Open Bug 711816 Opened 9 years ago Updated 6 years ago

Larry should include a checklist of optional security measures

Categories: Firefox :: Security (enhancement)

People: Reporter: jruderman, Unassigned

References: Depends on 1 open bug

Details: Keywords: sec-want, Whiteboard: [sg:want]

I want Larry to include something like this on a site that "gets everything right":

✓ Signed to prevent tampering
   ✓ Authenticated by a CA (Verisign)
   ✓ Authenticated hierarchically (DNSSEC)
   ✓ Certificate status is valid (checked 20 seconds ago using OCSP)
   ✓ Safe renegotiation protocol
✓ Encrypted to prevent eavesdropping
   ✓ Algorithms secure through ~2025
   ✓ Forward secrecy (EDH)
✓ Entire page delivered securely
✓ All cookies secure
✓ Future connections will be secure (STS)
   ✓ Including all sites that share cookies (*.eTLD+1)

And like this on a site that meets the current minimum for https:

✓ Signed to prevent tampering
   ✓ Authenticated by a CA (Verisign)
   · Not authenticated hierarchically
   · Unable to check certificate status
   · Old renegotiation protocol
✓ Encrypted to prevent eavesdropping
   · Algorithms secure through ~2015
   · No forward secrecy
· Some images were delivered insecurely
· Some cookies have insecure flag
· Future connections can be secure or insecure

I'm thinking green check marks and gray dots. Green is good, but gray isn't explicitly scary. We want to promote the use of these features, and allow users to check for them easily, but most of them are optional for a good reason.

A "what do these mean?" link could explain the technologies and the
types of threats they mitigate. Like Chrome's page, but more complete:
https://www.google.com/support/chrome/bin/answer.py?answer=95617&hl=en-US
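An added example (not code from the bug or from Firefox) of how the two lists above could be derived from facts about a page load: forward secrecy from the cipher suite name, STS and its subdomain scope from the Strict-Transport-Security header, cookie safety from the Secure attribute, and mixed content from subresource URLs. The input dictionaries are constructed sample data with field names of my own; Larry's real data sources are not assumed.

```python
import re

# Constructed facts for one page load (not a live connection); field names are hypothetical.
GOOD = {
    "tls_version": "TLSv1.2",
    "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
    "secure_renegotiation": True,
    "ocsp_stapled": True,
    "headers": {"strict-transport-security": "max-age=31536000; includeSubDomains"},
    "set_cookie": ["sid=abc; Secure; HttpOnly", "pref=1; Secure"],
    "subresources": ["https://example.test/a.png", "https://cdn.example.test/b.js"],
}
MINIMUM = {
    "tls_version": "TLSv1.0",
    "cipher": "AES128-SHA",  # RSA key exchange: no forward secrecy
    "secure_renegotiation": False,
    "ocsp_stapled": False,
    "headers": {},
    "set_cookie": ["sid=abc; HttpOnly"],
    "subresources": ["http://example.test/a.png"],
}

def has_forward_secrecy(cipher):
    # Ephemeral (EC)DH suites in OpenSSL naming; TLS 1.3 suites are always ephemeral.
    return bool(re.match(r"^(ECDHE|DHE|EDH)-|^TLS_(AES|CHACHA20)_", cipher))

def hsts_directives(headers):
    # Directive names from the STS header, lower-cased; empty set when no header was sent.
    value = headers.get("strict-transport-security", "")
    return {d.strip().split("=")[0].lower() for d in value.split(";") if d.strip()}

def all_cookies_secure(set_cookie):
    # Every Set-Cookie must carry the Secure attribute (attributes follow the first ';').
    return all("secure" in [a.strip().lower() for a in c.split(";")[1:]] for c in set_cookie)

def checklist(facts):
    hsts = hsts_directives(facts["headers"])
    return [
        (facts["secure_renegotiation"], "Safe renegotiation protocol"),
        (facts["ocsp_stapled"], "OCSP response stapled"),
        (has_forward_secrecy(facts["cipher"]), "Forward secrecy"),
        (all(u.startswith("https://") for u in facts["subresources"]), "Entire page delivered securely"),
        (all_cookies_secure(facts["set_cookie"]), "All cookies secure"),
        ("max-age" in hsts, "Future connections will be secure (STS)"),
        ("includesubdomains" in hsts, "Including subdomains (STS includeSubDomains)"),
    ]

def render(facts):
    # Green check for a met item, gray dot otherwise; first line gives exact version and cipher.
    rows = ["%s %s" % ("\u2713" if ok else "\u00b7", label) for ok, label in checklist(facts)]
    return "\n".join(["%s with %s" % (facts["tls_version"], facts["cipher"])] + rows)
```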
Assignee: nobody → limi
Keywords: uiwanted
Assignee: limi → nobody
✓ Intermediate certs included (see bug 629558 and bug 733232)
✓ OCSP response stapled (see bug 700693)
It might be interesting also to look at DANE/TLSA records, and then to side load those certs via Tor, Convergence or other methods like GNS.
Duplicate of this bug: 834052
Duplicate of this bug: 906159
As bug 906159 has been closed as a duplicate, please also include the exact SSL/TLS version & cipher information somewhere. While check marks and "secure enough until..." may be good enough for most folks, a more detailed view is needed too, IMHO.  (Also, who is "Larry"?)
(In reply to Christian Kujau from comment #5)
> As bug 906159 has been closed as a duplicate, please also include the exact
> SSL/TLS version & cipher information somewhere. 

I agree.
I do not understand how #834052 and #906159 were closed as dupes of this. Both were filed against the page info window which should hold "advanced" (but very useful) information like the TLS version in use. This bug is about the Larry, which should probably show some more information but more user friendly. Adding the information to the page info window should _not_ be deferred by the design of the Larry popup.
This seems like a nice improvement over what's currently shown, a misleading "The connection to this website is secure."

Given heartbleed [1] and government controlled or coerced CAs [2], I hope you can refrain from re-introducing such language. This means avoiding the word "secure" if possible, and not saying things like "Entire page delivered securely".

[1] http://heartbleed.com/
[2] http://blog.okturtles.com/2014/02/introducing-the-dotdns-metatld/
Let me rephrase. You either mean that "Entire page delivered securely" or you don't.

What if the page wasn't delivered securely due to a bug (e.g. [1] in the previous comment) or a fundamental flaw in the protocol ([2] in the previous comment)?

The page wasn't delivered securely, and yet the user is being told that it was.

Something seems very wrong about that.
Duplicate of this bug: 1077976