Closed Bug 296249 Opened 16 years ago Closed 1 year ago

Request for a secure site tray/taskbar type Notice/Advisory screen and notification icon.

Categories

(Firefox :: Security, enhancement)

x86
Windows XP
enhancement
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: CaptainN, Unassigned)

Details

(Whiteboard: WONTFIX?)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

The idea is to create an unspoofable tool for users and developers to point to
to see important security information. I have created a detailed suggestion
below. Everything in here is up for discussion, this is just what I came up with.

When visiting a secure site, Mozilla would display a small “chromeless” window
next to the taskbar area (like Firefox's downloads complete window or
Thunderbird's “You have mail” screen) and be anchored to the taskbar with a
notification icon. It should not be possible to turn this off easily (bury the
setting in the advanced screens in options, or better yet, have it only be
turned off by setting a value in about:config). It shouldn't be possible to turn
off the icon, just the Notice/Advisory screen.

By adding this window and notification area icon, we make the security
information unspoofable, since neither HTML/JavaScript nor XUL has access to
those OS specific features (at least I think they don't). For further security,
it should not be possible for extensions to modify this feature (though I
understand that they can pretty much access the whole system after they've been
installed.)

This window would contain security relevant information and should only be
displayed when the user is visiting a secure site. It should not appear any
other time. We want the user to get used to the window and learn to see it as a
warm security blanket, and not as an annoyance, which overuse would surely do.
It should contain only basic information, we don't want to overload the user
with “pompous jargon”. Here are my suggestions for contents:

1. The current domain the user is visiting (perhaps not the whole url) and if it
doesn't match the certificate, the url listed in the certificate.

2. The referring page. This would be useful for secure sites that are not hosted
on the same server or domain as the site they are linked from
(https://bugzilla.mozilla.org/show_bug.cgi?id=22183#c263) 

3. A security rating icon and possibly an appropriate background color (ex. red
for unsecure). 

4. A (tiny) button that hides the Notice/Advisory window, but not the
notification icon – it shouldn't be possible to turn off the icon. 

5. A “more information” button, that would contain more information about the
site you are visiting and the Notification feature. The information in this more
information window should be human readable – it shouldn't just be the Security
tab on the Page Info dialog.

6. In the case when there are severe security updates available (like we've seen
recently with the minor Aviary releases), the availability of the update could
be listed in this window.


This feature would provide a proactive marketable security feature for Mozilla.
It would become a security blanket that no other browser has or has offered, and
could be a significant selling point to help spread Firefox, and increase user
base. It would be the first time that a browser would be completely upfront
about real security risks and do so in a clear and honest way. The status bar
and location bar changes are only effective for the technically savvy who
already know what they mean, and they limit the flexibility of those features
for web developers.

This feature request comes with a bit of a history which can be found in bug #22183.

This bug is intended to be a discussion of the specifics of this feature. Its
goal is to come up with the design of this feature to be implemented. Any
implementation of this bug, or its parts, should be in a separate bug report.

Reproducible: Always

Steps to Reproduce:

(In reply to comment #0)
> When visiting a secure site, Mozilla would display a small “chromeless” 

I would vote for having this displayed under *any* suspicious or risky security
condition, including but not limited to SSL. This would give the user a feeling
of having a catch all, security centric widget (à la "watchdog") that they know
where to look for.

However each security item could be checked as 'do not show this again', so
that users can elect which items concern them (typically based on their
experience level).

Some other assorted example contexts when this can be displayed (picked at random):

-User loads a secure site but trust is established based on a previously
imported, non-standard root-ca.
-A Phishing style URL is passed to the application by either an external app, or
internal link. 
-User submits form data from secure site to non-secure site.
-Content rating advisories
-A user loads a page with plugins that may not be trusted/signed, like media
players, flash, java applet (all of which are now being used to gather users
stats because of their privileged-operations)

Many or all of the current 'alert' situations could be mirrored in the proposed
'Notice/Advisory' screen, but have separate checkboxes (one for the Notice box,
another for the Alert) - this allows users to flat-out opt to not see the
alert-based ones (being more annoying and their trigger normally is
false-positive based), yet still see the advisory in the Notice box.

I believe an important distinction about this tool is that it fits into what is,
in modern applications, being called a 'Notice' or 'Advisory' widget. This is
NOT (and cannot be) the same as the status bar, because:

-The status bar is static and not attention-grabbing.
-The status bar does not raise focus for time delayed events
(javascript:setTimeout); the notify widget does this even when another app has
focus.
-The status bar reports other, benign information and so is not a focal-element
for advisory information (instead it's general purpose)
-The status bar cannot contain lists of items
-The status bar cannot contain controls (radio, checkbox, etc.) or 'what's this'
helper/explanatory links, to change which items are seen, nor can it contain
complex HTML styles (colorizations, bullets, tables).

> other time. We want the user to get used to the window and learn to see it as a
> warm security blanket, and not as an annoyance, which overuse would surely do.

I take exception to this - the newbie users, especially, need to have an
advisory 'friend' offering all the advice it can - they can then elect to not
see specific items (or groups-of) only when they feel comfortable with the
semantics of the web and a browser. In fact initially having a full degree of
verbosity will instill trust and confidence. On the other hand a partial display
of information would mislead the user about if (and where) a discrepancy can be
expected to be caught, or, the widget would have to somehow indicate 'I only
work for SSL sites'.

> 6. In the case when there are severe security updates available (like we've seen

Excellent example!!

My summary thought - this RFE implementation should present all potential
security information, until the user opts out. Right now, security advisories
are spread out over several different presentation areas in the app, and there
is no single place to expect advisories - this complicates the learning process
for new users, is error prone (too many permanent dismissals of alert dialogs
because of annoyance factor). A centralized 'Advisory' widget is also becoming a
de facto part of modern contextual/"zone" GUI applications, and is arguably
fully *mandatory* in secure applications.

Just to try to clarify a bit, it sounds like what you are saying is that there
should really be two different kinds of windows (both anchored by the taskbar icon).

1. The kind I described in the original post, which is a "ssl status window"
that is always there when you are viewing an ssl site, and contains the security
icons/info and the like.

2. What you've described - a replacement for the current popup that you get when
you first install Mozilla (like the you are submitting unencrypted data alert),
that would display the information in the "alert window". This would be more
like the traditional "downloads finished" or "you've got mail" screens, where
they pop up and fade away automatically on an event basis (is that right?).

This sounds perfectly reasonable in line with your summary thought (good for
consistency and making it easy to turn off alerts). I would add that these two
windows should look and behave slightly differently, for example the alert
window should show up and then timeout like the downloads complete window, while
the ssl status window should stay there for the duration of a visit to a secure
site, and should contain a (tiny) "hide me" button. Both windows should contain
the easy to read information, and the security threat level icons (only the ssl
status window would ever get the all green status I suppose).

The concern with the alert window is that it could overload the user, and then
they will simply ignore it as an annoyance. I think it's important to think
about how much security is too much security in this context. We should consider
what is really needed, and make sure that what is eventually presented to the
user is very easy to understand.

It's important to consider whether or not to add each alert window feature, such
as the phishing url detection. Something like that would have to be accurate, or
you will be warning people about sites that are perfectly fine, which would
cause annoyance. In other words, we should take care before adding new messages
to this box, to make sure they represent real threats, are accurate and are free
from jargon.



Some questions on implementation:

What if you have multiple windows/tabs visiting secure sites? Do you just get
stacked ssl status windows, and multiple taskbar icons? What happens when you
switch back and forth?

For the alert windows, how do you handle situations that require user
interaction (like allowing/disallowing submitting unencrypted information -
alerts that ask, "would you like to continue")?

Kevin,

I see what you're getting at (it appears I interpreted your orig idea in a whole
different way perhaps), but NO, I'm not suggesting another window. In fact I'm
suggesting consolidation of notify methods, into one (while possibly leaving all
the other spread out ones as-is). In fact I think your suggestion of creating
another window that only applied to SSL would further confuse people, because it
would be the 4th or 5th, separate security tool.

The way you interpreted it, as a scroll-away (like the 'downloads complete' or
'you have mail' widgets), is correct, though depending on whether user input is
needed, it could hang-around like an alert, until user input - or the users
could pick a 'next time show me but accept' option (the fact that it can contain
forms allows for this in a very extensible way).

However I don't think this should be assumed to be an alert. Alerts (and
Confirms) by their nature are far more invasive (pop-up screen-center and
require confirmation), and users (even total newbies) *will* eventually
permanently dismiss them because they are unbearable, or they are 'told' to - and
so WILL eventually miss an important flag. In other words, alerts are in
DESPERATE need of replacement. They are currently completely useless (permanently
dismissed), or always present and annoying (less a hack on about:config)
(example being bookmarks containing valid username:password@hostname URLs)

In your closing questions, you used the term 'status window' and 'alert' - I
presume you meant 'notify' window? In the case of multiple tabs, that's the
beauty of the widget; it can present dynamic, bulleted lists of items to flag,
and yet be verbose like 'Tab one(1) (bankone.com) is redirecting to a
non-trusted SSL site (www.my-spoof.com)' or 'The link you just clicked is
attempting to open a user:pass@host format web address which belongs to
'phisher.net' - this could be an attempt to trick you (optional confirm dialog)'.

If you feel that what I'm proposing is too radically different from your
original concept (it may indeed be so), then I could write a separate RFE. What
do you think?

I suspect this RFE is obsoleted by the so-called "awesome bar".
Whiteboard: WONTFIX?

Oops, I mean by, er, what's his name again? Larry I think.

Yeah, I'd agree that Larry provides a similar thing for some of the same reasons.  I wonder if Kevin is still active in bugzilla and has an opinion on the subject?

Wow, this is old :-)

I don't have time to go over the specifics, but the original idea was in response to the fact that you can open a popup and create the chrome that mimics the full browser UI to fool someone into thinking they are looking at the original website.

I'm not sure that specific problem still exists, since you can no longer turn off the location bar in popups, etc.

The awesomebar (or whatever) does provide a nice bright badge for users to look for, and I think it really now falls to the site operators to educate their users about what to look for when conducting online transactions.

The core of the problem remains the same - users are not always (usually even) savvy enough to know when they are on a secure connection, let alone when they are on a secure connection that points at the right server (or even that they should be on a secure section).

I really think the idea here is that website operators should ultimately be accountable for helping their customers know how to spot a spoof/scam, and to make sure they are starting from a secure connection (http://www.sharebuilder.com has a login form right on the unsecured homepage - security is only an option!).

There is only so much the browser makers can be responsible for, but the one feature mentioned above that I'd still like to see is some kind of Avast! or Thunderbird like notification area popup/trayicon that comes up with more information when the user connects to a site with a newer SSL cert. That animated notice can't be faked using browser technology, is easy to notice, and would give site operators something to inform their users to look for.

So, this RFE is really a request for an unspoofable and highly noticeable indicator for being "in secure mode", and it suggests use of the taskbar
(on Windows) for this purpose.

I agree with the need for an unspoofable and highly noticeable indicator for being "in secure mode".  IMO, Firefox 3 currently does poorly at this.
There have been messages in various newsgroups where users complain that FF3 
has no secure mode indicator AT ALL, because they can't/don't find/see one 
that they understand to have that meaning.

Larry doesn't appear unless you mouse over a certain area.  Users need 
something whose presence and meaning is blatantly obvious (unlike the mere 
color of a few pixels surrounding the favicon) and in a place where they're 
likely to see it.  History teaches that the lower right hand corner of the
window (in the status bar) is not such a place, even if the lock icon is
(by now) pretty obvious.  

The big problem yet to be overcome is to get an indicator that will be more
attractive and more convincing to users than lock icons in the window content.
Studies continue to show that users look in the page content rather than in 
the chrome for security indicators. I think FF can eventually overcome that
by supplying something attractive and convincing in top chrome, but I 
continue to think the favicon background color doesn't meet that requirement.

It will take a long time to train users, so we need to get started right away.
I think it would be good if browsers could agree on a strategy to solve that
problem, but I don't think FF3 should wait for that.

There is a new more noticeable security notification in Firefox 3.0 which I really think does a decent job of increasing communicating to the user that they are on a secure site - it requires a newer version of an SSL certificate. You can see an example of that on sharebuilder: https://www.sharebuilder.com/. I would say that I'm not sure that goes far enough though, and that can still be spoofed (even if that means a double location bar - many users would not notice that, or understand why that could be a problem).

I think from a UI perspective, you are right, users will tend to only notice what is in the window, but I wonder if there is an exception. Motion can be used to draw attention - the human brain is able to pick up motion more readily than it is to recognize shapes and colors, and is likely to track the users' attention to motion when they catch it even in peripheral vision. That's why blinking task bar buttons and new mail notifications tend to catch your attention when applications utilize those features.

If adding a moving alert box to the notification area is considered overkill (or perhaps could be seen as easy to ignore, due to over utilization from other apps - I have no data on users' reaction to that specific use case and users' responses to it) then simply adding some motion or throbbing to the current area might be enough.

The reason I personally would still prefer the tray icon and notification area animation is that those things are impossible to spoof from within the browser, while even an SSL throbber or other animation is easy to reproduce with a gif and/or HTML effects (even if it's not perfect).

This hasn't been discussed since FF 3.0, so I may as well ask: has this been resolved with the "new" lock icon and HTTPS info screen in more recent versions?
Status: UNCONFIRMED → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME