Closed Bug 431495 Opened 12 years ago Closed 9 years ago

Split favicon and security indication

Categories

(Firefox :: Security, enhancement)

VERIFIED DUPLICATE of bug 610048

People

(Reporter: pontije.pilat, Unassigned)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9pre) Gecko/2008042806 Minefield/3.0pre

Merging favicon and security information does little good, and creates lots of problems. 
In the current state, site security is indicated by colors - green and blue respectively. Both are nightmares to use as a background, and favicons are hard to see or just look plain ugly.
Also, it is bad as a concept to mix 3rd party changeable content with something as important as a security indicator; there are probably users that could be fooled into believing they are on a secure site just by crafting a favicon of the right shade of blue.

Solution: Move site icon back to location bar. Add specific indicator - wireframe/white simplified larry or padlock or whatever to current button. 


Reproducible: Always

Probably too late now to change this for Fx3, but I personally hope that this matter will be considered for the next version.

IMHO, the best solution would be the opposite of what you suggest: keep the favicon on the left in the old Firefox 2 style and move all security indicators to the end of the location bar on the right.  This is what IE and Opera do, and some consistency here between vendors would be nice, so people will not have to learn to look one place if they use Browser A and in another place if they use Browser B.
Status: UNCONFIRMED → NEW
Component: Theme → Security
Ever confirmed: true
OS: Windows XP → All
QA Contact: theme → firefox
Hardware: PC → All
Version: unspecified → Trunk
Yes, I agree, I didn't really want to impose a solution, any position is all right with me as long as the concept of a unified favicon/indicator is rethought :)
Blocks: 433412
See also bug 433412.  I hope I'm not starting a food fight, but I'd rather see the opposite.  I hate to think of letting the Web site control what's attached to the location bar.  Too easy to add a padlock.
Sorry, I need to clarify my comment.  I agree with the bug summary, but in my opinion, the Web site icon needs to be on the tab only, instead of on the location bar.
(In reply to comment #4)
> Sorry, I need to clarify my comment.  I agree with the bug summary, but in my
> opinion, the Web site icon needs to be on the tab only, instead of on the
> location bar.
> 

Then how would the favicon be shown for users who have the tabstrip hidden?

Personally, I think that it's best if there aren't too many attempts to reinvent the wheel unless there is a clear-cut benefit to doing so.  The favicon has been at the left end of the location bar for many years.  That's where it is in IE, Opera, and Safari.  I'm not saying that Firefox should always blindly do what other vendors do, but if Firefox does decide to break with what has become a de facto standard of the web browser interface, then it had better have a very, very compelling reason.  It is good for the users to have some degree of consistency, so that the interface feels comfortable and familiar.

This argument for the preservation of the favicon on the left also supports moving the security information over to the right (see comment 1).  User education with respect to security indicators is already very difficult, and having users learn to look on the left if they are using Firefox but look on the right if they are using any other browser just makes things worse.  The security information has always been on the right in previous versions of Firefox.

Moving security/identity to the right would also address the input-position-shift issues raised in bug 414627.
That's why I've always taught others to look for/trust the padlock on the status bar, not in any other location. And that's a de facto standard too.
I for one like "Larry" the way it is and it would be easy to educate mom to only put her credit card in a website if the button is a big green one AND the padlock is in the status bar.
I agree that the use as a padlock as fav icon might be crafted to deceive users, but it would not be possible to hack the blue/green shadows underneath, right?
And there the power of this approach, users won't trust just the icon, but also the colors associated.
(In reply to comment #5)
> Then how would the favicon be shown for users who have the tabstrip hidden?

My point was actually that the Larry button sure doesn't belong on the tab strip.  Each to his own, I guess.  I wouldn't get too upset by changes from the existing beta 5 unless you start shortening the location bar a lot.  I already have it shortened, and you'd be amazed how much vertical space that saves.

Having said that, I am skeptical that many people really need the favicon on the location bar.  I have the tab strip hidden, and if I only have one tab open, I'm never in doubt as to which one it is.  If I needed the icon to identify the window, then I'd really be clueless.  Consistency is nice, but only up to a point.  
Here's something I hacked up; it's a bit crude, but it should illustrate what I think may be a viable plan.

I propose adding a security indicator on the right as a part of the #urlbar-icons tray, and making that the primary indicator (complete with text and icon; the grid of dots is a placeholder for an appropriate icon).  This would address the issue of cross-browser consistency, the issue of the favicon being mixed in with the primary security indicator, and the problem of the SSL text shifting the start of the input location.

With the primary security indicator moved to the right, we could also keep the site button on the left as a secondary security indicator.  This indicator would not have text, would show the favicon, and would just change background color.  I think it would be nice to have an extra indicator (esp. if the space is going to be taken up by the favicon anyway), and it would make the transition from the current implementation to the proposed implementation easier.  Since this is a secondary indicator, I think it's okay for us to have the favicon here.  (If people think that's problematic, we could just dump the whole idea of making the favicon a secondary indicator and have only the indicator on the right while doing the favicon in the Fx2 style; I would prefer that over getting rid of the favicon on the left, as that's a well-established de facto standard.)

Either indicator, when clicked, will bring up the Larry dialog.
(In reply to comment #8)
OK, let me say again, I don't think the favicon belongs on the left.  It's too easy to put a padlock there, and it's going to fool people who have been taught to look for a padlock.  As far as I can figure, it also doesn't serve any great purpose.

As for changing the icon background, (1) why complicate everything; (2) what about color-blind people; (3) what about visually impaired people; why require the user to parse variations on an icon according to some color scheme?  Just keep it simple, and keep it clear.

> Created an attachment (id=320737) [details]
> one possible way of doing this
> 
> Here's something I hacked up; it's a bit crude, but it should illustrate what I
> think may be a viable plan.
> 
> I propose adding a security indicator on the right as a part of the
> #urlbar-icons tray, and making that the primary indicator (complete with text
> and icon; the grid of dots is a placeholder for an appropriate icon).  This
> would address the issue of cross-browser consistency, the issue of the favicon
> being mixed in with the primary security indicator, and the problem of the SSL
> text shifting the start of the input location.
> 
> With the primary security indicator moved to the right, we could also keep the
> site button on the left as a secondary security indicator.  This indicator
> would not have text, would show the favicon, and would just change background
> color.  I think it would be nice to have an extra indicator (esp. if the space
> is going to be taken up by the favicon anyway), and it would make the
> transition from the current implementation to the proposed implementation
> easier.  Since this is a secondary indicator, I think it's okay for us to have
> the favicon here.  (If people think that's problematic, we could just dump the
> whole idea of making the favicon a secondary indicator and have only the
> indicator on the right while doing the favicon in the Fx2 style; I would prefer
> that over getting rid of the favicon on the left, as that's a well-established
> de facto standard.)
> 
> Either indicator, when clicked, will bring up the Larry dialog.
> 

(In reply to comment #9)
> OK, let me say again, I don't think the favicon belongs on the left.  It's too
> easy to put a padlock there, and it's going to fool people who have been taught
> to look for a padlock.
Phishing sites have had the ability to plunk a padlock down on the left for all these years, and AFAICT, it hadn't ever become a problem--they almost always elect to plunk down the target site's icon instead.  The harm from having the favicon at all on the location bar is mostly speculative, and unless there is hard evidence to back it up, I personally don't think it's worth the cost of removing it.

> As far as I can figure, it also doesn't serve any great
> purpose.
I think many would disagree.  Even if the purpose that it serves is decorative, it still serves a purpose.

> As for changing the icon background, (1) why complicate everything; (2) what
> about color-blind people; (3) what about visually impaired people; why require
> the user to parse variations on an icon according to some color scheme?  Just
> keep it simple, and keep it clear.
Which is why the indicator on the right in my proposal would be a 3-part indicator: icon, background color, and text.  The background color is important because background colors are easier to visually parse and notice.
(In reply to comment #6)
> I agree that the use as a padlock as fav icon might be crafted to deceive
> users, but it would not be possible to hack the blue/green shadows underneath,
> right?

What blue/green shadows underneath?  If it's not encrypted, the background is
gray.  Incredibly easy to spoof, with or without the fancy scheme.


(In reply to comment #10)
> AFAICT, it hadn't ever become a problem--they almost always
> elect to plunk down the target site's icon instead.

Maybe not the greatest security issue, but I've actually seen it in the wild.


> Even if the purpose that it serves is decorative, it still serves a purpose.

The limited space of the location bar is not a great place for decoration.


> The background color is important because background colors are easier to visually parse and notice.

Like a blue icon with a blue background, for example?  There goes the decoration.

Besides, requiring users to figure out complicated background colors schemes that they don't understand is asking a lot of users.
(In reply to comment #11)
> What blue/green shadows underneath?  If it's not encrypted, the background is
> gray.  Incredibly easy to spoof, with or without the fancy scheme.
> 
FWIW, one of the reasons for going to a color-coded scheme is to avoid the "lock favicon" problem.  The lock has been entirely removed from the location bar, and even if someone does put up a lock favicon, it would not show up on blue or green.  Yes, removing the favicon entirely would be an even stronger solution, but it won't be that much stronger now that Fx3 has removed the lock and added the color schemes.  Does the benefit justify the cost?  IMHO, no.

> The limited space of the location bar is not a great place for decoration.
> 
That is a matter of opinion (likewise, so is my affinity for the favicon).  The default should be to keep the status quo unless there is strong justification otherwise; the burden of proof lies on your end of things.  The favicon does serve a real purpose, too, as it's a well-established and widely-used way of making bookmarks and shortcuts (drag it around to the appropriate location), so if the favicon does get killed, *something* (probably a generic page icon) will still have to take its place, so if saving ~20px or so of space is what you're after, it's not going to happen.

> Besides, requiring users to figure out complicated background colors schemes
> that they don't understand is asking a lot of users.
> 
Requiring users to rely on *any* scheme that leaves the user in the loop is asking a lot.  This is why the primary defense is the phishing/malware protection, and the rest is really secondary.
(In reply to comment #12)
> ...even if someone does put up a lock favicon, it would not show up on
> blue or green.

Yes, precisely.  I don't think this is getting through, but if you put a nice yellow lock on a gray background, it makes a convincing icon.  I just checked.  Example:  www.emergentchaos.com .  Nothing about that icon OR the gray background suggests that there's a problem, unless you are one of those users who happen to be immersed in Firefox UI details.

For what it's worth, I have seen fraudulent examples in the wild.

As for the rest of this, I just checked a nightly build, and it's different from beta 5.  The colored background has been checked in, so we're wasting our breath and spamming Bugzilla over nothing.
I suggested using the Larry icon consistently here: bug 430790 (comment 31+32).
Blocks: 430790
Flags: blocking-firefox3?
There is no way we're holding ship of Firefox 3 for this. I'm also not sure I think this is a better design, as eye-tracking data shows us that the eyes go to the left edge of the URL bar, not the right.
Flags: blocking-firefox3? → blocking-firefox3-
That is most likely correct, however for some reason (because of the historic location of the site icon?) other vendors opted for setting the indicator to the right. With setting browser.identity.ssl_domain_display to 0 by default, there is simply too much of a confusion and the favicon never buried additional information underneath. Maybe an easier solution would be to turn browser.identity.ssl_domain_display to 1, at least it would make it clear that there might be more information. Or have a small Larry to the right.
(In reply to comment #15)
> I'm also not sure I
> think this is a better design, as eye-tracking data shows us that the eyes go
> to the left edge of the URL bar, not the right.
>

Yes, exactly, security icon on the left, as in bug 433412.  Attachment https://bugzilla.mozilla.org/attachment.cgi?id=320670 , for example.  I want to make sure it's clear what that's about.

