<?xml version="1.0" encoding="utf-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title>dria - Latest Comments in Firefox 3: Site Identification button</title><link>http://dria.disqus.com/</link><description></description><atom:link href="https://dria.disqus.com/firefox_3_site_identification_button/latest.rss" rel="self"></atom:link><language>en</language><lastBuildDate>Wed, 22 Oct 2008 06:44:38 -0000</lastBuildDate><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-3224452</link><description>&lt;p&gt;You can only protect yourself using self signed certificates "the second time around" - the very first time you visit the site you will not be able to know if you are seeing the real site or if you are seeing a spoofed site.&lt;/p&gt;&lt;p&gt;"That site is using a self signed certificate, just accept it"&lt;br&gt;"Ok"&lt;br&gt;*Adding exception*&lt;br&gt;*Virus contamination + stolen money from some accounts*&lt;br&gt;"Oh, somebody did a MITM attack!"&lt;/p&gt;&lt;p&gt;That's why you have to make sure that you already have all of the details of the certificate on your computer before the first time you visit the site - and you have to make sure that you get that information through a secure channel (not IRC, not email, and the person who gives you the info must be verified, must *know* that it is real, and must be trustable).&lt;/p&gt;&lt;p&gt;Then you can visit the site and compare all of the info about the certificate with the info you have to make sure that this is the *real self signed certificate*.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Natanael L</dc:creator><pubDate>Wed, 22 Oct 2008 06:44:38 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-3224315</link><description>&lt;p&gt;But why not remove the "Permanently store this exception" checkbox and replace the 
"Confirm Security Exception" button with two buttons:&lt;br&gt;"Allow Temporarily" and "Allow Permanently"?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Natanael L</dc:creator><pubDate>Wed, 22 Oct 2008 06:35:39 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-2299061</link><description>&lt;p&gt;good work people...really liked your site....it helped me a lot....thanks a lot...&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">pid</dc:creator><pubDate>Fri, 12 Sep 2008 06:41:58 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1519006</link><description>&lt;p&gt;Hi!&lt;/p&gt;&lt;p&gt;How can I as a webmaster fill this Information? The site I'm talking of is not a secure site with bank account or something like this. I'm just asking myself how I can fill f.e. the "Owner" or other basic things of this button?&lt;/p&gt;&lt;p&gt;Thanks&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Martin</dc:creator><pubDate>Sat, 16 Aug 2008 12:05:13 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1470120</link><description>&lt;p&gt;Great explanation of the new security features.  Thanks!  
Just wish the encrypted lock was up top rather than the very tiny status bar.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Mark</dc:creator><pubDate>Fri, 15 Aug 2008 10:36:31 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568084</link><description>&lt;p&gt;I also second (third, fourth) the objection about self-signed certificates; many web control panels, e.g. plesk, self-sign (or at least have the option to offer self-signed certificates). It also looks like the yellow state works in a similar way to how Google malicious site blocker works - by interrupting the browsing session. I think a lot of the smaller commerce sites will be “broken” by this feature.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Jayson</dc:creator><pubDate>Sat, 28 Jun 2008 14:58:51 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568105</link><description>&lt;p&gt;I found the yellow bar very useful and I am extremely disappointed to see it gone.&lt;/p&gt;&lt;p&gt;The yellow bar was never meant to distinguish between "good" and "evil" sites - it was only there to show that the communication with the site is encrypted. I think it did that job very well and would have liked it to stay. People are used to the yellow indicator for encryption. Why remove it? I don't understand the thinking here and think that the decision to remove it is flawed.&lt;/p&gt;&lt;p&gt;I also agree with VanillaMozilla above re. self-signed certificates. Encryption and identification are two different things. Why block access to an encrypted site just because the encryption is done by the site owner?&lt;/p&gt;&lt;p&gt;Also - how would I know that the button is clickable? It is not very obvious. 
I had no idea until I started searching for info about the missing yellow location bar.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eric</dc:creator><pubDate>Wed, 25 Jun 2008 08:45:52 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568101</link><description>&lt;p&gt;On the Mac, the text in the green identity button is 1px higher than the URL. Was this intentional? It doesn't appear to be that way on Windows.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris</dc:creator><pubDate>Fri, 06 Jun 2008 12:34:03 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568085</link><description>&lt;p&gt;Thanks for a, at least for me, very educational article. I have recently updated my Linux dist to Ubuntu 8.04. Mozilla Firefox 3 beta 5, the default browser of this dist, has the identity button. But strangely they have made the background of the button permanently grey. So absolutely no information unless one actually moves the cursor over the button. Maybe the colors did not match the Ubuntu folks' color scheme!? Anyhow it is quite unfortunate - though not your problem ;-)&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sorensen</dc:creator><pubDate>Mon, 19 May 2008 02:16:53 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568086</link><description>&lt;p&gt;To mario:&lt;/p&gt;&lt;p&gt;If no third party which is known and has proved to validate domain name ownership (at least) no certificate is worth the digital paper it's written on. 
Otherwise the MITM will simply use also a self-signed which you'll click through...Except with the new scheme where you add a specific certificate for a specific site, in which case it's your risk if you talk to a MITM, but it will certainly alert you if it happens in the future at some point.&lt;/p&gt;&lt;p&gt;To Bodi:&lt;/p&gt;&lt;p&gt;This certainly doesn't happen with any recent Firefox browser. You must be using a different product then...This CA is in later 1.5 versions on upwards.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eddy Nigg</dc:creator><pubDate>Sun, 18 May 2008 22:03:13 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568088</link><description>&lt;p&gt;Two bug reports filed:&lt;br&gt;Bug 433412 – "Larry" button (site ID) needs an informative icon&lt;br&gt;Bug 433422 – Self-signed SSL certificates should not be labeled as "invalid"&lt;/p&gt;&lt;p&gt;Sorry for the comment spam.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">VanillaMozilla</dc:creator><pubDate>Tue, 13 May 2008 12:52:33 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568087</link><description>&lt;p&gt;"The gray Site Identity button, along with the fact that the Firefox 3 location bar doesn’t display a padlock in the location bar as a security indicator, makes it obvious that this site is spoofing a padlock and isn’t really encrypted or secure"&lt;/p&gt;&lt;p&gt;It's not obvious to me.  Most users are not going to know these details of the interface, and even if they do, they can have a lapse.  The favicon does not belong on the location bar, in my opinion.&lt;/p&gt;&lt;p&gt;Looking at the features more closely, the color gray is supposed to raise an alarm?!!  
And how would the average user know where you had or had not moved the padlock to?  Remember, you just moved the security information to that point.  Now I see the icon has changed to a padlock.  How neat.  Firefox has changed the icon to tell me it's encrypted.  An easy mistake to make.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">VanillaMozilla</dc:creator><pubDate>Tue, 13 May 2008 12:50:08 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568122</link><description>&lt;p&gt;This is all a big step forward, but there's still another problem.  Or maybe two problems, depending on how you count.  Like many other people, I had no idea that the icon on the URL box was a button, and that it held useful information.  Here's what I think is the essence of the problem:&lt;/p&gt;&lt;p&gt;The icon on the URL box is the same as the icon on the tab.  They have different purposes, but there is absolutely no visual clue that they are different.  If you really want to be helpful, this should be a recognized symbol that indicates that there is information here.  I suggest either the international "i" symbol for information, or a question mark.&lt;/p&gt;&lt;p&gt;Some may object that if you only have one tab and do not have the tab bar displayed, you won't see the icon for the site, but that's OK.  The purpose of the site icon is for convenience only, to distinguish between the tab bars at a glance.  If you only have one open tab, there's nothing to distinguish it from.  
The icon is useless for identification or verification anyway.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">VanillaMozilla</dc:creator><pubDate>Mon, 12 May 2008 08:55:17 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568124</link><description>&lt;p&gt;This "passport officer" icon is an international standardized symbol, isn't it? If so: Where can I find this icon and similar ones? What is "its Homepage"? Who has initially created it? ISO? The UN? Don't know, maybe someone can give me a hint. TIA&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">hj</dc:creator><pubDate>Sat, 10 May 2008 05:00:48 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568123</link><description>&lt;p&gt;Thanks for this post. I'm running Firefox 3 beta on Linux and I had no idea what the coloured organisation names were all about. Some user education is in order, I think.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Chris Lees</dc:creator><pubDate>Sat, 10 May 2008 01:26:48 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568090</link><description>&lt;p&gt;Eddy:&lt;br&gt;"&lt;a href="https:startssl.com" rel="nofollow noopener" target="_blank" title="https:startssl.com"&gt;https:startssl.com&lt;/a&gt;" brings up a certificate warning popup... ahh I see... 
their ssl certificate is self-signed...&lt;br&gt;Doesn't it get a bit circular to avoid using a self-signed certificate in order to have SSL by getting a certificate from an "untrusted" issuer who run their own https: site with a self-signed certificate?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Bodi</dc:creator><pubDate>Fri, 09 May 2008 14:20:14 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568103</link><description>&lt;p&gt;This looks like a great scheme. The only problems I have with it are around the icons.&lt;/p&gt;&lt;p&gt;Even with non-color-blind people, the contents of the image are equally important to the color of the image. Green and Blue being the same icon is fine with me (let's face it, EV certs are a total rip-off and only make sense if you just have money to blow. You are basically paying 20x as much to have your company name and icon as part of the cert.). However, the grey icon indicates that you are unsure but still matches the (more) affirmative green and blue icons.&lt;/p&gt;&lt;p&gt;This is actually the hard part of all of this - even an EV cert doesn't prove that the holder is trustworthy, just that you can figure out who they really are. If I'm starting a malware company, I'll probably wind up springing for an EV cert. 
So every single icon basically implies a non-binding recommendation to the user, but with unspoken and rarely understood idea that the user is always responsible for determining if they trust the site.&lt;/p&gt;&lt;p&gt;It would probably make more sense for the yellow and red to be the more traditional warning and stop international signs, and to drop the 'passport agent' metaphor completely for these cases.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">David Waite</dc:creator><pubDate>Thu, 08 May 2008 03:17:12 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568091</link><description>&lt;p&gt;I had no idea that this button even had a function, as it never occurred to me to click on it. I hope that Mozilla does a good job in publicizing this security function when Fx3.0 is released. I think this is a big step forward in making security both visually easy &amp;amp; present, and yet unobtrusive at the same time.&lt;/p&gt;&lt;p&gt;I get more and more excited about this release every time I read something new about it.&lt;/p&gt;&lt;p&gt;I think Mozilla has done a really good job with this release, especially compared to Fx2.0, which seemed to make things a bit too clunky and slow. Fx3.0 has gotten extra features without visual weight, and more importantly without slowing the browsing experience itself down. It seems like everything has gotten a speed bump--rendering, javascript, memory usage, etc. 
Good work folks.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">anaesthetica</dc:creator><pubDate>Wed, 07 May 2008 20:34:55 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568095</link><description>&lt;p&gt;I've been using Firefox 3 beta for a few weeks now and this is really good info, thanks.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Tyler</dc:creator><pubDate>Wed, 07 May 2008 14:05:44 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568094</link><description>&lt;p&gt;@mario&lt;br&gt;Did you even try reading the previous comments or are you just trolling?&lt;/p&gt;&lt;p&gt;@TVSpy&lt;br&gt;That's because it, for some reason, is for &lt;a href="http://www.google.com" rel="nofollow noopener" target="_blank" title="www.google.com"&gt;www.google.com&lt;/a&gt; and not &lt;a href="http://google.com" rel="nofollow noopener" target="_blank" title="google.com"&gt;google.com&lt;/a&gt; which imo is really backwards...&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">'</dc:creator><pubDate>Wed, 07 May 2008 12:55:52 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568093</link><description>&lt;p&gt;Every site is hackable, hence no site should be considered trusted.&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Ebrahim</dc:creator><pubDate>Wed, 07 May 2008 11:46:19 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568092</link><description>&lt;p&gt;It's interesting to note that some of google's sites fail the security warning, try 
visiting &lt;a href="https://google.com/adsense" rel="nofollow noopener" target="_blank" title="https://google.com/adsense"&gt;https://google.com/adsense&lt;/a&gt; it fails in v3b5&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">TVSpy</dc:creator><pubDate>Wed, 07 May 2008 11:44:42 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568096</link><description>&lt;p&gt;This is a great article and very useful.  I've posted a link to this page.&lt;/p&gt;&lt;p&gt;I agree with the comments above, just because something is 'not signed' or 'not secure' it doesn't make them 'invalid'.&lt;/p&gt;&lt;p&gt;Not all internet users are 'techies' or know the lingo, and what about colourblind or people who cannot see correctly.  Does this software have to comply with DDA as websites should?&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Studio 2 Web Design</dc:creator><pubDate>Wed, 07 May 2008 10:38:53 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568097</link><description>&lt;p&gt;There is nothing wrong about self-signed certificates. They are used for securing the connection (SSL). That's about it.&lt;/p&gt;&lt;p&gt;All the new UI is doing, is requiring site owners to pay off Verisign for something you ought to have for free. This is not exactly making the web a more secure place.&lt;br&gt;So the new Firefox UI is just a new coloring scheme for various levels of "secure" - where the meaning of "secure" isn't as consistent as this article tries to make it look like. 
(Your explanation contradicts between verified site owner and SSL encryption notifications.)&lt;/p&gt;&lt;p&gt;Not, that this hasn't been brought up before...&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">mario</dc:creator><pubDate>Wed, 07 May 2008 10:02:11 -0000</pubDate></item><item><title>Re: Firefox 3: Site Identification button</title><link>http://www.dria.org/wordpress/archives/2008/05/06/635/#comment-1568098</link><description>&lt;p&gt;Self-signed certificates are worse than no certificate at all! Because they give you a false sense of so-called "security". It might be useful if you are the ONLY person accessing the site, but the minute somebody else has to rely on it, it's a very bad idea. If you are the only one using that site, you can add the exception, because you KNOW what you are doing. Some others might as well, because perhaps they received the fingerprint of the certificate by other means than through the web from you. All the rest should not rely on it and get out of there ;-)&lt;/p&gt;&lt;p&gt;If you are concerned about the costs of a valid certificate, you can get one for free at &lt;a href="https://www.startssl.com/" rel="nofollow noopener" target="_blank" title="https://www.startssl.com/"&gt;https://www.startssl.com/&lt;/a&gt; &lt;br&gt;Nobody makes a profit from it (apparently a concern by so many...), but they are legitimate, validated and valid. You can get as many as you want/need without paying a dime. For more advanced certificates you have to validate your identity/organization which carries a reasonable fee.&lt;/p&gt;&lt;p&gt;Hope this helps!&lt;/p&gt;</description><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Eddy Nigg</dc:creator><pubDate>Wed, 07 May 2008 07:52:14 -0000</pubDate></item></channel></rss>