Move EV cert UI out of URL Bar
Categories
(Firefox :: Site Identity, enhancement, P1)
Tracking
()
People
(Reporter: hanno, Assigned: johannh)
References
(Blocks 1 open bug)
Details
(Keywords: parity-chrome, parity-safari)
Attachments
(1 file)
Extended Validation certificates are shown in Firefox with a special green bar in front of the address with the company name.
There's been extensive discusison in the security community about the usefulness of EV certificates. Chrome developers recently announced plans to change the indicator and move the EV information to the Page Info UI [1].
I believe Firefox should consider similar changes. Here's why:
-
There's little evidence that EV has any usefulness in terms of security and that users understand what it's trying to communicate.
-
The general trend in HTTPS UI has been to move away from positive security indicators and instead consider security the norm and show negative indications for insecurity. Removing special treatment for EV certificate would fall in line with that thinking.
[1] https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ
|
||
Updated•5 years ago
|
|
Reporter | |
Comment 2•5 years ago
|
||
I have seen bug #1572389, but this isn't a duplicate. That bug asks for an option to remove the EV indicator, I'm proposing to remove it (or make it the default).
The first is more a technical issue, while this is asking to consider the justification for the existence of this indicator.
|
||
Updated•5 years ago
|
oops I think I filed a duplicate, I had trouble finding this https://bugzilla.mozilla.org/show_bug.cgi?id=1572989
|
||
Updated•5 years ago
|
|
||
Comment 5•5 years ago
|
||
For disabling EV indicators by default, I did a try run and it looks to me like we don't test this UI feature? Maybe just the wrong set of tests?
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=261037535&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=706fb6a4168a91fb257f838d22bf952ee3667cde
|
Assignee | |
Comment 6•5 years ago
|
||
Yup, intent to ship is going out soon, we're just a few days behind the Chrome announcement because weekends :)
(In reply to Tom Schuster [:evilpie] from comment #5)
For disabling EV indicators by default, I did a try run and it looks to me like we don't test this UI feature? Maybe just the wrong set of tests?
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=261037535&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=706fb6a4168a91fb257f838d22bf952ee3667cde
There's a functional-ui test failing, but I don't see any mochitest-bc, which is surprising. I'll look into it.
I'll take this bug, if you don't mind :)
|
|
Assignee | |
Comment 8•5 years ago
|
||
|
|
Assignee | |
Comment 9•5 years ago
|
||
Apparently this didn't have any tests other than the ones in functional-ui (of which one is disabled),
but adding new ones for EV at the point where it's being disabled and eventually removed doesn't
really make sense to me.
|
||
Comment 10•5 years ago
|
||
Pushed by jhofmann@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5b7489190e78 Flip `security.identityblock.show_extended_validation` to false to hide the ev indicators in the identity block. r=Gijs,whimboo
|
||
Comment 11•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
||
Comment 12•5 years ago
|
||
Added to release notes for 70 as "The Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon" under a heading with a link to https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/
Description
•