Closed Bug 1412658 Opened 7 years ago Closed 7 years ago

Introduce a separate "TLS works but it's horrible" state for bad sites

Categories

(Firefox :: Site Identity, defect)

58 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 942136

People

(Reporter: u580221, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:58.0) Gecko/20100101 Firefox/58.0
Build ID: 20171028100423

Steps to reproduce:

When discussing the removal of 3DES, examples like this site were brought up as a compatibility reason why it couldn't be disabled:

https://www.ssllabs.com/ssltest/analyze.html?d=client00.chat.mibbit.com&latest (in case this changes later: currently it shows rating "F" due to the abysmal server configuration)

While I understand people still need to use such sites, I don't understand AT ALL why this needs to be rewarded with the green padlock to allow people to do that. The very minimum for such super broken sites should be that, while they might still be allowed to work, there is a super clear indication that communicating with them is nevertheless most likely NOT notably safe.

Therefore, I suggest you sit down and make a list of the ciphers that are actually regarded as safe by industry standards, then for the others show a broken padlock like HTTP or something else that indicates that while connecting is possible, it is not safe. The proper operation of a useful security indicator (green padlock) shouldn't be thrown out of the window entirely just because some folks can't keep their server configurations up to date.
Component: Untriaged → Site Identity and Permission Panels
This is bug 942136 but the other way around, so I think I can safely dupe :)
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE