Closed Bug 1549605 Opened 7 months ago Closed 6 months ago

Add an indicator in the identity popup for when the site is verified by an imported root certificate

Categories: Firefox :: Site Identity, enhancement, P1
Status: RESOLVED FIXED
Target Milestone: Firefox 68
Tracking Status: firefox68 --- fixed
People: Reporter: johannh, Assigned: johannh
Attachments: 3 files

We are planning to enable automatically importing custom root certificates from the OS store if it would fix a MitM error. To give the user more visibility into whether an imported issuer is verifying their connection security, we want to add a new message in the identity popup.

Unfortunately, writing tests for this isn't really supported by our infrastructure AFAICT. The feature is simple enough that I can live with that.

Betsy, Wayne, we're about a week away from string freeze, so as mentioned on Slack I just made up my own copy for this and would love to get feedback:

The connection to this page has been verified by a third party that is not known to Firefox.

and

This certificate issuer is not known to Firefox. It could be a software on your computer or network.

(See screenshots above)

It would be great if both of you could briefly either sign it off or make suggestions for improvement. I'm happy to answer any questions you might have.

Thank you!

Flags: needinfo?(wthayer)
Flags: needinfo?(bmikel)

(In reply to Johann Hofmann [:johannh] from comment #4)

> Unfortunately, writing tests for this isn't really supported by our infrastructure AFAICT. The feature is simple enough that I can live with that.

Ok, backtracking on this, try just made me realize that this indicator will in fact be shown on literally all our https test pages because our test roots are also not treated as built-in. Since this is an identity popup only thing that's probably fine, the number of failing tests is quite low (seems to be only one about focus order).

So I'll fix that test up and add a small new one for the feature, then we should be good to go.

(In reply to Johann Hofmann [:johannh] from comment #5)

> Betsy, Wayne, we're about a week away from string freeze, so as mentioned on Slack I just made up my own copy for this and would love to get feedback:
>
> The connection to this page has been verified by a third party that is not known to Firefox.
>
> and
>
> This certificate issuer is not known to Firefox. It could be a software on your computer or network.
>
> (See screenshots above)
>
> It would be great if both of you could briefly either sign it off or make suggestions for improvement. I'm happy to answer any questions you might have.
>
> Thank you!

Drive-by English review: "a software" is "wrong" in the sense that generally "software" is an uncountable noun[1] - it's analogous to hardware and it wouldn't feel right to say "a hardware". Suggestions: "software", "a piece of software", "other software", etc. - but I'll stop there with my drive-by.

[1] https://english.stackexchange.com/questions/12990/why-dont-we-use-the-indefinite-article-with-software

Ok, thanks, we can just drop the "a", I think.

My opinion is that we'd be better off with a statement aimed at a more technical user, such as:

Firefox imported this trust anchor from your operating system.

My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".

Flags: needinfo?(wthayer)

(In reply to Wayne Thayer [:wayne] from comment #9)

> My opinion is that we'd be better off with a statement aimed at a more technical user, such as:
>
> Firefox imported this trust anchor from your operating system.

We don't know this for sure, we just know that it was imported by someone. We're not storing information on who imported it, exactly.

> My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".

Why? :)

(In reply to Johann Hofmann [:johannh] from comment #10)

> (In reply to Wayne Thayer [:wayne] from comment #9)
>
> > My opinion is that we'd be better off with a statement aimed at a more technical user, such as:
> >
> > Firefox imported this trust anchor from your operating system.
>
> We don't know this for sure, we just know that it was imported by someone. We're not storing information on who imported it, exactly.

Okay, that makes sense.

> > My thinking is that most users won't understand the message, but those who care will be confused by "It could be software on your computer or network".
>
> Why? :)

The connection between an unknown issuer and software on my computer isn't obvious. My first thought would be malware (which is of course a possibility). Also, I don't make the connection between "software on my network" and a MitM proxy.

How about:

'This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator'

Ok, that sounds like a good wording to me, so, just to avoid misunderstandings, the full set of strings would be:

The connection to this page has been verified by a third party that is not known to Firefox.

(stays the same?)

and

This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator.

Yes, I am satisfied with both of those. Hopefully "not native to Firefox" is a phrase that is not too difficult to translate.

The "not native" in the second string strikes me as odd, but the following sentence clears it up.

The first string sounds dangerously close to "unknown issuer". Folks might wonder if it's not known to us (implied "at all") then why did we accept the connection? And technically the issuer is "known" to Firefox (by virtue of being installed locally), it's just not known by Mozilla. Maybe "built into Firefox" would be better for both strings?

If we go that way (either "known to Mozilla" or "built into Firefox") then there's the edge case of having an alternate PKCS11 module. Those aren't known by Mozilla or "built in", but they won't count as individually-installed MITM roots either. Then again, people who have those probably won't see this string and won't be bothered. Do we have telemetry on the use of pkcs11 modules? Even if we do we may not trust the numbers because I would expect it to be most common in enterprise settings which have a higher rate of turning off telemetry.

Welcome to the bikeshed! :)

(In reply to Daniel Veditz [:dveditz] from comment #14)

> The "not native" in the second string strikes me as odd, but the following sentence clears it up.

I agree that "native" feels odd in that context.

> The first string sounds dangerously close to "unknown issuer". Folks might wonder if it's not known to us (implied "at all") then why did we accept the connection? And technically the issuer is "known" to Firefox (by virtue of being installed locally), it's just not known by Mozilla. Maybe "built into Firefox" would be better for both strings?

Yeah, when I write "not known to Firefox" I really mean "the makers of Firefox" so I wouldn't mind writing "not known to Mozilla" or "not built into Firefox". Or maybe "not integrated into Firefox"?

> If we go that way (either "known to Mozilla" or "built into Firefox") then there's the edge case of having an alternate PKCS11 module. Those aren't known by Mozilla or "built in", but they won't count as individually-installed MITM roots either. Then again, people who have those probably won't see this string and won't be bothered. Do we have telemetry on the use of pkcs11 modules? Even if we do we may not trust the numbers because I would expect it to be most common in enterprise settings which have a higher rate of turning off telemetry.

Right, my gut feeling says we can safely disregard that for now and fix this edge case if it ever comes up. The important thing to remember is also that this is a secondary UI warning which can easily be ignored.

I'll ping Betsy as we should really land this week...

Hi Johann - Betsy and I just chatted about this. How does this work?

This connection has been verified by a certificate issuer that is not native to Firefox.

Firefox has trusted this certificate. It may have been imported from your operating system or added by an administrator.

Thanks Michelle, just to make sure we're on the same page: there are two pieces of copy here, one on the first panel of the identity popup (see comment 2) and the other on the sub-panel (see comment 3). The copy you provided in comment 16 looks like it's meant for the sub-panel. Do you think the proposed text for the main panel (The connection to this page has been verified by a third party that is not known to Firefox.) is fine then? :)

Flags: needinfo?(mheubusch)

No - I meant for this sentence to be on the main panel: This connection has been verified by a certificate issuer that is not native to Firefox.

"not known" seems sketchy - I changed it to "not native" because it seems to be more descriptive and may raise fewer questions.

Flags: needinfo?(mheubusch)

Thanks! I'm going to assume that "Firefox has trusted this certificate. It may have been imported from your operating system or added by an administrator." is supposed to mean "Firefox has trusted this certificate issuer. It may have been imported from your operating system or added by an administrator."

I don't really see any reason to include the trust part, though. It strikes me as odd in the visual context shown in comment 3. There needs to be some form of warning. Can we settle on:

This connection has been verified by a certificate issuer that is not native to Firefox.

and

This certificate issuer is not native to Firefox. It may have been imported from your operating system or added by an administrator.

I still kind of dislike the word "native", but I would take it as a compromise.

I'll land this tonight unless anyone wants to veto.

Thoughts?

The text in comment 2 is too long IMO.

Secure Connection
⚠ Not trusted by Mozilla. Local exception found.

Verified by: Snake Oil
⚠ This certificate issuer is not trusted by default. It may have been imported from your operating system or added by an administrator. Learn more

(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #20)

> The text in comment 2 is too long IMO.
>
> Secure Connection
> ⚠ Not trusted by Mozilla. Local exception found.
>
> Verified by: Snake Oil
> ⚠ This certificate issuer is not trusted by default. It may have been imported from your operating system or added by an administrator. Learn more

Yeah, I somewhat agree but this is difficult to get perfectly right. "Trust" is a complicated and overloaded term in PKI that I would personally like to avoid.

Ok, I talked with Michelle for a while and we settled on the following strings for landing in 68:

Connection verified by a certificate issuer that is not recognized by Mozilla.

and

Mozilla does not recognize this certificate issuer. It may have been added from your operating system or by an administrator. [Learn More]

If anyone has strong feelings about this we can still talk about it more later, but for now I'm making the call on landing this before we miss merge day.

Flags: needinfo?(bmikel)
Attachment #9063088 - Attachment description: Bug 1549605 - Add an indicator in the identity popup for when the site is verified by an imported root certificate. r=nhnt11,keeler → Bug 1549605 - Add an indicator in the identity popup for when the site is verified by an imported root certificate. r=nhnt11
Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/56f2b4cb0818
Add an indicator in the identity popup for when the site is verified by an imported root certificate. r=nhnt11
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 68
See Also: → 1567114

I know this already went live, but in light of #1567114, has there been any thought given to whether the "secure" indicator (green padlock) should be given a different appearance? It's not specific to the current political situation, of course. I'd love to see a more obvious visible difference between "gmail.com, signed by Google" and "gmail.com, signed by Your Company's IT Department" (or of course "signed by Your Government's Secret Police").

When I add a per-site security exception for a self-signed cert, I get a black/dark-gray padlock with an overlaid yellow "warn" triangle. Would that be "too severe" for a user-installed root CA?
