Closed Bug 1391612 Opened 7 years ago Closed 7 years ago

add button on http websites to change to https

Categories: Firefox :: Site Identity, defect
Version: 55 Branch
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED WONTFIX
People: Reporter: dev, Unassigned
References: Blocks 1 open bug
Attachments: 2 files

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.90 Safari/537.36
Build ID: 20170814061754
Expected results:
Firefox displays a gray lock icon, if you connect to a website using HTTP. If there is a login form, the icon is even stroked.
It would be nice if there were a way to change to the HTTPS page with only 1 (or 2) clicks.
There could be a button "Change to secure website", when you click on the stroked lock icon below the text "Connection is Not Secure".
Component: Untriaged → Site Identity and Permission Panels
(In reply to sedrubal from comment #0)
> It would be nice if there were a way to change to the HTTPS page with only 1 (or 2) clicks.
>
> There could be a button "Change to secure website", when you click on the stroked lock icon below the text "Connection is Not Secure".
(I'm just a Nightly user.)
Hi, every step to more https is good.
I think this addon should fit your expectations: https://addons.mozilla.org/firefox/addon/add-https/
Personally, I like this addon: https://addons.mozilla.org/firefox/addon/smart-https-revived/
Or look here for other https addons: https://addons.mozilla.org/firefox/search/?q=https&appver=57.0
Firefox itself could do bug 1002724 at first and bug 1158191 later. So I plead for wontfix.
I agree that this is better left for an add-on and that if we have a good way of determining when we can actually offer this button (it's quite a complex question), we could solve the bugs for doing this automatically (without explicit user action).
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Thanks for your opinions. I also think that bug 1158191 would make this feature unnecessary, but as we can see in the comments, it's very hard to implement and might take some months/years. I think bug 1002724 is imho unrelated.
I thought this button might be the consequent next step. It mostly helps non-power users (who will never install such HTTPS plugins, even if I agree that most of them are very nice).
Currently Firefox says "This connection is not secure - Logins entered on this page could be compromised", but there is no way shown to solve this problem. A normal user, who doesn't know HTTPS, may think kthxbai. A button in this panel gives an intuitive way to solve the problem.
It's ok for me if you decide to keep this closed, but I'd be happy if you think about it.
(In reply to sedrubal from comment #3)
> I also think that bug 1158191 would make this feature unnecessary
I would say that bug is more about performance when you open a website, so you wouldn't have to wait for a redirection (if the website doesn't use HSTS and/or HSTS preloading).
> I thought this button might be the consequent next step. It mostly helps non power users (which will never install such HTTPS plugins, even if I agree, that most of them are very nice).
Non-power users should just install https://addons.mozilla.org/firefox/addon/https-everywhere/ so they don't get upset about possible errors etc.
> Currently Firefox says "This connection is not secure - Logins entered on this page could be compromised", but there is no way shown to solve this problem.
First of all site operators should do it right. If they offer http + https without a redirection from http to https you have to ask yourself why they are that crazy. Maybe they're doing a lot more wrong.
> Created attachment 8898760 [details]
Regarding your screenshot of vgn.de: https://www.hardenize.com/report/vgn.de
Would you mind mailing them their report? You could go around and test some other websites and mail the report to the site operator, if you want to have a huge impact towards more (and secure) https. Thank you.
My local public transport also has bad results, but at least they have a http-to-https redirection: https://www.hardenize.com/report/uestra.de/1503064304#www_http
An example of how it could/should look: https://www.hardenize.com/report/perfektesgewicht.de
(Hardenize is from the founder of SSL Labs, so I think it's okay to link to it here.)
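
The server-side situations the comment above distinguishes (HTTP and HTTPS offered without a redirect, a redirect alone, and a redirect plus HSTS or preloading), as an added example that is not part of the original thread or of Firefox's code. The host names, response objects and category labels are constructed for illustration; the preload thresholds follow the hstspreload.org submission requirements.

```javascript
// Added example; hosts and responses below are constructed.
// Parse a Strict-Transport-Security value (RFC 6797); null if max-age is missing.
function parseHsts(value) {
  if (!value) return null;
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [rawName, rawVal] = part.split("=");
    const name = rawName.trim().toLowerCase();
    if (name === "max-age" && rawVal !== undefined) {
      const v = rawVal.trim().replace(/^"|"$/g, "");
      if (/^\d+$/.test(v)) out.maxAge = Number(v);
    } else if (name === "includesubdomains") out.includeSubDomains = true;
    else if (name === "preload") out.preload = true;
  }
  return out.maxAge === null ? null : out;
}

// Classify a site from its plain-HTTP response and its HTTPS response.
function classify(site) {
  const { status, headers } = site.http;
  let redirects = false;
  if (status >= 300 && status < 400 && headers.location) {
    // Relative Location values resolve against the HTTP origin, so they stay HTTP.
    redirects = new URL(headers.location, `http://${site.host}/`).protocol === "https:";
  }
  // HSTS counts only when delivered over HTTPS; the header on plain HTTP is ignored.
  const hsts = parseHsts(site.https.headers["strict-transport-security"]);
  const active = hsts !== null && hsts.maxAge > 0;
  if (!redirects) return active ? "no-redirect-hsts-after-first-https-visit" : "http-and-https-no-redirect";
  if (!active) return "redirect-only"; // every first request still goes out over HTTP
  // Thresholds from the hstspreload.org submission requirements.
  const ready = hsts.preload && hsts.includeSubDomains && hsts.maxAge >= 31536000;
  return ready ? "redirect-hsts-preload-eligible" : "redirect-hsts";
}

const SAMPLES = [
  { host: "a.example.test", http: { status: 200, headers: {} },
    https: { status: 200, headers: {} } },
  { host: "b.example.test", http: { status: 301, headers: { location: "https://b.example.test/" } },
    https: { status: 200, headers: {} } },
  { host: "c.example.test", http: { status: 301, headers: { location: "https://c.example.test/" } },
    https: { status: 200, headers: { "strict-transport-security": "max-age=63072000; includeSubDomains; preload" } } },
];
function report() { return SAMPLES.map((s) => `${s.host}: ${classify(s)}`); }
console.log(report().join("\n"));
```
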
I'm thinking of a button like it is used to temporarily disable tracking protection. It seamlessly integrates in the UI and it shows a way to solve problems when the page looks broken because of tracking protection.
> Non-power users should just install https://addons.mozilla.org/firefox/addon/https-everywhere/
Non-power users don't know what HTTPS is and they will never install any addon and this is ok.
> First of all site operators should do it right.
They will never do it right.
> Maybe they're doing a lot more wrong.
The user can't change this but they most often have to use this service.
> Would you mind mailing them their report?
This does not solve the issue, that there are thousands of sites with the same problem.
> a good way of determining when we can actually offer this button
I think, if the text says something like "Try reloading this page using a secure connection" the button can always be displayed without determining if HTTPS is working properly.
---
To make it more clear and to show an example where Firefox already shows a way to solve another problem in exactly the same way I suggested, I added a screenshot of the "Disable protection on this site" for tracking protection.
This is no forum and we should keep it brief, otherwise we get exhorted. :/
(In reply to sedrubal from comment #6)
> They will never do it right.
At least in Germany we have laws that you *must* do it "state of the art". § 13 (7) TMG
If such a site operator makes many more mistakes, your private data could be open to the internet. Unacceptable.
> This does not solve the issue, that there are thousands of sites with the same problem.
Mail them their report and criticize that they are breaking laws. Otherwise you would contact people that will enforce the laws and/or inform the press then. In most cases they will fix it. There are business associations. You could mail them to tell their members.
> I think, if the text says something like "Try reloading this page using a secure connection" the button can always be displayed without determining if HTTPS is working properly.
You said "Non-power users don't know what HTTPS is". You are suggesting something on the client side of https that can't solve the underlying problems. :/
An addon can perfectly provide the desired functionality for you. You could install HTTPS Everywhere in your friends' browsers and that's it. The rest of the work has to be done on the server side. And it's already getting better with time.