Incorrect and missing information on partially encrypted pages

Status: NEW (Unassigned)
Product: Firefox
Component: Address Bar
Reported: 10 years ago
Last modified: 3 years ago
Reporter: Volkmar Kostka
Version: Trunk

Description (Reporter, 10 years ago)
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a9pre) Gecko/2007110103 Minefield/3.0a9pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a9pre) Gecko/2007110103 Minefield/3.0a9pre

These are probably two bugs.
First, if you view a partially encrypted page there is no info about the used encryption for the base page like for fully encrypted pages. Is this intended behaviour? Sometimes I like to see the encryption for partially encrypted pages but this information is not shown at all.
Second, "Larry" says "not encrypted" for partially encrypted pages. In my eyes this is simply wrong.

Reproducible: Always

Steps to Reproduce:
View the mentioned page.
Double click on the crossed lock. You see no encryption type.
Click on "Larry". "Larry" says "not encrypted" which is wrong.
Actual Results:
No encryption shown for partially encrypted pages.
"Larry" says "not encrypted".

Expected Results:
Encryption shown at least for the base page.
"Larry" should say "partially encrypted".

Comment 1 (10 years ago)
I second this, but it might be better to split it in 2 bugs.

Another example: <https://www.opends.org/>, which calls some JavaScript code (Google ad) at the bottom over http.

I filed bug 406453 for the first issue, and used this one for the second issue (moved to the correct component).

For the second issue, Larry shouldn't say "not encrypted", but "partially encrypted" (as shown in Page Info or Larry->more info) or "Contains unauthenticated content" (like the hover-popup).
Status: UNCONFIRMED → NEW
Component: Security → Location Bar and Autocomplete
Ever confirmed: true
QA Contact: firefox → location.bar
I think too that it should say "partially encrypted" or maybe "not fully encrypted". I guess it depends on if you see the glass as half full or half empty.
The question I have is whether changing the behaviour in this case would help users make better decisions.  "Partially encrypted" is more technically accurate, but does it matter?  Let's take Jo's example in comment 1.  In this case, an otherwise https site includes script from an http source.  So we would say "partially encrypted" to what end?  To tell users things are "probably" okay?  I think that's not the message we want to provide.

One http script is enough to totally rewrite the page with arbitrary content.  So they are certainly not "safe from eavesdropping." Nor do they have any guarantee that the content hasn't been tampered with.  Basically, the promises we can make are precisely those that we could make with http, which is to say, none in particular.

Now, if we had bug 62178 supported, so that we could block http content in an https page load, we'd be in a much better spot, because these sites could be presented with only their https content, at which point they could be trusted like other SSL content.

I understand that the current text is inaccurate, but I would hesitate to put more accurate text in there if it made it harder for users to make good decisions.  Maybe if we talked in terms of "This site uses broken encryption" or otherwise suggested that really, things were no better than http...

Of course, from page info, you can still inspect the certificate, and I agree that that is surprising and inconsistent. If we can find a way to fix that part without letting more truth act as a misleading influence, I'm all for it.
 
Talking about "broken encryption" seems good, it would be consistent with the broken lock displayed in the status bar.

I think telling something about this in the UI can help the user to make better decisions.  I personally think that a partially encrypted page is more alarming than a page with a self-signed certificate or one that expired only a few days ago.  It indicates that the site tried to protect the data you are viewing (probably because there is personal data included in the page) and failed.
OS: Windows 2000 → All
Hardware: PC → All
Version: unspecified → Trunk
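An added example, not Firefox code and not from anyone in this thread, of the distinction argued over above: a small JavaScript checker that separates "partially encrypted" from "not encrypted" and, within partial, treats active mixed content (a script or frame loaded over http) as downgrading the page to http-level guarantees, as the comment about one http script rewriting the page points out. The HTML and hostnames are constructed for illustration.

```javascript
// Constructed example: classify a page's transport security the way a
// mixed-content checker would. Inputs are the page URL and its HTML source.

// Active mixed content (script, frame, stylesheet, object) can rewrite the
// whole page, so it reduces the page to http-level guarantees. Passive content
// (images, media) can be observed or swapped but cannot run code.
// <link> is treated as active here for simplicity (it is usually a stylesheet).
const ACTIVE_TAGS = new Set(["script", "iframe", "frame", "object", "embed", "link"]);
const PASSIVE_TAGS = new Set(["img", "audio", "video", "source"]);

// Pull (tag, reference) pairs out of the HTML with a simple tag scanner.
function extractSubresources(html) {
  const out = [];
  const tagRe = /<(script|iframe|frame|object|embed|link|img|audio|video|source)\b([^>]*)>/gi;
  const attrRe = /\b(src|href|data)\s*=\s*["']([^"']+)["']/i;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attr = attrRe.exec(m[2]);
    if (attr) out.push({ tag: m[1].toLowerCase(), ref: attr[2] });
  }
  return out;
}

// Returns one of: "not encrypted", "encrypted",
// "partially encrypted (active)", "partially encrypted (passive)".
function classifyPage(pageUrl, html) {
  const base = new URL(pageUrl);
  if (base.protocol !== "https:") return "not encrypted";
  let worst = "encrypted";
  for (const { tag, ref } of extractSubresources(html)) {
    let u;
    try { u = new URL(ref, base); } catch { continue; } // skip malformed refs
    if (u.protocol !== "http:") continue;                 // https:, data:, blob: are fine
    if (ACTIVE_TAGS.has(tag)) return "partially encrypted (active)";
    if (PASSIVE_TAGS.has(tag)) worst = "partially encrypted (passive)";
  }
  return worst;
}

// Constructed sample: an https page that pulls an ad script over plain http,
// the same shape as the opends.org case in comment 1.
const SAMPLE_HTML = '<html><head><link rel="stylesheet" href="/site.css"></head>' +
  '<body><img src="//cdn.example/logo.png">' +
  '<script src="http://ads.example/ad.js"></script></body></html>';

console.log(classifyPage("https://shop.example/cart", SAMPLE_HTML));
```

Run with `node`; the sample page is reported as "partially encrypted (active)" because of the http script, while the protocol-relative image resolves to https and is fine.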

Updated (9 years ago)

Duplicate of this bug: 506417

Comment 6 (9 years ago)
In Internet Explorer 8, it gives you the option to "view only the webpage that was delivered securely" or to view the whole webpage (with both secure and insecure material).  Is there a way to do that in Firefox or could it be implemented?