Closed Bug 288693 Opened 20 years ago Closed 12 years ago

Warn on low security SSL sites

Categories

(Core Graveyard :: Security: UI, enhancement)

x86
Windows XP
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 799007

People

(Reporter: bugzilla1, Unassigned)

Details

When visiting 'secure' sites that use outdated encryption, Firefox/Thunderbird
should give a big ugly warning about the dangers of submitting information to
this site.

For reference: the latest Opera 8 beta does this and displays the message

'This site is using an outdated encryption method currently classified as
insecure. It cannot sufficiently protect sensitive data. Do you wish to continue?'

In Opera, the message must be OKed/cancelled *before the site is even rendered*

My personal preference would be a dialog with a delayed OK button (like
XPInstall) to force people to read it.

(URL is to an Opera forum thread discussing this)
Flags: blocking-aviary1.1?
Just FYI, delayed OK buttons are not about forcing people to read the dialog.

We should roll this idea into our thinking about how to change the SSL UI, but
it's not a 1.1 blocker.

Gerv
Flags: blocking-aviary1.1?
This bug depends on bug 62178, which is about being able to cancel a transition
between secure and insecure sites.
 
Depends on: 62178
While we still need bug 62178 to address Gerv's point that canceling is
currently not possible, I just remembered we already have this "low security
warning" feature!

In SSL prefs there is a checkbox to enable low grade encryption warnings.

However, the barrier between low grade and high grade encryption is currently
set to be at 90 encryption bits.

See security/manager/ssl/src/nsNSSCallbacks.cpp in HandshakeCallback.

Nelson, do you think this barrier should be changed?
What value would you suggest?
FWIW, my current thinking is that sites with poor encryption should be treated
as if they were plain HTTP in terms of the UI.

Gerv
Kai, Good to hear from you again.
90 bits seems like a good threshold to me.
QA Contact: ui
This was fixed in bug 236933, was it not?
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard