Open Bug 410274 Opened 18 years ago Updated 3 years ago

Security information confusing when the connection is partially encrypted

Categories

(Firefox :: Page Info Window, defect)

Product:
Firefox
Component:
Page Info Window
Type:
defect

Tracking

()

People

(Reporter: florian, Unassigned)

References

Details

Attachments

(2 files)

Larry says unencrypted, but there is a broken lock in the status bar
88.20 KB, image/png
Details
Page Info/Security
98.77 KB, image/png
Details
Larry tells me the identity of the web site is unknown and the connection is not encrypted. In the status bar there is a broken lock. Then I click on the 'tell me more about this web site' link and Page Info/Security tells me that the connection is partially encrypted, and at the same time that 'This web site does not supply identity information.' and that 'This web site provides a certificate to verify its identity.' See attached screenshots. So we have a few bugs here: * Larry should tell the connection is partially encrypted (there is bug 402195 about that). * Page Info should have a better wording to not say one thing and the opposite at the same time. Maybe we can replace "This web site does not supply identity information." by "The identity of this web site could not be verified." * Gmail should not be displayed as partially encrypted (bug 383369)
Flags: blocking-firefox3?
Attached image Page Info/Security
This does not block the final release of Firefox 3.
Flags: blocking-firefox3? → blocking-firefox3-
(In reply to comment #0) > * Page Info should have a better wording to not say one thing and the opposite > at the same time. Maybe we can replace "This web site does not supply identity > information." by "The identity of this web site could not be verified." This bug really isn't blocking? I care less about the lock icon, but the inconsistency Florian mentions is really bothersome. In this case, I think Larry actually makes our UI *more* confusing than the pre-Larry state.
This issue is indirectly related to bug 424182 , but it is still a separate issue: How should the various security summary messages look when a page view contains elements from multiple sites, whose security status or owner identity is not the same? Should the various displays show a list of answers ("Owner: Yourbank Inc. (thoroughly verified) and evilclick corporation (verified) and www.sillyscripts.example (not verified)" ), or should their be some generic warning message( "This page is talking to sites from multiple owners at the same time, you personal information may be shared in unpleasant ways"), or perhaps some other solution?
(In reply to comment #4) > This issue is indirectly related to bug 424182 , but it is still a separate > issue: How should the various security summary messages look when a page view > contains elements from multiple sites, whose security status or owner identity > is not the same? Our identity information always concerns itself with the identity of the "top level" page. Even if that page includes content from other sources, TLS/SSL allows us to be confident that, for lack of a better term, the "intent" of the top level page has been preserved. The user is seeing what the top level page "wants" them to see, and if that changes the site authors need to change it, we can't really interpret that content on their behalf. The exception to this, of course, is mixed content. When there is unauthenticated subcontent in an https top level page, we no longer have the same confidence that the site is showing up "as intended", since the content from untrusted sources could have been subverted (and indeed in many cases, that subcontent could alter the rest of the page). This bug is something we should fix, the current behaviour is confusing, but we have to be careful here too - talking about "partially encrypted" or "mixed content" presumes mental models of SSL that I am confident our users don't have (nor should they be expected to). Page Info's text is more accurate, and at least talks about "parts of this document" instead of something even more painful, but it still presumes that users view webpages as multi-element assemblages. Maybe "This web site only supplies partial identification" is a route to pursue, though what does "partial identification" mean in the normal sense of things? You either have a driver's license or you don't. It's still closer to human, though, and explains why we can't be more definitive about the site's identity. In any event though, I don't believe our users are served by reporting the identity information of subelements outside of the broad category of mixed mode transmission. When all elements of a page are delivered securely, we have to conclude that this content is what the top level page wants, and should identify that top level page in our UI.
(In reply to comment #5) > > Our identity information always concerns itself with the identity of the "top > level" page. Even if that page includes content from other sources, TLS/SSL > allows us to be confident that, for lack of a better term, the "intent" of the > top level page has been preserved. The user is seeing what the top level page > "wants" them to see, and if that changes the site authors need to change it, we > can't really interpret that content on their behalf. > Actually, interpreting that content is the whole purpose of Firefox (and indeed any Web Browser). > ... > > Maybe "This web site only supplies partial identification" is a route to > pursue, though what does "partial identification" mean in the normal sense of > things? You either have a driver's license or you don't. It's still closer to > human, though, and explains why we can't be more definitive about the site's > identity. In the normal sense of things "partial identification" means that while trustworthy, only some of the usual information is available. For instance the user has a valid ID card that shows name and address, but not age (so by itself it doesn't say if that person is old enough to risk selling him/her alcohol). Whatever phrase is chosen, it should be clear that the adjective "partial" attaches to the page, not to the identification. "Parts of this contract says you owe us your life savings" is quite a different statement from "This contract says you owe us parts of your life savings". > > In any event though, I don't believe our users are served by reporting the > identity information of subelements outside of the broad category of mixed mode > transmission. When all elements of a page are delivered securely, we have to > conclude that this content is what the top level page wants, and should > identify that top level page in our UI. > Those of us who are inclined to install the NoScript plugin may beg to differ. Identity information is about whom you entrust your form entries etc. to, and it is important to know if you are really entrusting it to someone else too. This is why most (non-boilerplate) privacy statements are quite explicit about whom your data may be shared with. I have seen real world cases where high-trust web sites (such as a CA) had been duped by upper management into including 3rd party (https) web tracking bugs on their otherwise high security site, just because those web bugs were used on the big commercial websites of the company.
Related: It would really help if Firefox pointed out which resources are not encrypted (bug 406453). E.g. for me, Twitter tends to move to the "partially encrypted" after a while and even with the developer tool network view, it's really hard to diagnose why, because the culprit doesn't show up there on reload and loading Twitter in a fresh tab goes in to the usual encrypted EV state.
See Also: → 406453
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: