Closed Bug 619921 Opened 14 years ago Closed 14 years ago

No encryption lock icon.

Categories

(Firefox :: Security, defect)

defect
Not set
major

Tracking

()

VERIFIED WONTFIX

People

(Reporter: kie000, Unassigned)

References

()

Details

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7 Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b7) Gecko/20100101 Firefox/4.0b7 Since the status bar has been removed, I now have no lock-icon representing whether or not the page is properly encrypted. Reproducible: Always Steps to Reproduce: 1. open firefox 2. visit encrypted page Actual Results: Padlock icon representing encryption missing. Expected Results: A padlock icon either full yellow or with an exclamation mark to warn that the page hasn't been properly or fully encrypted. There is nothing that happens that visually represents the fact that broken encryption is in use.
Version: unspecified → Trunk
This has been replaced by the box that surrounds the favicon in the address bar. The colour changes depending on encryption state, and if you click it, further information is given.
Yes, it was removed and replaced with the info in the locationbar. See bug 558551 comment 15 for some of the reasoning.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
You can't force users to focus their attention on the Site Identity Button and forget about looking for the "lock" that security "experts" say should be present, and every other browser they have ever used, including Firefox, has used to signify a "secure connection". IMO, this "feature", or lack there of, over estimates the intelligence and knowledge of the "average user". IE9 and Opera11 have moved the "lock" from the right-side of the URL bar, and have incorporated the "lock" in their version of the "Site Identity Button" by replacing the website Favicon with a "security lock". I strongly suggest that Mozilla do the same, because users expect to see a "lock" - right, wrong, or indifferent. Clicking in the Site Identity Button to see the "lock" isn't good enough, the "lock" needs to be visible with no user action at all.
Status: RESOLVED → VERIFIED
(In reply to comment #4) > the "lock" needs to be visible with no user action at all. Absolutely. The fact that the change was unannounced is unhelpful, but having to click every time one wants visual reassurance is silly. One changes pages so many times on what hopes is a secure site that status needs to be unambiguous at all times. I have read bug 558551 comment 15: not sure I am convinced. To be honest, I miss the status bar - an overlaid, hard-to-read tool-tip is no substitute. Surely options for both items would satisfy the purists and permit old habits to be maintained? I have installed the padlock add-on, which at least prompts me to check the status.
(In reply to comment #4) > Clicking in the Site Identity Button to see the "lock" isn't good > enough, the "lock" needs to be visible with no user action at all. I also second this. Google Chrome, Opera and IE9 all have this feature.
(In reply to comment #5) (In reply to comment #6) No one has actually provided valid counter arguments to the reasoning in bug 558551; so not quite sure how there is anything to "second". All that has been stated is that "it now requires another click" - which is not true; since SSL/EV state is visible according to the site identity block colour. As of Fx5/6+, this is now even more visible with the new identity block styling. As for IE/Chrome/Opera showing the padlock being used as reasoning for Firefox to keep on doing so: just because browsers have traditionally managed the SSL/EV visibility/user expectation poorly, doesn't mean they should continue to do so. Firefox is rightly setting a sensible direction for this - leading by example rather than just accepting the norm.
Blocks: 558551
> reasoning ... And the general user knows about and understands this? I think I am close, but I am not convinced, and I think I have some grasp. So what about Joe Blow? > As of Fx5/6+, ... Disingenuous, surely, as this is irrelevant to the present situation. It took me ages to find out what that colour code meant - I had not even noticed it as a "feature". > leading by example Fine, when it is apparent what is going on. Updating to FF4 I proceeded as normal. I do not expect to have to read the manual in the hope of finding what has been changed unannounced. Basically, if you have a point it needs being made overtly, not 'we have decided' in the background. (2) Whether or not the change is sensible/meaningful/proper ... etc, it is still harder to decode than before, even if the decoding then was faulty in some respect. You have to educate, not assume total trust and confidence in the rightness of your thinking. Do it better, by all means, but not more obscurely.
(In reply to comment #8) > > As of Fx5/6+, ... > > Disingenuous, surely, as this is irrelevant to the present situation. It took > me ages to find out what that colour code meant - I had not even noticed it as > a "feature". Not really, since major changes are not going to be made to 4.x, due to the new release process (which also means Fx5 will be out within 7 weeks): http://mozilla.github.com/process-releases/draft/development_specifics/ > Do it better, by all means, but not more obscurely. The first search results on support.mozilla.com for "padlock" returns a post linking to: http://support.mozilla.com/en-US/kb/Site%20Identity%20Button It's obviously a balance between being too in-your-face to users about changes (most of whom won't read/care about things like release notes) vs providing the support articles and letting people read them if they are otherwise interested.
Thanks for the prompt reply. > Fx5 will be out within 7 weeks ... Sorry, I fail to see the relevance of this. So the punter needs to keep track of the future to keep control of present uncertainty? The link is not going to be seen my many. > The first search results on support.mozilla.com for "padlock" ... Obviously my route was more circuitous, but it clearly requires a special effort. I do not think this is fair on the average user. > release notes Oddly enough, I try to read these, but it has seemed to me to be harder and harder to find them, they are getting buried layers down. Is it not possible to create a "Read this: Important Changes" that comes up on the first new page instead of going on about trivia like Styles?
https://bugzilla.mozilla.org/show_bug.cgi?id=654714(In reply to comment #7) > No one has actually provided valid counter arguments to the reasoning in bug > 558551; so not quite sure how there is anything to "second". > > All that has been stated is that "it now requires another click" - which is > not true; since SSL/EV state is visible according to the site identity block > colour. As of Fx5/6+, this is now even more visible with the new identity > block styling. Ok, I accept that, you've convinced me. I made this suggestion though: https://bugzilla.mozilla.org/show_bug.cgi?id=654714 clicking the Site Identity button should also show which type of connection encryption is being used (eg.128-bit encryption): eg. it should show "Your connection to this web site is encrypted(with 128-bit encryption) to prevent eavesdropping." No extra click to "More Information..." should be required, in order to check which type of encryption is being used.
You need to log in before you can comment on or make changes to this bug.