whole thread, but saw an issue I thought I would point out right away: (In reply to Ryan Feeley [:rfeeley] from comment #0) > PROPOSED > Firefox has detected an insecure site. Your password may not be safe. Learn > more Many have taken issue with the context of the word "insecure" here. Saying that "insecure" is more of an emotional feeling than a security state. And that instead, we should use "not secure" when referring to the connection state. I've never been 100% convinced of this, so it is hard for me to argue the position, but we should probably take it up with ekr or dveditz and see what they say.
The actual string change is the slightly longer "Firefox has detected an insecure site connection. Your password may not be safe. Learn more" (see comment 17) It's a compromise string that seems to be an improvement based on the previous study, but as that study points out we need to do more studies of various alternatives. I've never heard of anyone interpreting "insecure" as the mental state of the server. The literal "not secure" meaning is ancient compared to the psychological meaning. Since there's no human in this context (or even anthropomorphic robot) it seems like a leap to apply to this warning.
I tend to agree with dveditz that "insecure" isn't great and it does in fact seem even less great when applied to the site and not to the connection. Given that Chrome is moving towards "Not secure" for their iconography, wouldn't that be sensible for us to stick with
I have no problem using "insecure" as a synonym for "not secure" -- that's what it literally means! -- but if the fashion is to spell it "not secure" that's fine, too. That word choice doesn't change the murkiness of blaming the site vs. the connection. The limited user studies we've done seem to say that users get a more accurate sense of the problem when we blame the site (the site should fix this) vs. the connection (better not log in from Starbucks. is my home network hacked?).
Removing me as the assign until the wording has been agreed on.
Assignee: jkt → nobody
Moving to p3 because no activity for at least 24 weeks.
Priority: P1 → P3
See Also: → 1601442

What if we focus on the risk that HTTP connection implies? "Insecure" or "not secure" is an opinion. What users need to know is that

Connection is not encrypted. Your username and password will be visible to anyone between your computer and web site.

Clear a needinfo that is pending on an inactive user.

Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.

For more information, please visit auto_nag documentation.

Flags: needinfo?(jsavory)
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: