Identify extended validation (high assurance) https sites (maybe turn address bar green)

RESOLVED DUPLICATE of bug 383183

Status

()

Firefox
Security
--
enhancement
RESOLVED DUPLICATE of bug 383183
11 years ago
10 years ago

People

(Reporter: Collin Jackson, Assigned: gerv)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(3 attachments)

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1

Internet Explorer 7 has a feature that identifies "extended validation" (also known as "high assurance") certificates, which have been more thoroughly vetted by certificate authorities than regular certificates. The exact way to integrate this information with Firefox's browser chrome may still be under debate, but it would be nice to recognize when an extended validation certificate is encountered and provide the user with some way to know that an extended validation site has occurred. On the "Security" tab of "Page Info" would be a good place to start.

Reproducible: Always

Steps to Reproduce:
1. Install Microsoft Testing Root Certificate Authority certificate
(http://crypto.stanford.edu/~collinj/testingroot.cer)
3. Visit https://www.woodgrovebank.com/

Actual Results:  
Address bar turns yellow with lock icon. Nothing particularly unusual is shown if you click on the lock icon.

Expected Results:  
Address bar turns green (maybe) and organization name (and possibly CA identity) from certificate is displayed. Or, if that's too radical of a change, at least show some information about the fact that extended validation is present when you click the lock icon.

You can also get the Microsoft Testing Root Certificate Authority certificate here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0742AE7E-6E7F-47D3-8327-E20D94AF2794&displaylang=en

If you install it using that tool, you'll need to export it to Firefox using the certificates snap-in in the Microsoft Management Console (C:\WINDOWS\system32\mmc.exe).

More information about extended validation certificates:

http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
I think we've got this one somewhere already. We probably aren't going to turn the address bar green, but the actual UI plan has yet to be finalized.
Assignee: nobody → gerv
(Reporter)

Updated

11 years ago
Summary: Turn address bar green for extended validation (high assurance) https sites → Identify extended validation (high assurance) https sites (maybe turn address bar green)
(Assignee)

Comment 2

11 years ago
I don't think this bug is a duplicate.

The exact UI will depend on a lot of things - not least of which is whether we just expose this as-is, or we incorporate the information into some greater "site trust" metric which uses other data sources to help make the decision. I know some people favour that idea.

Gerv

Comment 3

11 years ago
Reported here : <http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/>. Mostly FUD obviously.

Is there a NSS bug for extended validation SSL ?

Comment 4

11 years ago
More information on EV SSL at http://www.cabforum.org/.  

EV capabilities (i.e., the "green bar" and "enhanced security report") are expected to be turned on in IE7 by February 2007, and Opera has expressed its intention to add EV "when it's ready" (see http://labs.opera.com/news/2006/10/09/).

EV-approved CAs (ie CAs who have passed the WebTrust for CA's EV readiness audit for complaince with the EV Guidelines) have begun pre-selling the EV certs.

Updated

10 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated

10 years ago
Depends on: 374336

Comment 5

10 years ago
Created attachment 259216 [details]
light green vs. light yellow / entire urlbar vs. security bar only (plus IE7 & Opera solutions)

Updated

10 years ago
OS: Windows XP → All
Hardware: PC → All
Version: unspecified → Trunk
For people with red-green color blindness (~20% of caucasian males),
there is effectively NO DIFFERENCE between the green and yellow colors 
shown in the attached sample image, except when spatially juxtaposed.  
A difference can be seen when the two colors are juxtaposed, but the 
two are indistinguishable when seen separately from the other.  To be 
differentiable when not juxtaposed, two colors must differ significantly 
from each other in luminance, or be rather highly saturated and differ
significantly in hue (e.g. at least 30 degrees).  

Let me suggest #F6F87C and #6EDC6E for more obviously different 
yellow and green values.

Comment 7

10 years ago
Created attachment 259258 [details]
non-EV case

Comment 8

10 years ago
Created attachment 259260 [details]
#F6F87C / #6EDC6E

Updated

10 years ago
Attachment #259216 - Attachment description: green vs. yellow / entire urlbar vs. security bar only → light green vs. light yellow / entire urlbar vs. security bar only (plus IE7 & Opera solutions)

Comment 9

10 years ago
Implemented the IE functionality via an add-on: https://addons.mozilla.org/en-US/firefox/addon/4828

It would be easy enough to change the colour in the add-on CSS.
On what platforms does this extension work?  Vista?  WinXP?  Mac OS/X? Linux?
(In reply to comment #10)
> On what platforms does this extension work?  Vista?  WinXP?  Mac OS/X? Linux?

All.
This feature is now a FF3 PRD line item (SPI-001b) being tracked in bug 383183.  Some of these mockups are pretty sharp, I'd be interested to get impressions of the current test extension over in bug 383183.
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 383183
You need to log in before you can comment on or make changes to this bug.