Open Bug 804974 Opened 12 years ago Updated 2 years ago

Grey padlock and "https" says "disabled"; use something other than grey

Categories: Firefox :: Theme, defect

Status: REOPENED

People: Reporter: gerv, Unassigned

References: Blocks 1 open bug

Attachments: 1 file

There is a reasonably common convention that things in GUIs which are grey are disabled or inactive or deemphasized. We made various URL components grey to highlight the domain name - fine. However, we appear to have also got a grey "https" and a grey padlock (for non-EV certs).

This is UI that we want a user to notice, and also to notice the lack of. "De-emphasis" is not appropriate for it, even in a minimalist theme.

I hate UI churn in security UI as much as the next man, but where we are now is really not a good place. I suggest returning to either yellow or blue for the padlock, and returning to black (same as the domain name) for the "https".

Gerv

Yes, I would also like for the SSL indicators to not look like SSL is disabled because they are gray.

Note that the EV lock is green, and if the user notices the difference in color at all, it seems likely they will get confused about why the non-EV lock looks disabled (because it is gray).

For a long time, there has been this idea that we must make the indicators for EV look "better" or "stronger" than the indicators for non-EV. However, I don't think that is justified. The one thing that is really better about EV is the verification of the "real" company, and that's already indicated by having the company name in the address bar (on desktop). (And, I am not sure it is worth keeping the company name in the address bar for EV, but that's another issue.) I think it would be much less confusing if, besides maybe showing the company name for EV, the non-EV and EV cases looked as similar as possible. That would be much less confusing for people who don't know anything about EV. The difference between EV and non-EV is really quite small and it's likely only going to get smaller (to the point of being inconsequential, if it isn't already) in the future. The difference between HTTPS and HTTP is **much** more important to make clear.

I think the way we show "https://" in gray at the start of an HTTPS URL, but we don't show anything at all for an HTTP URL, makes it seem like HTTPS is worse than HTTP. "Why is there all this extra gibberish here before the website name; let's delete it to make it better." Showing the lock and the https:// as both green (like in the EV case) helps convey the idea that the gibberish is related to the lock that means something about "being secure." Instead of making https:// URLs look worse, we should make them look better.

I know that we've put a lot of effort into making the UI less distracting and the monochromatic features of the address bar are part of that. If we really feel like the monochromatic look is important, then we should consider making the SSL indicators always gray, even for EV. But, I do worry that users will interpret our gray security indicators as "Firefox security is broken," especially if/when they compare to the more colorful, more active-looking, more positive-looking indicators in Chrome.

By the way, the recent round of improvements to the appearance of the site identity block definitely are already making the product look a lot better.

I would certainly not support making the non-EV lock green, to make it look similar to the EV one. I think that our UI in this area should be identity-focussed, not "security" or "safety" focussed (which is why I liked the blue site identity bar which got axed). Identity is something we can say something meaningful about and, for better or worse, browsers mark connections to an identified entity with green UI elements.

I would perhaps support hiding the https in the case of a successful connection, although I suspect quite a bit of documentation tells people to look for it to check they are secure (it being the only ever-present indicator across all browsers), so that might lead to more user confusion.

Gerv

(I've just noticed this bug after adding a comment on a similar subject in bug 444980.)

I'm not sure where the idea of making the address bar as monochromatic as possible was discussed, but I'm really not convinced it's a good idea (when it comes to HTTPS connections).

Checking that an HTTPS connection is secure is ultimately the user's responsibility: the certificate must be verified, the host name must be verified, but before any of those, the fact that HTTPS is used at all when it's expected is absolutely essential.

The fact that HTTPS is being used (and used correctly: accepted certificate, no mixed content...) should be clear at all times, using something that's visible even when it's not the main focus of attention.

To achieve this, I think having something like a full coloured background (e.g. green for EV certs and blue/yellow for other certs) in the address bar would certainly be better.
It would certainly be more distracting (when looking at the main content of the page) in that it would be noticeable, but that's a feature when secure connections are concerned.

I also think that hiding "https://" would be more confusing indeed.

From bug 761179 that was closed as a dupe of this one (I don't know why as that bug pre-dated this one):

To maintain muscle memory we users could have developed and be consistent with the previous coloring site identity provided[1], there should be a separator | between the padlock and the URL and a light shade of blue that matches "Larry" on SSL state should fill the padlock area.

At https://bugzilla.mozilla.org/attachment.cgi?id=629796 there's a very raw "mockup" I did using paint ;-)

[1] https://support.mozilla.org/en-US/kb/how-do-i-tell-if-my-connection-is-secure#w_blue-basic-identity-information

I agree with Bruno Harbulot's comment.

From a Browser user's perspective, we are accustomed to looking for "https" as an indication of secured site.

The troubling issue is that a black colored lock may lead to confusion (since we already use a "grey" colored globe for the unsecured sites).

I don't think the browser user cares whether the company name is displayed in the location bar for EV enabled sites. The company name is available if you click on the green lock.

But surely, it would be very convenient if the black lock is changed to blue (for non-EV enabled secured sites).

I don't think change is ever going to happen here unless we can work out who is responsible for this decision, and get them to comment on the arguments put forth above.

According to:
https://wiki.mozilla.org/Firefox/Features/Theme_Refinement_and_Evolution_%28Australis%29
that's probably shorlander. NEEDINFOing him.

Gerv
Flags: needinfo?(shorlander)

shorlander: ping?

Gerv

This decision seems to have been confirmed with Australis; marking WONTFIX by default. :-(

Gerv
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(shorlander)
Resolution: --- → WONTFIX

:gerv Thank you for looking into this. Any reasons behind this decision? Is it simply too late for the current version of the interface, or has someone actually made the case for grey being good somehow?

The general issue with everything being grey, even with HTTPS, also applies when there are warnings.

Funnily enough, I was just looking at the UX blog at https://blog.mozilla.org/ux/2014/05/redesigning-firefox/, and I must say I didn't notice the broken lock immediately, it's quite small in the corner of the screen (see picture attached).

Once again, expecting a blue bar (like it was at some point in the past) for correct non-EV certs, and maybe orange/red bar (or something that stands out a bit more) when there's something wrong (e.g. insecure resources loaded) would be a substantial improvement in terms of security.

Making the HTTPS status of a connection clearly visible to the user is absolutely essential for the overall security of that connection.

(In reply to Bruno Harbulot from comment #11)
> :gerv Thank you for looking into this. Any reasons behind this decision? Is
> it simply too late for the current version of the interface, or has someone
> actually made the case for grey being good somehow?

Given the amount of work which went into Australis, I can only assume that they decided not to make a change here. It would have been better if it was communicated explicitly, but closing this bug is simply reacting to what has been demonstrated through the lack of change.

Gerv

Clearly, a lot of work went into Australis, I don't think anyone is disputing that. However, this is after all a security issue (although not strictly speaking a programming bug, since it's more on the UX side of security indeed).

The problem remains, and it has been around for a couple of years at least. Should we open a new issue in this bug tracker for future versions of Firefox?

I agree that Gerv's rationale for closing this bug doesn't make sense. Lots of things didn't happen during Australis because of the desire to limit scope. Lots of things related to security indicators for HTTPS are being actively debated and/or changed now, and this could be one of those changes.

Gerv has leeway to close this bug because he filed it. Gerv doesn't have such latitude for bugs that other people file. So, I suggest that if this bug isn't reopened, that people file a new bug on their own. Also, I'm not sure "Firefox: Theme" is the right place. "Firefox: Security" or "Core: Security UI" seem like better places.

(In reply to Gervase Markham [:gerv] from comment #13)
> Given the amount of work which went into Australis, I can only assume that
> they decided not to make a change here.

It's generally a bad idea to assume anything like that.

If you are having trouble getting decisions to be made explicit, there are several avenues for clarification (firefox-dev, reaching out to me).
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---

This was something that we talked about when switching to the lock. Blue doesn't have any cultural connotations towards "secure" and green is already a reserved color for HTTPS+EV.

We want to have a simple UI that people can relate to. Using outside conventions helps in this matter.

As I recall it, the only other option we came up with was to use a green lock in all HTTPS cases, and HTTPS+EV would stand out because of the presence of the organizational name.

Thanks Jared and Gavin, for taking the time to comment on this bug.

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #17)
> As I recall it, the only other option we came up with was to use a green
> lock in all HTTPS cases, and HTTPS+EV would stand out because of the
> presence of the organizational name.

I think that is exactly the option that should be preferred. The problem is that Firefox is not giving the user any indication that https:// is good. In fact, the current UI makes it look like https:// is BAD because it's a bunch of messy gibberish in front of the domain name that isn't there in the non-secure but "normal" looking case. Reserving the green color for EV over-states the security benefits of EV. Having the distinction between EV and non-EV be the presence or absence of the organization name almost EXACTLY captures the value (if any) of what EV is about.

Are you OK with us switching the grey padlock to be green in all instances?
Flags: needinfo?(shorlander)

Is it OK to repost my "design" for consideration?

https://bug761179.bugzilla.mozilla.org/attachment.cgi?id=629796

Great to see this issue back on the radar :-) I have thoughts but it's now Friday night here. Will post on Monday.

Gerv

Green has a particular meaning, which is that the real-world identity of the person running the site has been established to a level such that we are comfortable presenting that info to the user. In other words, an EV cert, although a user doesn't need to know that name. I think it would be confusing to blur this distinction. We want users to trust sites based on their owners, not based on their manual attempts to parse the domain name and match it up against what they think the correct domain name is from memory. So ownership display is important.

If we have identified the only problem is that "grey seems like disabled", then we should fix it by returning to a yellow lock, like previous versions of Firefox had.

Otherwise, if we want to do something else, we should probably do so in the wider context of other recent suggestions to find some way of indicating whether a site is using best practices for their SSL connection (see discussions in mozilla.dev.security.policy).

Gerv

Just for information, since it seems difficult to find how old versions were displaying this, here is an article that compares a few browsers back in 2011, in particular FF 3 and 4: http://www.lookout.net/2011/05/how-web-browsers-display-standard-ssl.html

While green indeed has a particular meaning now, it's a meaning that only seems to have appeared when EV certs were introduced, which is also more or less at the time the blue emblem appeared (for non-EV certs). A blue indicator for non-EV HTTPS was used at least in FF 3 and 4, but disappeared some time later. For comparison, Chrome uses green for EV and non-EV, but only displays the owner emblem for EV certs.

I think the biggest problem at the moment is that a plain HTTP site, a site with non-EV HTTPS correctly used, and a site with mixed content all use a little grey icon, so one needs to pay close attention to the shape of the icon, especially on a large screen (and unfortunately, the mixed-content warning can change at any time when using the page if it is caused by an AJAX request).

Are you saying that you don't think the blue emblem is appropriate at all? I don't really mind whether the indicator is blue or yellow, as long as it stands out a bit more than the current grey look. However, yellow can also be used to indicate a problem (the warning triangle for mixed-content attempts or for the inability to check for revocation in Chrome looks yellow to me, although it could be a light shade of orange). As far as I know initial padlocks used to be "gold", which is again a colour quite close to yellow. Blue would at least avoid such confusion.

The other issue, equally important, is to have something a bit more visible for "broken" HTTPS sites that use mixed content (although ideally, those requests to plain HTTP resources from an HTTPS page shouldn't even be made, but that's a different issue). A more visible warning sign (e.g. orange or red) would be good for this.

In addition, in any case (green, blue, yellow, red, ...), the status could be displayed even more prominently to the user by changing the background colour of the URL text (similarly to IE). Perhaps this is more difficult to implement.

(In reply to Gervase Markham [:gerv] from comment #22)
> If we have identified the only problem is that "grey seems like disabled",
> then we should fix it by returning to a yellow lock, like previous versions
> of Firefox had.

Firefox actually used blue previously (as noted by Bruno's link). This confusion is an example of the arbitrariness and confusing nature of using random colors to denote safety/security.

(In reply to Bruno Harbulot from comment #23)
> Are you saying that you don't think the blue emblem is appropriate at all? I
> don't really mind whether the indicator is blue or yellow, as long as it
> stands out a bit more than the current grey look. However, yellow can also
> be used to indicate a problem (the warning triangle for mixed-content
> attempts or for the inability to check for revocation in Chrome looks yellow
> to me, although it could be a light shade of orange). As far as I know
> initial padlocks used to be "gold", which is again a colour quite close to
> yellow. Blue would at least avoid such confusion.

Blue is an arbitrary color that has no outside relation to "good" or "acceptance". As mentioned above, yellow and red are colors that are used often to note danger and warnings.

However, green is often used as "proceed, success, serenity" ("grass is greener...").

We should not move back to having multiple colors. It does nothing but add confusion to which the average user will not understand the reasoning why one color was chosen over another.

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #24)
> Firefox actually used blue previously (as noted by Bruno's link). 

Actually, we used blue during that period of time when we decided to eliminate the lock altogether and go for the "identity chip" style approach. We've never had a blue lock to my recollection.

Having said that, I'm not particularly opposed to returning to the identity chip. I do think the current non-EV lock looks disabled (as do all our grey toolbar buttons, actually). 

> This
> confusion is an example of the arbitrariness and confusing nature of using
> random colors to denote safety/security.

To a degree. First of all, again, EV is about identity, not safety/security. Green is standard across all browsers for validated identity (as was yellow for non-EV before we decided to go for blue). I disagree with Chrome's decision to also use green for the non-EV case, and I don't think we should make things worse.

> Blue is an arbitrary color that has no outside relation to "good" or
> "acceptance". As mentioned above, yellow and red are colors that are used
> often to note danger and warnings.

Depends on your culture; not so in China:
http://www.wikiwand.com/en/Color_in_Chinese_culture
 
Gerv

(In reply to Gervase Markham [:gerv] from comment #22)
> Green has a particular meaning, which is that the real-world identity of the
> person running the site has been established to a level such that we are
> comfortable presenting that info to the user.

That is not what green means. Jared's description is far more accurate. If you look at the Chrome indicator, they make both the lock and the "https" in "https://" green, for both EV and non-EV, to signify pretty directly "HTTPS is good" and less directly "https:// is better than http://." I find the Chrome indicator to be much clearer than the Firefox indicator, exactly because of the color difference between green for HTTPS and grey for HTTP.

> In other words, an EV cert,
> although a user doesn't need to know that name. I think it would be
> confusing to blur this distinction.

Is https://www.facebook.com/ or https://mail.google.com/ less secure than https://www.mtgox.com/? No. Are Facebook and GMail more likely to defraud you than Mt. Gox? I would say "absolutely not" and I think most people would agree, given the history of Mt. Gox. Does the Firefox UI make mtgox.com look more trustworthy than Facebook and GMail? Yes. That means the Firefox UI is misleading.

With the proposed change of making the lock always green, the UI will still be just as "clear" that mtgox.com is operated by MtGox Co. Ltd. (JP) and that nobody has any clue in the world which companies are running facebook.com or google.com, due to the presence/lack of the organization name in the address bar, regardless of the color used.

> We want users to trust sites based on
> their owners, not based on their manual attempts to parse the domain name
> and match it up against what they think the correct domain name is from
> memory. So ownership display is important.

I think that's what *you* want. AFAICT, you are one of very few people that think that that is useful or practical to expect end users to do. There's definitely no consensus agreeing with that. In fact, if there's any consensus at all, it is that Safe Browsing (or equivalent) is a better mechanism for preventing such fraud than EV.

> If we have identified the only problem is that "grey seems like disabled",
> then we should fix it by returning to a yellow lock, like previous versions
> of Firefox had.

Like Jared said, yellow tends to mean "caution" or "be careful." I agree with him that using multiple colors beyond green/gray is too confusing and should be avoided.

> Otherwise, if we want to do something else, we should probably do so in the
> wider context of other recent suggestions to find some way of indicating
> whether a site is using best practices for their SSL connection (see
> discussions in mozilla.dev.security.policy).

I think that that conversation is something to take into consideration when deciding what to do here. However, nothing concrete has come out of that discussion. I think it would be fine to make this change first, and then adjust it after something concrete has come out of that discussion. (Also that's the wrong forum to have that discussion, because it's not an issue about root CA inclusion policy, but a UI and security issue in Firefox.)

(In reply to Gervase Markham [:gerv] from comment #25)
> To a degree. First of all, again, EV is about identity, not safety/security.
> Green is standard across all browsers for validated identity (as was yellow
> for non-EV before we decided to go for blue). I disagree with Chrome's
> decision to also use green for the non-EV case, and I don't think we should
> make things worse.

You don't give a reason for disagreeing with Chrome's use of green for the non-EV case. And, nobody wants to make things worse.

> Depends on your culture; not so in China:
> http://www.wikiwand.com/en/Color_in_Chinese_culture

I don't think the culture-specific connotations should be dismissed out of hand, but the EV indicator is always green, and it is green exactly due to the same green==good thinking.

(In reply to Jared Wein [:jaws] (please needinfo? me) from comment #19)
> Are you OK with us switching the grey padlock to be green in all instances?

No. We did discuss doing this, but decided against it because we didn't want to conflate EV with non-EV.

The grey of the lock was intentionally chosen to match the deemphasized non-domain parts of the URL. It's important to have the encrypted indicator (lock) but we still want the focus to be on the site identity. Which in the non-EV case is only the domain name.

Relevant links: Bug 742419, Bug 747087, SecReview — https://wiki.mozilla.org/Security/Reviews/IdentityBox
Flags: needinfo?(shorlander)

(In reply to Stephen Horlander [:shorlander] from comment #28)
> The grey of the lock was intentionally chosen to match the deemphasized
> non-domain parts of the URL.

(I must say I'm not sure I had noticed the black v.s. grey in the location bar. Now that you mention it, it's there indeed. It doesn't really stand out, though.)

Just to be clear, are you against the idea of making the HTTPS indicators more obvious for non-EV (e.g. something in blue, yellow, green, or anything really that makes it clear that HTTPS is used)? I'm talking about something that should be visible in the corner of your eye on a typical 22" monitor for example.
At the moment, it's fairly easy to browse from page to page casually and be taken from a non-EV HTTPS page to a plain HTTP page or an HTTPS page with mixed content without it being immediately noticeable.

I agree the site's identity is important and showing something can be useful, but EV certs are not the silver bullets that are going to fix all the problems with the PKI system. They seem to be given a disproportionately favourable treatment. Using HTTPS with a site using a non-EV cert isn't necessarily worse than with a site with an EV cert.
Blocks: lockicon
Severity: normal → S3