That looks great! It would solve the issue I'm concerned about! What about the site icon? Only on the tabs or elsewhere? What if there is no open tab? Alternatively have it to the right, together with all other indicators like bookmarks, feeds, etc.
(In reply to comment #18)
> What about the
> site icon? Only on the tabs or elsewhere? What if there is no open tab?

If there is only one tab and the tab bar is not shown, the user should not have any doubt as to which one it is.  If multiple windows are open, the title is still shown on the window bar.  One slight disadvantage is that if the icon is not shown, you can't drag it, but this affects only people who (1) elect to suppress the tab bar; (2) only have one tab open; and (3) customarily drag icons.  Everything has some disadvantage.

I'm a little concerned, however, that maybe this discussion should be in bug 433412 if it continues.
(In reply to comment #18)

I don't think completely removing site icon is an option :)
Mockup from comment 17 is pretty much what I originally had in mind when proposing a solution, in that case right place for site icon should be on the location bar (white part) to the left of the URL.

But as stated, there are many things to consider; Kai Liu made a fine argument about that (and a lovely mockup too) :)
Who knows, maybe the devs will surprise us with some completely unique brainstorm; that's fine with me, as long as we move on from the current spot :)
 
In response to comment #15 (I'm also not sure I think this is a better design, as eye-tracking data shows us that the eyes go to the left edge of the URL bar, not the right.):

How does eye-tracking data prove anything? In places that read left to right, that's the expected behavior and has nothing to do with what is (or isn't) on the left edge of the URL bar. 

For years, a graphic on the left edge has been associated with a favicon, not a security indicator. Conversely, a graphic on the right edge has been associated with a well known security indicator.

I know this has been argued for many months now (yes, I trudged all the way through bug 417844), but I don't see any value in the (seemingly random) color scheme picked for indicating the type of encryption/trustworthiness of the connection (referring to the blue). There are several reasons for this:

1) Considering that both IE7 and Opera separate favicon (to the left) and security info (to the right), having ff3 do something different is both counterintuitive and, unless a user learns what the blue and green favicon highlighting mean, meaningless. 

2) Colors alone are not indicators of security, IMHO, especially for color blind individuals. Any arguments I've read in favor of how ff3 shipped in this regard always seem to ignore that. If a yellow (or green) URL bar background isn't sufficient to convey security, how would a blue or green favicon highlight be any more significant?

3) Using a combination of uniform colors and text indicating the organization on the security certificate and who issued it is better than just a color or icon. (And all of the data I've seen indicate this, as well) Naturally, that would mean including, for both SSL and EV SSL sites, an indicator on the right edge of the URL bar showing a lock icon + text indicating who the certificate was issued to. Hovering over it could provide info that the current ff3 implementation shows (e.g. Verified by: Equifax) and clicking on it would bring up either a Larry-type info panel (as ff3 has now) or even the full Security Info box.

An off topic question: 

When I visit https://bugzilla.mozilla.org or https://mail.google.com, when I click on the current blue-highlighted favicon in ff3, the info panel for both says "which is run by (unknown)". Clicking on "More Information..." brings up the Security Info box which states (again, for both sites):

"Owner: This web site does not supply identity information."

Then, at the bottom of the Web Site Identity area, says:

"This web site provides a certificate to verify its identity."

Why the confusing and conflicting wording? What exactly does "This web site does not supply identity information" mean in that context when the same info box says that its identity is verified? When answering this question, pretend I'm a typical, naive user who is curious.
See also bug 610048.
That's for the report. We're going to go with the proposal in bug 610048.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 610048
Er, s/That's/Thanks/
Status: RESOLVED → VERIFIED