Add an indicator in the identity popup for when the site is verified by an imported root certificate
Categories: Firefox :: Site Identity, enhancement, P1

Tracking

 | Tracking | Status
---|---|---
firefox68 | --- | fixed

People: Reporter: johannh, Assigned: johannh

Attachments: 3 files
We are planning to enable automatically importing custom root certificates from the OS store if it would fix a MitM error. To give the user more visibility into whether an imported issuer is verifying their connection security, we want to add a new message in the identity popup.
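The decision the description above calls for is: the chain verifies, but the root it verifies to is not one the browser ships, so a separate indicator is shown. The following is an added example, not Firefox's own code (Firefox makes this call in NSS/mozilla::pkix and the identity-popup front end). It models that decision in Python with the `cryptography` library: two self-signed roots are generated in memory, one standing in for the built-in root store and one for an enterprise root imported from the OS, a leaf for the same hostname is issued from each, and `classify_chain` returns which identity state applies. The CA names, the state labels, the `www.example.com` leaf and the pinned clock are all constructed for the illustration; the two indicator strings are the ones settled on in comment 22.

```python
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Pinned "current time" (naive UTC) so validity checks are reproducible.
NOW = datetime.datetime(2019, 6, 1, 12, 0, 0)

# Identity-popup states used by this example (constructed labels).
SECURE = "secure"
SECURE_CUSTOM_ROOT = "secure-custom-root"
UNVERIFIED = "unverified"
INDICATOR_TEXT = {
    SECURE_CUSTOM_ROOT: (
        "Connection verified by a certificate issuer that is not recognized by Mozilla.",
        "Mozilla does not recognize this certificate issuer. It may have been added "
        "from your operating system or by an administrator.",
    ),
}


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def make_root(common_name):
    """Self-signed ECDSA P-256 CA certificate; returns (cert, private_key)."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return cert, key


def issue_leaf(root_cert, root_key, hostname):
    """End-entity certificate for `hostname`, signed directly by the root."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(root_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(NOW - datetime.timedelta(days=1))
        .not_valid_after(NOW + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
        .sign(root_key, hashes.SHA256())
    )


def fingerprint(cert):
    """SHA-256 over the DER encoding, the usual key for a root-store lookup."""
    return cert.fingerprint(hashes.SHA256()).hex()


def _validity_window(cert):
    # cryptography >= 42 adds timezone-aware accessors; older releases only have the naive UTC ones.
    if hasattr(cert, "not_valid_before_utc"):
        return (cert.not_valid_before_utc.replace(tzinfo=None),
                cert.not_valid_after_utc.replace(tzinfo=None))
    return cert.not_valid_before, cert.not_valid_after


def classify_chain(leaf, root, builtin_fingerprints, now=NOW):
    """Identity-popup state for `leaf` verified against `root`.

    Only issuer name, signature and validity are checked (a real verifier also
    does hostname, EKU, name constraints, revocation). The step being shown is
    the last one: a chain that verifies to a root outside the built-in set gets
    the custom-root indicator instead of the plain secure state.
    """
    if leaf.issuer != root.subject:
        return UNVERIFIED
    try:
        root.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                 ec.ECDSA(leaf.signature_hash_algorithm))
    except InvalidSignature:
        return UNVERIFIED
    not_before, not_after = _validity_window(leaf)
    if not (not_before <= now <= not_after):
        return UNVERIFIED
    return SECURE if fingerprint(root) in builtin_fingerprints else SECURE_CUSTOM_ROOT


# Constructed scenario: one root the browser "ships", one enterprise root
# imported from the OS that issues a certificate for the same hostname.
ROOT_PUBLIC, ROOT_PUBLIC_KEY = make_root("Example Public Root CA")
ROOT_ENTERPRISE, ROOT_ENTERPRISE_KEY = make_root("Example Corp TLS Inspection CA")
BUILTIN_ROOTS = {fingerprint(ROOT_PUBLIC)}
LEAF_PUBLIC = issue_leaf(ROOT_PUBLIC, ROOT_PUBLIC_KEY, "www.example.com")
LEAF_INTERCEPTED = issue_leaf(ROOT_ENTERPRISE, ROOT_ENTERPRISE_KEY, "www.example.com")

if __name__ == "__main__":
    for label, leaf, root in [("public CA", LEAF_PUBLIC, ROOT_PUBLIC),
                              ("enterprise CA", LEAF_INTERCEPTED, ROOT_ENTERPRISE),
                              ("wrong root", LEAF_INTERCEPTED, ROOT_PUBLIC)]:
        state = classify_chain(leaf, root, BUILTIN_ROOTS)
        print(f"{label:14s} -> {state}")
        for line in INDICATOR_TEXT.get(state, ()):
            print("    " + line)
```

The membership test is on the root's fingerprint, not its subject name, because an imported root can carry any name it likes; a lookup keyed on the name would let a locally added root masquerade as a built-in one. Note also the point raised later in the thread: a root reached through a third-party PKCS#11 module is neither built in nor individually imported, and a fingerprint-set check like this one would report it as a custom root.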
Comment 1•5 years ago (Assignee)
Comment 2•5 years ago (Assignee)
Comment 3•5 years ago (Assignee)
Comment 4•5 years ago (Assignee)
Unfortunately, writing tests for this isn't really supported by our infrastructure AFAICT. The feature is simple enough that I can live with that.
Comment 5•5 years ago (Assignee)
Betsy, Wayne, we're about a week away from string freeze, so as mentioned on Slack I just made up my own copy for this and would love to get feedback:
The connection to this page has been verified by a third party that is not known to Firefox.
and
This certificate issuer is not known to Firefox. It could be a software on your computer or network.
(See screenshots above)
It would be great if both of you could briefly either sign it off or make suggestions for improvement. I'm happy to answer any questions you might have.
Thank you!
Comment 6•5 years ago (Assignee)
(In reply to Johann Hofmann [:johannh] from comment #4)
> Unfortunately, writing tests for this isn't really supported by our infrastructure AFAICT. The feature is simple enough that I can live with that.
Ok, backtracking on this, try just made me realize that this indicator will in fact be shown on literally all our https test pages because our test roots are also not treated as built-in. Since this is an identity popup only thing that's probably fine, the number of failing tests is quite low (seems to be only one about focus order).
So I'll fix that test up and add a small new one for the feature, then we should be good to go.
Comment 7•5 years ago
(In reply to Johann Hofmann [:johannh] from comment #5)
> Betsy, Wayne, we're about a week away from string freeze, so as mentioned on Slack I just made up my own copy for this and would love to get feedback:
> The connection to this page has been verified by a third party that is not known to Firefox.
> and
> This certificate issuer is not known to Firefox. It could be a software on your computer or network.
> (See screenshots above)
> It would be great if both of you could briefly either sign it off or make suggestions for improvement. I'm happy to answer any questions you might have.
> Thank you!
Drive-by English review: "a software" is "wrong" in the sense that generally "software" is an uncountable noun[1] - it's analogous to hardware and it wouldn't feel right to say "a hardware". Suggestions: "software", "a piece of software", "other software", etc. - but I'll stop there with my drive-by.
Comment 8•5 years ago (Assignee)
Ok, thanks, we can just drop the "a", I think.
Comment 9•5 years ago
My opinion is that we'd be better off with a statement aimed at a more technical user, such as:
Firefox imported this trust anchor from your operating system.
My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".
Comment 10•5 years ago (Assignee)
(In reply to Wayne Thayer [:wayne] from comment #9)
> My opinion is that we'd be better off with a statement aimed at a more technical user, such as:
> Firefox imported this trust anchor from your operating system.
We don't know this for sure, we just know that it was imported by someone. We're not storing information on who imported it, exactly.
> My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".
Why? :)
Comment 11•5 years ago
(In reply to Johann Hofmann [:johannh] from comment #10)
> (In reply to Wayne Thayer [:wayne] from comment #9)
>> My opinion is that we'd be better off with a statement aimed at a more technical user, such as:
>> Firefox imported this trust anchor from your operating system.
> We don't know this for sure, we just know that it was imported by someone. We're not storing information on who imported it, exactly.
Okay, that makes sense.
>> My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".
> Why? :)
The connection between an unknown issuer and software on my computer isn't obvious. My first thought would be malware (which is of course a possibility). Also, I don't make the connection between "software on my network" and a MitM proxy.
How about:
'This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator'
Comment 12•5 years ago (Assignee)
Ok, that sounds like a good wording to me, so, just to avoid misunderstandings, the full set of strings would be:
The connection to this page has been verified by a third party that is not known to Firefox.
(stays the same?)
and
This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator.
Comment 13•5 years ago
Yes, I am satisfied with both of those. Hopefully "not native to Firefox" is a phrase that is not too difficult to translate.
Comment 14•5 years ago
The "not native" in the second string strikes me as odd, but the following sentence clears it up.
The first string sounds dangerously close to "unknown issuer". Folks might wonder if it's not known to us (implied "at all") then why did we accept the connection? And technically the issuer is "known" to Firefox (by virtue of being installed locally), it's just not known by Mozilla. Maybe "built into Firefox" would be better for both strings?
If we go that way (either "known to Mozilla" or "built into Firefox") then there's the edge case of having an alternate PKCS11 module. Those aren't known by Mozilla or "built in", but they won't count as individually-installed MITM roots either. Then again, people who have those probably won't see this string and won't be bothered. Do we have telemetry on the use of pkcs11 modules? Even if we do we may not trust the numbers because I would expect it to be most common in enterprise settings which have a higher rate of turning off telemetry.
Comment 15•5 years ago (Assignee)
Welcome to the bikeshed! :)
(In reply to Daniel Veditz [:dveditz] from comment #14)
> The "not native" in the second string strikes me as odd, but the following sentence clears it up.
I agree that "native" feels odd in that context.
> The first string sounds dangerously close to "unknown issuer". Folks might wonder if it's not known to us (implied "at all") then why did we accept the connection? And technically the issuer is "known" to Firefox (by virtue of being installed locally), it's just not known by Mozilla. Maybe "built into Firefox" would be better for both strings?
Yeah, when I write "not known to Firefox" I really mean "the makers of Firefox" so I wouldn't mind writing "not known to Mozilla" or "not built into Firefox". Or maybe "not integrated into Firefox"?
> If we go that way (either "known to Mozilla" or "built into Firefox") then there's the edge case of having an alternate PKCS11 module. Those aren't known by Mozilla or "built in", but they won't count as individually-installed MITM roots either. Then again, people who have those probably won't see this string and won't be bothered. Do we have telemetry on the use of pkcs11 modules? Even if we do we may not trust the numbers because I would expect it to be most common in enterprise settings which have a higher rate of turning off telemetry.
Right, my gut feeling says we can safely disregard that for now and fix this edge case if it ever comes up. The important thing to remember is also that this is a secondary UI warning which can easily be ignored.
I'll ping Betsy as we should really land this week...
Comment 16•5 years ago
Hi Johann - Betsy and I just chatted about this. How does this work?
This connection has been verified by a certificate issuer that is not native to Firefox.
Firefox has trusted this certificate. It may have been imported from your operating system or added by an administrator.
Comment 17•5 years ago (Assignee)
Thanks Michelle, just to make sure we're on the same page, there are two pieces of copy here, one is on the first panel of the identity popup (see comment 2) and the other on the sub-panel (see comment 3), the copy you provided in comment 16 looks like it's meant for the sub-panel. Do you think the proposed text for the main panel ("The connection to this page has been verified by a third party that is not known to Firefox.") is fine then? :)
Comment 18•5 years ago
No - I meant for this sentence to be on the main panel: This connection has been verified by a certificate issuer that is not native to Firefox.
"not known" seems sketchy - I changed it to "not native" because it seems to be more descriptive and may raise fewer questions.
Comment 19•5 years ago (Assignee)
Thanks! I'm going to assume that "Firefox has trusted this certificate. It may have been imported from your operating system or added by an administrator." is supposed to mean "Firefox has trusted this certificate issuer. It may have been imported from your operating system or added by an administrator."
I don't really see any reason to include the trust part, though. It strikes me as odd in the visual context shown in comment 3. There needs to be some form of warning. Can we settle on:
This connection has been verified by a certificate issuer that is not native to Firefox.
and
This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator.
I still kind of dislike the word "native", but I would take it as a compromise.
I'll land this tonight unless anyone wants to veto.
Thoughts?
Comment 20•5 years ago
The text in comment 2 is too long IMO.
Secure Connection
⚠ Not trusted by Mozilla. Local exception found.
Verified by: Snake Oil
⚠ This certificate issuer is not trusted by default. It may have been imported from your operating system or added by an administrator. Learn more
Comment 21•5 years ago (Assignee)
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #20)
> The text in comment 2 is too long IMO.
> Secure Connection
> ⚠ Not trusted by Mozilla. Local exception found.
> Verified by: Snake Oil
> ⚠ This certificate issuer is not trusted by default. It may have been imported from your operating system or added by an administrator. Learn more
Yeah, I somewhat agree but this is difficult to get perfectly right. "Trust" is a complicated and overloaded term in PKI that I would personally like to avoid.
Comment 22•5 years ago (Assignee)
Ok, I talked with Michelle for a while and we settled on the following strings for landing in 68:
Connection verified by a certificate issuer that is not recognized by Mozilla.
and
Mozilla does not recognize this certificate issuer. It may have been added from your operating system or by an administrator. [Learn More]
If anyone has strong feelings about this we can still talk about it more later, but for now I'm making the call on landing this before we miss merge day.
Comment 23•5 years ago
Pushed by jhofmann@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/56f2b4cb0818 Add an indicator in the identity popup for when the site is verified by an imported root certificate. r=nhnt11
Comment 24•5 years ago (bugherder)
Comment 25•5 years ago
I know this already went live, but in light of #1567114, has there been any thought given to whether the "secure" indicator (green padlock) should be given a different appearance? It's not specific to the current political situation, of course. I'd love to see a more obvious visible difference between "gmail.com, signed by Google" and "gmail.com, signed by Your Company's IT Department" (or of course "signed by Your Government's Secret Police").
When I add a per-site security exception for a self-signed cert, I get a black/dark-gray padlock with an overlaid yellow "warn" triangle. Would that be "too severe" for a user-installed root CA?