
Re: Chrome will start marking HTTP pages as "Not secure"


Martin Thomson

Feb 8, 2018, 7:55:44 PM
to Chris Peterson, dev-platform, firefox-dev
+ffxdev

There's a tangible difference between text saying "Not Secure" and a
broken lock icon. I think that we're close, but we'd be making a
stronger statement than Chrome if we did this.

On Fri, Feb 9, 2018 at 8:17 AM, Chris Peterson <cpet...@mozilla.com> wrote:
> Chrome will start marking HTTP pages as "Not secure" in July 2018 (Chrome
> 68):
>
> https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html
>
> Firefox has a similar insecure HTTP warning icon, currently disabled by the
> `security.insecure_connection_icon.enabled` pref added in bug 1310447.
>
> Are there any blockers for Firefox shipping this feature?
> _______________________________________________
> dev-platform mailing list
> dev-pl...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-platform

Tom Schuster

Feb 9, 2018, 9:02:46 AM
to Martin Thomson, Chris Peterson, dev-platform, firefox-dev
If you flip just security.insecure_connection_text.enabled and not
security.insecure_connection_icon.enabled you get Chrome's behavior.
Flipping both gives you the broken lock and the "Not Secure" text. I
don't see a big difference there and I hope we can ship this as soon
as possible.

Jonathan Kingston

Feb 9, 2018, 10:36:51 AM
to Tom Schuster, Chris Peterson, Martin Thomson, firefox-dev, dev-platform
Hey,

So we have two issues here:
- We have less testing on security.insecure_connection_text.enabled
- security.insecure_connection_icon.enabled is a lot heavier handed as MT
notes and also we use this for insecure passwords too.

We also have the pbmode variants if we wanted both enabled when in Private
Browsing mode.

We are discussing the impact of shipping the "Not Secure" text with product
at the moment which is likely much safer to ship right now.

Thanks
Jonathan

Johann Hofmann

Feb 9, 2018, 10:52:05 AM
to Jonathan Kingston, dev-platform, Chris Peterson, Tom Schuster, Martin Thomson, firefox-dev
Yeah, there's a team working on this stuff (and they/we have been in
touch with the Chrome people for a long time) and this is not a call we
should make on a mailing list. There's a valid concern around warning
fatigue (plastering so many sites with "Insecure" that users easily
dismiss it) and we made those prefs to be able to run user studies on it.

I believe the original question was whether there are any blockers to
shipping this in Firefox right now. Technically? No. We should still
give product the chance to take a good look at the potential impact and
how it works in our design concept and not make this a race to the moon.

Thanks

Johann

Karl Dubost

Feb 11, 2018, 5:58:30 PM
to Johann Hofmann, Martin Thomson, Jonathan Kingston, firefox-dev, Chris Peterson, Tom Schuster, dev-platform
Johann,

On Feb 10, 2018, at 00:51, Johann Hofmann <jhof...@mozilla.com> wrote:
> There's a valid concern around warning fatigue (plastering so many sites with "Insecure" that users easily dismiss it) and we made those prefs to be able to run user studies on it.


Did Mozilla run UX studies about it? If yes, links would be appreciated.

Secure/Insecure intuitively seems to me a wrong metaphor. Or more exactly a metaphor which has been carried away too long and has now lost its meaning. Some HTTPS sites are/will not be secure. And some HTTP sites will be more innocuous than some HTTPS sites.



--
Karl Dubost, mozilla 💡 Webcompat
http://www.la-grange.net/karl/moz

Bram Pitoyo

Feb 11, 2018, 8:55:37 PM
to Karl Dubost, firefox-dev, dev-platform, jsa...@mozilla.com, Francis Djabri, Jonathan Kingston, Johann Hofmann, Chris Peterson, Tom Schuster, Martin Thomson
I’ve forwarded this conversation thread to our UX researcher and designer,
Francis and Jacqueline. If we’ve run any studies, they’d be able to link us
to a report.

Francis Djabri

Feb 12, 2018, 11:59:53 AM
to Bram Pitoyo, Karl Dubost, firefox-dev, dev-platform, Jacqueline Savory, Jonathan Kingston, Johann Hofmann, Chris Peterson, Tom Schuster, Martin Thomson
We haven't run any studies on security indicators as yet.
--

*Francis Djabri*
Firefox User Research
e: fdj...@mozilla.com
+1 (415) 696-2786