dria: Firefox 3: Site Identification button

  • Joe Shaw · 1 year ago
    I happened across this a week or so ago, actually, by accident. It's good info, and the "privacy & history" thing is great.

    But the main weakness is that (at least on the Mac) it doesn't look like a button. I would never think to click on it because of that, and because in previous browsers clicking on the favicon simply is like clicking in the location bar. The new style doesn't go far enough to distinguish itself from the previous behavior.
  • LpSolit · 1 year ago
    "If you want to add the exception temporarily, make sure the “Permanently store this exception” checkbox at the bottom of the dialog is unchecked."

    Deb, I always wondered: as the website has a certificate which is suspect, why is the checkbox checked by default? I would have thought that leaving it unchecked by default would be safer.
  • rwg · 1 year ago
    I encourage you to consider the (lack of) accessibility for color blind users. As an example, load your image showing the gray/blue/green icons into your favorite image editor, desaturate the image, and see if you can still determine what each icon represents. The red icon is the only one with any features that distinguish it from the other icons, outside of color.

    A possible fix is to include a symbol at the bottom left of the icons. For example, a question mark on the gray icon to indicate there is no encryption or identity information, a check mark on the green icon to indicate the website's identity was verified, an X on the yellow icon to indicate the certificate is invalid or untrusted, etc. Of course, the symbols then present i18n and l10n issues...
  • Johnathan Nightingale · 1 year ago
    @Richard: If we don't rely on domain-verification, then I can set up camp in a hotel lobby or an airport or wherever people and laptops congregate, and start intercepting traffic to, say, https://www.paypal.com. I can generate my own certificates which claim that I am the real paypal.com, and I can put convincing looking details in. Tools like ettercap make this entire attack point-and-click simple (right down to spoofing the certificate contents).

    The only thing that tells you it's not the real paypal.com is that no trusted third party has signed off on my certificate. When Firefox shows me that the domain has been confirmed, it is saying that this kind of attack is not happening; that the site I am visiting is presenting an up-to-date *and verified* certificate confirming that they are the legitimate owner of that domain.

    As Deb points out, you also really want to know if this website is the "real" paypal - and that's where the distinction between basic and extended verification comes in. A basic certificate is only trusted to confirm the domain name. Some CAs do more work than that, but not in a way we can easily detect and verify. An extended certificate can only be issued by CAs that agree to follow specific practices in terms of identity verification, and to be regularly audited on those practices - for those ones, we can know not only that the real domain owner is in control, but also who that domain owner is.

    Is that a helpful example?
  • Giovanni · 1 year ago
    What about colour blindness? Colour shouldn't be the only difference. A different icon, border, texture, even position could help better.
  • Johnathan Nightingale · 1 year ago
    @LpSolit - That's an interesting question. Certainly it seems on the surface like you wouldn't want to permanently trust a suspicious certificate, right?

    But if a typical user hits this only on a few sites, maybe on their college webmail server and their friend's private photo sharing site, then with permanent exceptions, this UI is a rare thing for them, and probably doesn't habituate them into blind click-through. If the default is temporary and they don't notice to change it, dismissing this warning becomes much more commonplace (just like FF2's dialog box). The best way to help users see the sites they want to see, and notice when a site that used to have valid credentials starts having invalid ones, may well be to default them to permanent exceptions for the ones they know they can trust, so that after a week's browsing, they never see this UI again until something bad happens.

    This approach has another benefit too - if someone ever attempts to attack the college webmail server they've added a permanent exception for, the certificates will no longer match, and the error will come back. So even for a site without a verified identity, exceptions act like a kind of "manual verification" and mean that attempts to attack THAT site also stick out.
  • Natanael L · 1 year ago
    But why not remove the "Permanently store this exception" checkbox and replace the "Confirm Security Exception" button with two buttons:
    "Allow Temporarily" and "Allow Permanently"?
  • Richard · 1 year ago
    Would you give an example of how a domain might be spoofed? How does a certificate prove that the domain hasn't been spoofed?
  • Johnathan Nightingale · 1 year ago
    @rwg, giovanni - We absolutely do consider the accessibility implications of any change to our UI. Deb focused on the color here because it's certainly how most people will experience it, but the popup text is different in each of the three cases, as is the tooltip hover text on the button. The SSL states (green and blue) also contrast more with the background chrome than the default, gray state. We have also made sure that our access keys and screen-reader affordances are wired up properly, so that people with other vision impairments can still make use of the interface.

    I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites. It takes up some location bar space, obviously, and came too late for us to land it in Firefox 3 as a default, but it does give you much more noticeable feedback about the identity of sites you visit.
  • VanillaMozilla · 1 year ago
    If I am not mistaken, the "Invalid certificate" warning is a false alarm, because "self-signed" does not mean "invalid". It just means that (1) the connection is encrypted, and (2) the identity of the site cannot be INDEPENDENTLY verified. If, on the other hand, the user has previously accepted the certificate as valid, then the certificate offers assurance that the site is not forged. Why not just say that instead of raising false alarms?

    I have never seen one of these that was not a false alarm, and I always ignore them. It's quite possible that this will also teach other people to ignore warnings. Instead of attempting to alarm people about "self-signed" certificates, why not just say simply what you DO know about the site? You can still inform people that the site could be a forgery, etc., and that you can add an exception.
  • Josh Pyles · 1 year ago
    Hey guys,

    Interesting idea. I have to say though, that many users aren't going to understand a policeman holding a passport. The concept has too much detail in the icon. The color coding is a great idea though.

    I think it should still be a lock (simplest way to visually explain security) + color coding. I know a thing or two about icons since I've been making them for years, and this is my best suggestion.

    I also agree with VanillaMozilla who points out that many times the self-signed certificates are a mistake and that users will be trained to ignore the warnings. A better, and perhaps less intrusive way of explaining and handling this would be better.
  • Jonathan Watt · 1 year ago
    VanillaMozilla: if the certificate is self signed (or more generally if it's signed by a certificate authority the browser doesn't know about), there's nothing to stop man in the middle attacks. Your connection is encrypted, sure, but possibly by the guy or gal in the middle. Great! Self signed certificates are bad.
  • Asa Dotzler · 1 year ago
    Josh Pyles, I disagree. The passport officer speaks specifically to identification. The lock speaks to some general idea of safety. Accuracy here is important and the lock is not just imprecise, it's misleading.

    You may have found the simplest way to visually explain security, but when simple isn't meaningful or accurate, then it's probably not a great idea.
  • Tyler · 1 year ago
    Firefox 3 is looking better and better every time I see news updates.
  • Iang · 1 year ago
    Guys, thanks for doing this, I really appreciate it!

    On the issue of self-signed certs: yes, they are tricky. In and of themselves they are better than the next alternative, unencrypted, unidentified comms, and they can be cached for repeat business to overcome MITM fears. But the browser security model was so strongly oriented to external verifiers of identity (CAs) that it will take time for SSCs to find a natural home. Patience, and take comfort in the knowledge that most CAs want you to integrate them because it is needed to expand the regular use of certificates.

    For the record, the first use of the spoof padlock as a favicon was by PGP.com. Oddly enough they didn't realise what they had done.
  • Hans · 1 year ago
    For those wondering how all this stuff works, basically any server can be configured to encrypt data. It's called SSL and your browser and the server will begin talking in encrypted mode, by using public key encryption (they share a little bit of information with each other, enough such that each can decrypt any data passed forth and back). Now, when it comes to certificates, however, this gets more complex. All browsers have a set of pre-programmed accepted certificate authorities and sites will then purchase a certificate from one of these certificate authorities, which has been rubber stamped to be unique and verifiable. Your browser will then accept this certificate without prompting you, whereas just a simple SSL certificate does not contain any certifiable means for the browser to trust that certificate (hence why you would get a warning).
  • VanillaMozilla · 1 year ago
    There are two concepts that are being confused here: encryption and identification. "Self-signed" is not synonymous with "invalid", and if you label it that way, you'll only confuse the user.

    And contrary to what you might think, self-signed certificates are very useful for identification, and can actually PROTECT you against the man in the middle. That certificate is how I can be sure that that's really my Web mail and that there is no MITM.
  • Natanael L · 1 year ago
    You can only protect yourself using self-signed certificates "the second time around" - the very first time you visit the site you will not be able to know if you are seeing the real site or if you are seeing a spoofed site.

    "That site is using a self-signed certificate, just accept it"
    "Ok"
    *Adding exception*
    *Virus contamination + stolen money from some accounts*
    "Oh, somebody did a MITM attack!"

    That's why you have to make sure that you already have all of the details of the certificate on your computer before the first time you visit the site - and you have to make sure that you get that information through a secure channel (not IRC, not email, and the person who gives you the info must be verified, must *know* that it is real, and must be trustable).

    Then you can visit the site and compare all of the info about the certificate with the info you have to make sure that this is the *real self signed certificate*.
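
Added example, not part of any comment in this thread and not Firefox's own code: a small model of the two behaviours discussed above, a stored exception that makes a later certificate change stand out (Johnathan Nightingale's point) and a first-visit check against a fingerprint obtained out of band (Natanael L's point). The `ExceptionStore` class, the host name and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp: str) -> str:
    # Accept "AB:CD", "ab cd" or "abcd" so a fingerprint read out over the
    # phone or copied from paper compares equal to the computed one.
    return fp.replace(":", "").replace(" ", "").lower()


class ExceptionStore:
    """Toy model of per-site certificate exceptions (not Firefox's code)."""

    def __init__(self):
        self._pins = {}  # (host, port) -> normalized fingerprint

    def add_exception(self, host, port, der_cert, expected_fp=None):
        """Pin der_cert for host:port.

        expected_fp is a fingerprint obtained out of band. When given, a
        certificate that does not match it is refused instead of pinned.
        Without it the pin is trust-on-first-use: it only records what was
        presented, which may already be an interceptor's certificate.
        """
        seen = _normalize(fingerprint(der_cert))
        if expected_fp is not None and not hmac.compare_digest(
                seen, _normalize(expected_fp)):
            return False
        self._pins[(host.lower(), port)] = seen
        return True

    def check(self, host, port, der_cert):
        """Return 'no-exception', 'match' or 'mismatch' for a later visit."""
        pinned = self._pins.get((host.lower(), port))
        if pinned is None:
            return "no-exception"
        seen = _normalize(fingerprint(der_cert))
        return "match" if hmac.compare_digest(pinned, seen) else "mismatch"


# Constructed stand-ins for DER certificate bytes; the fingerprint is a hash
# of the encoded certificate, so any two distinct byte strings behave alike.
REAL_CERT = b"constructed: self-signed cert of webmail.college.example"
OTHER_CERT = b"constructed: different cert claiming the same hostname"
HOST = "webmail.college.example"  # hypothetical host


def demo():
    results = {}
    store = ExceptionStore()
    results["before"] = store.check(HOST, 443, REAL_CERT)
    # First visit with an out-of-band fingerprint: a substituted cert is refused.
    oob = fingerprint(REAL_CERT)
    results["first_visit_substituted"] = store.add_exception(HOST, 443, OTHER_CERT, oob)
    results["first_visit_real"] = store.add_exception(HOST, 443, REAL_CERT, oob)
    # Later visits: same cert passes silently, a changed cert brings the error back.
    results["later_same"] = store.check(HOST, 443, REAL_CERT)
    results["later_changed"] = store.check(HOST, 443, OTHER_CERT)
    # Blind trust-on-first-use pins whatever was presented.
    blind = ExceptionStore()
    results["blind_pins_substitute"] = blind.add_exception(HOST, 443, OTHER_CERT)
    results["blind_real_later"] = blind.check(HOST, 443, REAL_CERT)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The last two results show the limit both commenters describe: a pin taken without an out-of-band fingerprint protects later visits only if the first one was not intercepted.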
  • mtl · 1 year ago
    I agree with VanillaMozilla. The warning message is wrong. Self-signed certs are not "invalid".

    There is a problem getting lay users to understand PKI but teaching them things that are blatantly false is not helpful.
  • Andrew · 1 year ago
    The deal with the self signed certs and their false "error" page seems to be a VeriSign tax more than anything else.

    I have never run into a 'fake' self-signed site, they are almost -always- for encryption only, and like many others lurking around here have probably put up hundreds as well.

    This ain't exactly an official FF site, so why am I whining here. Dunno, didn't seem like too many comments to get drowned out in.

    I think it would be better if we could just somehow indicate that the connection is encrypted, which is all I personally care about, separately. I think a lot of this 'self signed' garbage is because of bad browsers telling the user that was what indicated security, rather than having any way to verify the identity or easily view the cert. They took the easy way out for years, and now something that is perfectly fine to use, and is used constantly, is even more of an 'error'!

    Damn, little angry, but I can't count the # of certs I have had to buy for people just to avoid this browser "error". Stupid, but again, I'm sure the feature was paid for by VeriSign.

    //Andrew
  • free php code · 1 year ago
    I agree that there should be a non-colour related difference in the icons. It's so simple to just add a question mark, or an 'x' or whatever.

    I also second (third, fourth) the objection about self-signed certificates; many web control panels, e.g. Plesk, self-sign (or at least have the option to offer self-signed certificates). It also looks like the yellow state works in a similar way to how Google's malicious site blocker works - by interrupting the browsing session. I think a lot of the smaller ecommerce sites will be "broken" by this feature.

    Oh and the guy in the icon looks like he's got a broken arm in a sling, lol :)

    But the idea of improving the padlock=secure mentality is spot on. Most users I'm sure would accept a somewhere on the page as evidence of a "secure" website.
  • Eddy Nigg · 1 year ago
    Self-signed certificates are worse than no certificate at all! Because they give you a false sense of so-called "security". It might be useful if you are the ONLY person accessing the site, but the minute somebody else has to rely on it, it's a very bad idea. If you are the only one using that site, you can add the exception, because you KNOW what you are doing. Some others might as well, because perhaps they received the fingerprint of the certificate by other means than through the web from you. All the rest should not rely on it and get out of there ;-)

    If you are concerned about the costs of a valid certificate, you can get one for free at https://www.startssl.com/
    Nobody makes a profit from it (apparently a concern by so many...), but they are legitimate, validated and valid. You can get as many as you want/need without paying a dime. For more advanced certificates you have to validate your identity/organization which carries a reasonable fee.

    Hope this helps!
  • mario · 1 year ago
    There is nothing wrong about self-signed certificates. They are used for securing the connection (SSL). That's about it.

    All the new UI is doing, is requiring site owners to pay off Verisign for something you ought to have for free. This is not exactly making the web a more secure place.
    So the new Firefox UI is just a new coloring scheme for various levels of "secure" - where the meaning of "secure" isn't as consistent as this article tries to make it look like. (Your explanation contradicts between verified site owner and SSL encryption notifications.)

    Not that this hasn't been brought up before...
  • Studio 2 Web Design · 1 year ago
    This is a great article and very useful. I've posted a link to this page.

    I agree with the comments above, just because something is 'not signed' or 'not secure' it doesn't make them 'invalid'.

    Not all internet users are 'techies' or know the lingo, and what about colourblind or people who cannot see correctly. Does this software have to comply with DDA as websites should?
  • TVSpy · 1 year ago
    It's interesting to note that some of Google's sites fail the security warning; try visiting https://google.com/adsense, it fails in v3b5
  • Ebrahim · 1 year ago
    Every site is hackable, hence no site should be considered trusted.
  • ' · 1 year ago
    @mario
    Did you even try reading the previous comments or are you just trolling?

    @TVSpy
    That's because it, for some reason, is for www.google.com and not google.com which imo is really backwards...
  • Tyler · 1 year ago
    I've been using Firefox 3 beta for a few weeks now and this is really good info, thanks.
  • anaesthetica · 1 year ago
    I had no idea that this button even had a function, as it never occurred to me to click on it. I hope that Mozilla does a good job in publicizing this security function when Fx3.0 is released. I think this is a big step forward in making security both visually easy & present, and yet unobtrusive at the same time.

    I get more and more excited about this release every time I read something new about it.

    I think Mozilla has done a really good job with this release, especially compared to Fx2.0, which seemed to make things a bit too clunky and slow. Fx3.0 has gotten extra features without visual weight, and more importantly without slowing the browsing experience itself down. It seems like everything has gotten a speed bump--rendering, javascript, memory usage, etc. Good work folks.
  • David Waite · 1 year ago
    This looks like a great scheme. The only problems I have with it are around the icons.

    Even with non-color-blind people, the contents of the image are equally important to the color of the image. Green and Blue being the same icon is fine with me (let's face it, EV certs are a total rip-off and only make sense if you just have money to blow. You are basically paying 20x as much to have your company name and icon as part of the cert.). However, the grey icon indicates that you are unsure but still matches the (more) affirmative green and blue icons.

    This is actually the hard part of all of this - even an EV cert doesn't prove that the holder is trustworthy, just that you can figure out who they really are. If I'm starting a malware company, I'll probably wind up springing for an EV cert. So every single icon basically implies a non-binding recommendation to the user, but with unspoken and rarely understood idea that the user is always responsible for determining if they trust the site.

    It would probably make more sense for the yellow and red to be the more traditional warning and stop international signs, and to drop the 'passport agent' metaphor completely for these cases.
  • Bodi · 1 year ago
    Eddy:
    "https:startssl.com" brings up a certificate warning popup... ahh I see... their ssl certificate is self-signed...
    Doesn't it get a bit circular to avoid using a self-signed certificate in order to have SSL by getting a certificate from an "untrusted" issuer who run their own https: site with a self-signed certificate?
  • Chris Lees · 1 year ago
    Thanks for this post. I'm running Firefox 3 beta on Linux and I had no idea what the coloured organisation names were all about. Some user education is in order, I think.
  • hj · 1 year ago
    This "passport officer" icon is an international standardized symbol, isn't it? If so: Where can I find this icon and similar ones? What is "its Homepage"? Who has initially created it? ISO? The UN? Don't know, maybe someone can give me a hint. TIA
  • VanillaMozilla · 1 year ago
    This is all a big step forward, but there's still another problem. Or maybe two problems, depending on how you count. Like many other people, I had no idea that the icon on the URL box was a button, and that it held useful information. Here's what I think is the essence of the problem:

    The icon on the URL box is the same as the icon on the tab. They have different purposes, but there is absolutely no visual clue that they are different. If you really want to be helpful, this should be a recognized symbol that indicates that there is information here. I suggest either the international "i" symbol for information, or a question mark.

    Some may object that if you only have one tab and do not have the tab bar displayed, you won't see the icon for the site, but that's OK. The purpose of the site icon is for convenience only, to distinguish between the tab bars at a glance. If you only have one open tab, there's nothing to distinguish it from. The icon is useless for identification or verification anyway.
  • VanillaMozilla · 1 year ago
    "The gray Site Identity button, along with the fact that the Firefox 3 location bar doesn’t display a padlock in the location bar as a security indicator, makes it obvious that this site is spoofing a padlock and isn’t really encrypted or secure"


    It's not obvious to me. Most users are not going to know these details of the interface, and even if they do, they can have a lapse. The favicon does not belong on the location bar, in my opinion.

    Looking at the features more closely, the color gray is supposed to raise an alarm?!! And how would the average user know where you had or had not moved the padlock to? Remember, you just moved the security information to that point. Now I see the icon has changed to a padlock. How neat. Firefox has changed the icon to tell me it's encrypted. An easy mistake to make.
  • VanillaMozilla · 1 year ago
    Two bug reports filed:
    Bug 433412 – "Larry" button (site ID) needs an informative icon
    Bug 433422 – Self-signed SSL certificates should not be labeled as "invalid"

    Sorry for the comment spam.
  • Eddy Nigg · 1 year ago
    To mario:

    If no third party which is known and has proved to validate domain name ownership (at least) no certificate is worth the digital paper it's written on. Otherwise the MITM will simply use also a self-signed which you'll click through...Except with the new scheme where you add a specific certificate for a specific site, in which case it's your risk if you talk to a MITM, but it will certainly alert you if it happens in the future at some point.

    To Bodi:

    This certainly doesn't happen with any recent Firefox browser. You must be using a different product then...This CA is in later 1.5 versions on upwards.
  • Sorensen · 1 year ago
    Thanks for a, at least for me, very educational article. I have recently updated my Linux dist to Ubuntu 8.04. Mozilla Firefox 3 beta 5, the default browser of this dist, has the identity button. But strangely they have made the background of the button permanently grey. So absolutely no information unless one actually moves the cursor over the button. Maybe the colors did not match the Ubuntu folks' color scheme!? Anyhow it is quite unfortunate - though not your problem ;-)
  • Chris · 1 year ago
    On the Mac, the text in the green identity button is 1px higher than the URL. Was this intentional? It doesn't appear to be that way on Windows.
  • Eric · 1 year ago
    I found the yellow bar very useful and I am extremely disappointed to see it gone.

    The yellow bar was never meant to distinguish between "good" and "evil" sites - it was only there to show that the communication with the site is encrypted. I think it did that job very well and would have liked it to stay. People are used to the yellow indicator for encryption. Why remove it? I don't understand the thinking here and think that the decision to remove it is flawed.

    I also agree with VanillaMozilla above re. self-signed certificates. Encryption and identification are two different things. Why block access to an encrypted site just because the encryption is done by the site owner?

    Also - how would I know that the button is clickable? It is not very obvious. I had no idea until I started searching for info about the missing yellow location bar.
  • Jayson · 1 year ago
    I also second (third, fourth) the objection about self-signed certificates; many web control panels, e.g. Plesk, self-sign (or at least have the option to offer self-signed certificates). It also looks like the yellow state works in a similar way to how Google malicious site blocker works - by interrupting the browsing session. I think a lot of the smaller commerce sites will be “broken” by this feature.
  • Mark · 1 year ago
    Great explanation of the new security features. Thanks! Just wish the encrypted lock was up top rather than the very tiny status bar.
  • Martin · 1 year ago
    Hi!

    How can I as a webmaster fill this information? The site I'm talking of is not a secure site with bank account or something like this. I'm just asking myself how I can fill f.e. the "Owner" or other basic things of this button?

    Thanks
  • pid · 1 year ago
    good work people...really liked your site....it helped me a lot....thanks a lot...