Bug 348677 - Identify extended validation (high assurance) https sites (maybe turn address bar green)
Status: RESOLVED DUPLICATE of bug 383183
Product: Firefox
Classification: Client Software
Component: Security
Version: Trunk
Platform: All All
Importance: -- enhancement
Assigned To: Gervase Markham [:gerv]
URL: https://www.verisign.com/
Depends on: 374336
Reported: 2006-08-14 17:44 PDT by Collin Jackson
Modified: 2007-10-01 22:39 PDT


Attachments
light green vs. light yellow / entire urlbar vs. security bar only (plus IE7 & Opera solutions) (141.09 KB, image/png)
2007-03-21 09:19 PDT, Dão Gottwald [:dao]
non-EV case (21.30 KB, image/png)
2007-03-21 15:51 PDT, Dão Gottwald [:dao]
#F6F87C / #6EDC6E (45.62 KB, image/png)
2007-03-21 15:53 PDT, Dão Gottwald [:dao]

Description Collin Jackson 2006-08-14 17:44:26 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060710 Firefox/2.0b1

Internet Explorer 7 has a feature that identifies "extended validation" (also known as "high assurance") certificates, which have been more thoroughly vetted by certificate authorities than regular certificates. The exact way to integrate this information with Firefox's browser chrome may still be under debate, but it would be nice to recognize when an extended validation certificate is encountered and provide the user with some way to know that an extended validation site has occurred. On the "Security" tab of "Page Info" would be a good place to start.

Reproducible: Always

Steps to Reproduce:
1. Install Microsoft Testing Root Certificate Authority certificate
(http://crypto.stanford.edu/~collinj/testingroot.cer)
3. Visit https://www.woodgrovebank.com/

Actual Results:  
Address bar turns yellow with lock icon. Nothing particularly unusual is shown if you click on the lock icon.

Expected Results:  
Address bar turns green (maybe) and organization name (and possibly CA identity) from certificate is displayed. Or, if that's too radical of a change, at least show some information about the fact that extended validation is present when you click the lock icon.

You can also get the Microsoft Testing Root Certificate Authority certificate here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=0742AE7E-6E7F-47D3-8327-E20D94AF2794&displaylang=en

If you install it using that tool, you'll need to export it to Firefox using the certificates snap-in in the Microsoft Management Console (C:\WINDOWS\system32\mmc.exe).

More information about extended validation certificates:

http://blogs.msdn.com/ie/archive/2005/11/21/495507.aspx
Comment 1 Daniel Veditz [:dveditz] 2006-08-14 23:48:25 PDT
I think we've got this one somewhere already. We probably aren't going to turn the address bar green, but the actual UI plan has yet to be finalized.
Comment 2 Gervase Markham [:gerv] 2006-08-15 06:43:57 PDT
I don't think this bug is a duplicate.

The exact UI will depend on a lot of things - not least of which is whether we just expose this as-is, or we incorporate the information into some greater "site trust" metric which uses other data sources to help make the decision. I know some people favour that idea.

Gerv
Comment 3 Jo Hermans 2006-10-26 03:28:04 PDT
Reported here: <http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/>. Mostly FUD, obviously.

Is there an NSS bug for extended validation SSL?
Comment 4 Stephen Davidson 2006-12-29 05:20:17 PST
More information on EV SSL at http://www.cabforum.org/.  

EV capabilities (i.e., the "green bar" and "enhanced security report") are expected to be turned on in IE7 by February 2007, and Opera has expressed its intention to add EV "when it's ready" (see http://labs.opera.com/news/2006/10/09/).

EV-approved CAs (i.e., CAs who have passed the WebTrust for CAs EV readiness audit for compliance with the EV Guidelines) have begun pre-selling the EV certs.
Comment 5 Dão Gottwald [:dao] 2007-03-21 09:19:29 PDT
Created attachment 259216
light green vs. light yellow / entire urlbar vs. security bar only (plus IE7 & Opera solutions)
Comment 6 Nelson Bolyard (seldom reads bugmail) 2007-03-21 13:47:58 PDT
For people with red-green color blindness (~20% of caucasian males),
there is effectively NO DIFFERENCE between the green and yellow colors 
shown in the attached sample image, except when spatially juxtaposed.  
A difference can be seen when the two colors are juxtaposed, but the 
two are indistinguishable when seen separately from the other.  To be 
differentiable when not juxtaposed, two colors must differ significantly 
from each other in luminance, or be rather highly saturated and differ
significantly in hue (e.g. at least 30 degrees).  

Let me suggest #F6F87C and #6EDC6E for more obviously different 
yellow and green values.
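
The rule of thumb in comment 6, applied to the two suggested values, as an added example that is not part of the original thread or of Firefox's code. It assumes HSL hue and saturation, WCAG relative luminance, and illustrative thresholds of 0.5 saturation and 0.2 luminance difference; only the 30-degree hue figure comes from the comment.

```javascript
// Added example: applies the rule of thumb from comment 6 to a colour pair.
// Only the 30-degree hue figure is from the thread; other thresholds are assumed.
const MIN_HUE_DIFF = 30;        // degrees (comment 6)
const MIN_SATURATION = 0.5;     // assumption for "rather highly saturated"
const MIN_LUMINANCE_DIFF = 0.2; // assumption for "differ significantly in luminance"

function parseHex(hex) {
  const m = /^#?([0-9a-f]{6})$/i.exec(hex);
  if (!m) throw new Error(`not a 6-digit hex colour: ${hex}`);
  const n = parseInt(m[1], 16);
  return [n >> 16, (n >> 8) & 0xff, n & 0xff].map((c) => c / 255);
}

// HSL hue (degrees) and saturation (0..1); hue is null for greys.
function hueSat([r, g, b]) {
  const max = Math.max(r, g, b), min = Math.min(r, g, b), d = max - min;
  if (d === 0) return { hue: null, sat: 0 };
  const sat = d / (1 - Math.abs(max + min - 1));
  let h;
  if (max === r) h = ((g - b) / d) % 6;
  else if (max === g) h = (b - r) / d + 2;
  else h = (r - g) / d + 4;
  return { hue: (h * 60 + 360) % 360, sat };
}

// Relative luminance of an sRGB colour (WCAG 2 definition).
function luminance(rgb) {
  const [r, g, b] = rgb.map((c) =>
    c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4);
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}

function compare(hexA, hexB) {
  const a = parseHex(hexA), b = parseHex(hexB);
  const ha = hueSat(a), hb = hueSat(b);
  let hueDiff = null;
  if (ha.hue !== null && hb.hue !== null) {
    const raw = Math.abs(ha.hue - hb.hue);
    hueDiff = Math.min(raw, 360 - raw); // shortest way round the hue circle
  }
  const lumDiff = Math.abs(luminance(a) - luminance(b));
  const byHue = hueDiff !== null && hueDiff >= MIN_HUE_DIFF &&
    Math.min(ha.sat, hb.sat) >= MIN_SATURATION;
  const byLuminance = lumDiff >= MIN_LUMINANCE_DIFF;
  return { hueDiff, lumDiff, byHue, byLuminance, ok: byHue || byLuminance };
}

console.log(compare("#F6F87C", "#6EDC6E")); // pair suggested in comment 6
console.log(compare("#F0F0C8", "#DFF0C8")); // constructed pale pair, not from the thread
```

Both criteria hold for the suggested pair (hue difference of about 59 degrees), while the constructed pale pair fails both. The check applies the stated rule only and does not simulate colour-vision deficiency.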
Comment 7 Dão Gottwald [:dao] 2007-03-21 15:51:53 PDT
Created attachment 259258
non-EV case
Comment 8 Dão Gottwald [:dao] 2007-03-21 15:53:02 PDT
Created attachment 259260
#F6F87C / #6EDC6E
Comment 9 Barry Ferg 2007-05-24 20:36:35 PDT
Implemented the IE functionality via an add-on: https://addons.mozilla.org/en-US/firefox/addon/4828

It would be easy enough to change the colour in the add-on CSS.
Comment 10 Nelson Bolyard (seldom reads bugmail) 2007-05-24 22:34:03 PDT
On what platforms does this extension work?  Vista?  WinXP?  Mac OS/X? Linux?
Comment 11 Dão Gottwald [:dao] 2007-05-25 00:14:59 PDT
(In reply to comment #10)
> On what platforms does this extension work?  Vista?  WinXP?  Mac OS/X? Linux?

All.
Comment 12 Johnathan Nightingale [:johnath] 2007-07-03 06:31:26 PDT
This feature is now a FF3 PRD line item (SPI-001b) being tracked in bug 383183.  Some of these mockups are pretty sharp, I'd be interested to get impressions of the current test extension over in bug 383183.

*** This bug has been marked as a duplicate of bug 383183 ***
