use a different "padlock" icon for SSL PFS ciphers

Status: RESOLVED DUPLICATE of bug 942136
Severity: enhancement
Reporter: 5rgz6ni02 (Unassigned)
Version: Trunk
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment
Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0 (Beta/Release)
Build ID: 2013051000

Steps to reproduce:

Visit different https:// sites.


Actual results:

A padlock is shown; a green padlock is shown if the site has an EV certificate.


Expected results:

A different padlock should be shown depending on whether a PFS or non-PFS cipher is being used.

In the light of recent disclosures it is important for the user to make sure that a PFS cipher is in use before engaging in sensitive private communication.
See http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html for details.
(Reporter)

Updated

5 years ago
Severity: normal → enhancement
(Reporter)

Updated

5 years ago
Component: Untriaged → Security

Comment 1

5 years ago
I'm not sure whether it should be a different lock icon or perhaps its own icon next to it. While PFS is indeed important to secure the connection, there are other important vectors to consider too, such as SSL attacks (secure renegotiation, BEAST attack, CRIME attack, etc.), weak ciphers like RC4, SSL/TLS version, and mixed content. Perhaps it's best to expand the 'pop-up' when you click the lock icon with more details. Currently it only says the name of the CA and cipher, e.g. AES 256 bit. I suggest adding more details like AES 256 with CBC, SHA-1 message authentication and RSA 1024 bit key exchange, and also PFS enabled or not, TLS version, mixed content if applicable, insecure renegotiation if applicable, Strict Transport Security, verified by OCSP or not, and lastly perhaps OCSP stapling.
OS: Linux → All
Hardware: x86_64 → All
Version: 21 Branch → Trunk
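Both the reporter's request (a padlock that depends on whether the negotiated suite gives forward secrecy) and Comment 1's wish for a breakdown into key exchange, cipher and MAC come down to reading the cipher-suite name the connection negotiated. The following is an added example, not code from Firefox or from this bug: it classifies IANA cipher-suite names in Python; the `FS_KEX` and `WEAK_TOKENS` sets are my own choice of tokens, OpenSSL-style names are rejected, and the TLS version itself would have to come from the connection rather than the name.

```python
"""Classify an IANA TLS cipher-suite name into key exchange, authentication,
cipher, MAC/PRF hash, forward secrecy, and the padlock state a UI could show."""

# Key-exchange tokens whose keys are ephemeral, i.e. provide forward secrecy.
FS_KEX = {"ECDHE", "DHE"}
# Tokens that mark a suite as weak regardless of its key exchange.
WEAK_TOKENS = {"NULL", "RC4", "DES", "3DES", "EXPORT", "MD5", "anon"}


def classify_suite(name: str) -> dict:
    """Split a name such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256.

    TLS 1.3 names (TLS_AES_128_GCM_SHA256) carry no key-exchange part
    because TLS 1.3 always uses ephemeral (EC)DH, so they are FS by design.
    """
    if not name.startswith("TLS_"):
        raise ValueError(f"not an IANA cipher-suite name: {name!r}")
    body = name[len("TLS_"):]
    if "_WITH_" in body:
        kex_auth, cipher_mac = body.split("_WITH_", 1)
        parts = kex_auth.split("_")
        # "RSA" alone means RSA does both key exchange and authentication.
        kex, auth = (parts[0], parts[-1]) if len(parts) > 1 else (parts[0], parts[0])
        fs = kex in FS_KEX
    else:  # TLS 1.3 suite
        cipher_mac, kex, auth, fs = body, "ECDHE/DHE (implicit)", "certificate/PSK", True
    # Last token is the HMAC hash for CBC suites and the PRF hash for AEAD suites.
    cipher, mac = cipher_mac.rsplit("_", 1)
    tokens = set(body.replace("_WITH_", "_").split("_"))
    return {"kex": kex, "auth": auth, "cipher": cipher, "mac": mac,
            "forward_secrecy": fs, "weak": sorted(tokens & WEAK_TOKENS)}


def padlock_state(name: str) -> str:
    """Indicator a UI could show for the negotiated suite: 'weak', 'no-pfs' or 'pfs'."""
    info = classify_suite(name)
    if info["weak"]:
        return "weak"
    return "pfs" if info["forward_secrecy"] else "no-pfs"


if __name__ == "__main__":
    # Constructed sample: suites a TLS 1.2/1.3 server might negotiate.
    for suite in ("TLS_RSA_WITH_AES_256_CBC_SHA",
                  "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                  "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
                  "TLS_AES_256_GCM_SHA384"):
        print(f"{suite:45} {padlock_state(suite):7} {classify_suite(suite)}")
```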

Comment 2

5 years ago
Created attachment 801407 [details]
cipherInfo.png

Agreed, the current "Technical Details" would not allow you to notice that the site below doesn't offer any cipher with forward secrecy - please mention the exact cipher used!

https://www.ssllabs.com/ssltest/analyze.html?d=www.whitehouse.gov&s=184.51.104.110

see also bug 244746 and bug 636419

Comment 3

5 years ago
The same thoughts apply to Thunderbird - or at least a plugin should find an interface to get the raw information to work on this: bug 878749

Comment 4

5 years ago
See also the Calomel SSL Validation extension; it's frustrated by Firefox not propagating enough SSL connection metadata.
https://forums.mozilla.org/addons/viewtopic.php?f=7&t=14680
Resolving as a dupe of bug 942136. This bug is newer, bug 942136 would subsume this.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 942136