Closed Bug 296249 Opened 16 years ago Closed 1 year ago
Request for a secure site tray/taskbar type Notice/Advisory screen and notification icon
Just to try to clarify a bit, it sounds like what you are saying is that there should really be two different kinds of windows (both anchored by the taskbar icon). 1. The kind I described in the original post, which is a "ssl status window" that is always there when you are viewing an ssl site, and contains the security icons/info and the like. 2. What you've described - a replacement for the current popup that you get when you first install Mozilla (like the you are submitting unencrypted data alert), that would display the information in the "alert window". This would be more like the traditional "downloads finished" or "you've got mail" screens, where they pop up and fade away automatically on an event basis (is that right?). This sounds perfectly reasonable in line with your summary thought (good for consistency and making it easy to turn off alerts). I would add that these two windows should look and behave slightly differently, for example the alert window should show up and then timeout like the downloads complete window, while the ssl status window should stay there for the duration of a visit to a secure site, and should contain a (tiny) "hide me" button. Both windows should contain the easy to read information, and the security threat level icons (only the ssl status window would ever get the all green status I suppose). The concern with the alert window is that it could overload the user, and then they will simply ignore it as an annoyance. I think it's important to think about how much security is too much security in this context. We should consider what is really needed, and make sure that what is eventually presented to the user is very easy to understand. It's important to consider whether or not to add each alert window feature, such as the phishing url detection. Something like that would have to be accurate, or you will be warning people about sites that are perfectly fine, which would cause annoyance.
In other words, we should take care before adding new messages to this box, to make sure they represent real threats, are accurate and are free from jargon. Some questions on implementation: What if you have multiple windows/tabs visiting secure sites? Do you just get stacked ssl status windows, and multiple taskbar icons? What happens when you switch back and forth? For the alert windows, how do you handle situations that require user interaction (like allowing/disallowing submitting unencrypted information - alerts that ask, "would you like to continue")?
Kevin, I see what you're getting at (it appears I interpreted your orig idea in a whole different way perhaps), but NO, I'm not suggesting another window. In fact I'm suggesting consolidation of notify methods, into one (while possibly leaving all the other spread out ones as-is). In fact I think your suggestion of creating another window that only applied to SSL would further confuse people, because it would be the 4th or 5th, separate security tool. The way you interpreted it, as a scroll-away (like the 'downloads complete' or 'you have mail' widgets), is correct, though depending on whether user input is needed, it could hang-around like an alert, until user input - or the users could pick a 'next time show me but accept' option (the fact that it can contain forms allows for this in a very extensible way). However I don't think this should be assumed to be an alert. Alerts (and Confirms) by their nature are far more invasive (pop-up screen-center and require confirmation), and users (even total newbies) *will* eventually permanently dismiss them because they are unbearable, or they are 'told' to - and so WILL eventually miss an important flag. In other words, alerts are in DESPERATE need of replacement. They are currently completely useless (permanently dismissed), or always present and annoying (less a hack on about:config) (example being bookmarks containing valid username:password@hostname URLs). In your closing questions, you used the term 'status window' and 'alert' - I presume you meant 'notify' window? In the case of multiple tabs, that's the beauty of the widget; it can present dynamic, bulleted lists of items to flag, and yet be verbose like 'Tab one(1) (bankone.com) is redirecting to a non-trusted SSL site (www.my-spoof.com)' or 'The link you just clicked is attempting to open a user:pass@host format web address which belongs to 'phisher.net' - this could be an attempt to trick you (optional confirm dialog)'.
If you feel that what I'm proposing is too radically different from your original concept (it may indeed be so), then I could write a separate RFE. What do you think?
I suspect this RFE is obsoleted by the so-called "awesome bar".
Oops, I mean by, er, what's his name again? Larry I think.
Yeah, I'd agree that Larry provides a similar thing for some of the same reasons. I wonder if Kevin is still active in bugzilla and has an opinion on the subject?
Wow, this is old :-) I don't have time to go over the specifics, but the original idea was in response to the fact that you can open a popup and create the chrome that mimics the full browser UI to fool someone into thinking they are looking at the original website. I'm not sure that specific problem still exists, since you can no longer turn off the location bar in popups, etc. The awesomebar (or whatever) does provide a nice bright badge for users to look for, and I think it really now falls to the site operators to educate their users about what to look for when conducting online transactions. The core of the problem remains the same - users are not always (usually even) savvy enough to know when they are on a secure connection, let alone when they are on a secure connection that points at the right server (or even that they should be on a secure section). I really think the idea here is that website operators should ultimately be accountable for helping their customers know how to spot a spoof/scam, and to make sure they are starting from a secure connection (http://www.sharebuilder.com has a login form right on the unsecured homepage - security is only an option!). There is only so much the browser makers can be responsible for, but the one feature mentioned above that I'd still like to see is some kind of Avast! or Thunderbird like notification area popup/trayicon that comes up with more information when the user connects to a site with a newer SSL cert. That animated notice can't be faked using browser technology, is easy to notice, and would give site operators something to inform their users to look for.
So, this RFE is really a request for an unspoofable and highly noticeable indicator for being "in secure mode", and it suggests use of the taskbar (on Windows) for this purpose. I agree with the need for an unspoofable and highly noticeable indicator for being "in secure mode". IMO, Firefox 3 currently does poorly at this. There have been messages in various newsgroups where users complain that FF3 has no secure mode indicator AT ALL, because they can't/don't find/see one that they understand to have that meaning. Larry doesn't appear unless you mouse over a certain area. Users need something whose presence and meaning is blatantly obvious (unlike the mere color of a few pixels surrounding the favicon) and in a place where they're likely to see it. History teaches that the lower right hand corner of the window (in the status bar) is not such a place, even if the lock icon is (by now) pretty obvious. The big problem yet to be overcome is to get an indicator that will be more attractive and more convincing to users than lock icons in the window content. Studies continue to show that users look in the page content rather than in the chrome for security indicators. I think FF can eventually overcome that by supplying something attractive and convincing in top chrome, but I continue to think the favicon background color doesn't meet that requirement. It will take a long time to train users, so we need to get started right away. I think it would be good if browsers could agree on a strategy to solve that problem, but I don't think FF3 should wait for that.
There is a new more noticeable security notification in Firefox 3.0 which I really think does a decent job of increasing communication to the user that they are on a secure site - it requires a newer version of an SSL certificate. You can see an example of that on sharebuilder (https://www.sharebuilder.com/). I would say that I'm not sure that goes far enough though, and that can still be spoofed (even if that means a double location bar - many users would not notice that, or understand why that could be a problem). I think from a UI perspective, you are right, users will tend to only notice what is in the window, but I wonder if there is an exception. Motion can be used to draw attention - the human brain is able to pick up motion more readily than it is to recognize shapes and colors, and is likely to track the users' attention to motion when they catch it even in peripheral vision. That's why blinking task bar buttons and new mail notifications tend to catch your attention when applications utilize those features. If adding a moving alert box to the notification area is considered overkill (or perhaps could be seen as easy to ignore, due to over utilization from other apps - I have no data on users' reaction to that specific use case and users' responses to it) then simply adding some motion or throbbing to the current area might be enough. The reason I personally would still prefer the tray icon and notification area animation is that those things are impossible to spoof from within the browser, while even an SSL throbber or other animation is easy to reproduce with a gif and/or HTML effects (even if it's not perfect).
This hasn't been discussed since FF 3.0, so I may as well ask - has this been resolved with the "new" lock icon and HTTPS info screen in more recent versions?
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME