Closed Bug 1572936 Opened 3 years ago Closed 3 years ago

Move EV cert UI out of URL Bar

Categories

(Firefox :: Site Identity, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
Firefox 70
Tracking Status
relnote-firefox --- 70+
firefox70 --- fixed

People

(Reporter: hanno, Assigned: johannh)

References

(Blocks 1 open bug)

Details

(Keywords: parity-chrome, parity-safari)

Attachments

(1 file)

Extended Validation certificates are shown in Firefox with a special green bar in front of the address with the company name.

There's been extensive discusison in the security community about the usefulness of EV certificates. Chrome developers recently announced plans to change the indicator and move the EV information to the Page Info UI [1].

I believe Firefox should consider similar changes. Here's why:

  1. There's little evidence that EV has any usefulness in terms of security and that users understand what it's trying to communicate.

  2. The general trend in HTTPS UI has been to move away from positive security indicators and instead consider security the norm and show negative indications for insecurity. Removing special treatment for EV certificate would fall in line with that thinking.

[1] https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ

Status: NEW → RESOLVED
Closed: 3 years ago
Component: Address Bar → Site Identity and Permission Panels
Resolution: --- → DUPLICATE
Duplicate of bug: 1572389

I have seen bug #1572389, but this isn't a duplicate. That bug asks for an option to remove the EV indicator, I'm proposing to remove it (or make it the default).
The first is more a technical issue, while this is asking to consider the justification for the existence of this indicator.

Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

oops I think I filed a duplicate, I had trouble finding this https://bugzilla.mozilla.org/show_bug.cgi?id=1572989

Duplicate of this bug: 1572989
See Also: → 1218153

For disabling EV indicators by default, I did a try run and it looks to me like we don't test this UI feature? Maybe just the wrong set of tests?
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=261037535&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=706fb6a4168a91fb257f838d22bf952ee3667cde

Flags: needinfo?(jhofmann)

Yup, intent to ship is going out soon, we're just a few days behind the Chrome announcement because weekends :)

(In reply to Tom Schuster [:evilpie] from comment #5)

For disabling EV indicators by default, I did a try run and it looks to me like we don't test this UI feature? Maybe just the wrong set of tests?
https://treeherder.mozilla.org/#/jobs?repo=try&selectedJob=261037535&resultStatus=testfailed%2Cbusted%2Cexception&classifiedState=unclassified&revision=706fb6a4168a91fb257f838d22bf952ee3667cde

There's a functional-ui test failing, but I don't see any mochitest-bc, which is surprising. I'll look into it.

I'll take this bug, if you don't mind :)

Assignee: nobody → jhofmann
Status: REOPENED → ASSIGNED
Flags: needinfo?(jhofmann)
Priority: -- → P1
Summary: Consider removing EV / Extended Validation indicator for HTTPS certificates → Move EV cert UI out of URL Bar
Duplicate of this bug: 1432085
Depends on: 1572389

Apparently this didn't have any tests other than the ones in functional-ui (of which one is disabled),
but adding new ones for EV at the point where it's being disabled and eventually removed doesn't
really make sense to me.

Pushed by jhofmann@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/5b7489190e78
Flip `security.identityblock.show_extended_validation` to false to hide the ev indicators in the identity block. r=Gijs,whimboo
Status: ASSIGNED → RESOLVED
Closed: 3 years ago3 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 70
Blocks: 1218153
See Also: 1218153

Added to release notes for 70 as "The Extended Validation (EV) indicator has been moved to the identity popup that appears when clicking the lock icon" under a heading with a link to https://blog.mozilla.org/security/2019/10/15/improved-security-and-privacy-indicators-in-firefox-70/

Blocks: 1588415
Blocks: 1599729
Regressions: 1700334
See Also: → 1700334
You need to log in before you can comment on or make changes to this bug.