Open Bug 795771 Opened 7 years ago Updated 3 years ago

Firefox for Android and Firefox for Desktop have very different certificate exception UIs

Categories

(Core :: Security: PSM, defect, P5)

People

(Reporter: briansmith, Assigned: lco)

Details

(Keywords: ux-consistency, Whiteboard: [parity-desktop][parity-mobile][psm-backlog])

Attachments

(2 files)

tl;dr: I propose that (a) in the short term, we replace the Firefox Desktop certificate error page with the one from Firefox for Android, which would remove the certificate exception dialog box, and (b) we add a "View Certificate" button to the desktop version of that page.

In Firefox for Android, the certificate error page provides a button to add a permanent exception, and a "visit site" button (which adds a temporary exception). In Firefox for Android, there's no way to view the certificate before adding the exception.

In Firefox for Desktop, there is a button that shows the Certificate Exception Dialog Box, which has the UI for adding permanent and/or temporary exceptions, and which has the "view certificate" button that lets the user view the certificate before adding the exception.

Bug 469848 has the history for why the Android UI is different than the desktop UI. The rationale for the current desktop UI is strewn about in hundreds of comments in dozens of bugs; the basic idea is that we go out of our way to make it tedious to add certificate error exceptions, even though we could make it easier.

It seems to me that the mobile UI is clearly easier to use. And, if it is "secure enough" for our mobile users, then it is "secure enough" for our desktop users. And, if it isn't "secure enough" for our desktop users, then it isn't "secure enough" for mobile users. (Personally, I am in the "is secure enough" camp.)

We can do a much better job with these errors in general (e.g. doing things to avoid them, e.g. bug 562917, bug 657228, bug 399324, bug 454036, bug 449498, and bug 432802). But, there are going to be times where we need some kind of UI like this, and I think that security UI should be consistent across our products whenever possible, so I think this is something that should be resolved.

Also, I am working on some back-end bugs that would require me to modify how the certificate exception mechanism works (behind the scenes) on both Android and desktop. If we were to decide to use the Firefox for Android UI on Desktop too, then that work would be greatly simplified (halved). So, it would be great to have a UX that is similar for all products (including also B2G) soon, as they could likely share a significant amount of code. I would like these things to share as much code as possible to make it easier to maintain them, to reduce the likelihood of (platform-specific) bugs, and to ensure that all products keep up with each other.
I no longer hold the UX reins on such things, but fwiw, I agree.
At the risk of Madhava telling me I have too much to do, I can take a look at this issue :) I think I may have to design this for B2G anyway. 

I do agree that I'd prefer to make desktop and mobile consistent. 

My initial thought is that I'd like to try and improve the certificate exception UI in the long run. I don't think either UI is the best we can make it, mainly because I think our design intent _is_ to make it difficult for the user to add a permanent exception. Not because we enjoy putting up walls in front of our user, but because we don't want users to see "adding an exception" as the solution, especially when it might make them unsafe. 

So having the option to visit the site (i.e. add a temporary exception), and making this more prominent, is a good thing, although ideally, I would still make it difficult to add any kind of exception.

In the short run though, I think the Android UI is a little closer to what we want. The main comment I have for it is that we need to do a better job of guiding people to the preferred choice now that we have three buttons for them to choose from. The text isn't enough of a guide-- a lot of people won't take the time to process it. 

I'll think about this issue more though.
Assignee: nobody → lco
Thanks, Larissa. But to be clear: adding an exception is a better security outcome than visiting the site, in most cases. It prevents dialog fatigue, cements a trust decision that, whether you made it well or poorly, you're likely to make again and again when visiting that site. So I'm all for doing better, but your comment makes it sound like "Visit site" is the intended outcome and most of the time it isn't.
Out of curiosity, why do we have an option to add a temporary exception anyway? As a fairly unsophisticated user, that misled me into thinking that it's a "better" choice than adding a permanent exception.
Worth discussing, for sure. It may be that "add exception" is the only meaningful user choice there and that "visit site" gives a false sense of safety.
(In reply to Larissa Co from comment #5)
> My initial thought is that I'd like to try and improve the certificate
> exception UI in the long run. I don't think either UI is the best we can
> make it, mainly because I think our design intent _is_ to make it difficult
> for the user to add a permanent exception. 

Yes. IMO, the requirement to click "I understand the risks" is enough of a slow down, insofar as we want to have a slow down.

> Out of curiosity, why do we have an option to add a temporary exception
> anyway? As a fairly unsophisticated user, that misled me into thinking that
> it's a "better" choice than adding a permanent exception.

One problem is that we end up creating a lot more permanent exceptions than we really need, because we show the option to add exceptions in many situations where we shouldn't (captive portal, wrong system time, "https://amazon.com" instead of "https://www.amazon.com", etc.).

I know too much about the technical minutiae to accurately judge the value of having the various options (and I use the temporary option more because I know what the choices really mean), but IMO reducing the number of choices doesn't need to block the change requested in this bug. I'm requesting this kind of unification to facilitate more rapid cross-product (Fennec, Desktop, B2G) UX improvements that I expect to follow, and to improve the rate of improvements to the back-end stuff.

> three buttons

On the cert error page, I would make "View Certificate" available from the site identity block (only), like it is in the non-error case (and like it is in other browsers). That would address the concern about adding *that* button to the page.

As far as "visit site" vs. "add permanent exception," perhaps it would be better to do what we do for other security prompts regarding permanent vs. temporary (e.g. geolocation, password saving, etc.).
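
An added example, not part of the bug thread or of Firefox/PSM code: a triage step that recognises two of the situations named in the comment above (wrong system time, and "https://amazon.com" versus "https://www.amazon.com") before any exception control is offered. The field names, the `triageCertError` function and the build-time clock check are assumptions made for illustration; captive-portal detection needs a network probe and is not covered.

```javascript
// Added illustration: field names and the build-time clock check are
// assumptions, not Firefox/PSM code.
function nameMatches(pattern, host) {
  pattern = pattern.toLowerCase();
  host = host.toLowerCase();
  if (pattern.startsWith("*.")) {
    // A wildcard covers exactly one left-most label.
    const dot = host.indexOf(".");
    return dot > 0 && host.slice(dot) === pattern.slice(1);
  }
  return pattern === host;
}

const covers = (names, host) => names.some((n) => nameMatches(n, host));

// Returns the likely cause and whether an exception control makes sense.
function triageCertError({ host, certNames, notBefore, notAfter, localTime, buildTime }) {
  const outsideValidity = localTime < notBefore || localTime > notAfter;
  // A clock earlier than the browser's own build date is certainly wrong.
  if (outsideValidity && localTime < buildTime) {
    return { cause: "wrong-system-time", offerException: false };
  }
  if (!covers(certNames, host)) {
    // Only the www/no-www variant of the requested host is tried.
    const alt = host.startsWith("www.") ? host.slice(4) : "www." + host;
    if (covers(certNames, alt)) {
      return { cause: "www-mismatch", offerException: false, suggestHost: alt };
    }
    return { cause: "name-mismatch", offerException: true };
  }
  const cause = outsideValidity ? "outside-validity-period" : "other";
  return { cause, offerException: true };
}

// Constructed sample: a certificate issued for the www name only.
const SAMPLE = {
  host: "amazon.com",
  certNames: ["www.amazon.com"],
  notBefore: Date.UTC(2012, 0, 1),
  notAfter: Date.UTC(2013, 0, 1),
  localTime: Date.UTC(2012, 9, 1),
  buildTime: Date.UTC(2012, 7, 1),
};
console.log(triageCertError(SAMPLE));
```
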
Component: Security: UI → Security: PSM
Priority: -- → P5
Whiteboard: [parity-desktop][parity-mobile] → [parity-desktop][parity-mobile][psm-backlog]