Firefox 3: Site Identification button


[I use a Mac, so all the images in this post are of the Mac user interface. The UI for other platforms will differ slightly. Click on pictures to view other sizes. French translation of this article now available!]

Ensuring that users are safe, secure, and protected while they browse the Web is one of the greatest challenges facing browser makers. Browser security involves a delicate balance between protecting the user from the dangers that exist on the Web and overly restricting the user’s freedom to go where she wants and see what she wants while surfing.

One of my favorite new Firefox 3 security features is the Site Identification button. This button replaces and builds upon the ubiquitous “padlock” icon that has for so long been the primary security indicator used in browsers. Firefox 2, for example, indicates that the connection to a site is encrypted by changing the background color of the location bar and displaying a padlock icon.

[Image: fx2-paypal-locbar]

There is a major problem with the padlock, however, in that a lot of people believe that it means more than it really does. I certainly thought so until I had a long chat with Johnathan Nightingale (Mozilla’s security UI guru and lead imagineer for this feature) who explained to me that the padlock simply means “encrypted” rather than “safe”. Where the padlock has a very specific meaning related to browser security, I had given it a deeper, broader meaning that it didn’t really deserve.

So, what’s the difference between “encrypted” and “safe”? It turns out that it’s not actually that hard to set up a site that will get your browser to display a padlock. In fact, it’s easy enough that essentially anyone can do it, including bad guys who are just out to steal your credit card info, identity, and whatever else they can get. So the padlock means “encrypted” but doesn’t say anything about the validity of the domain, nor about the identity of the people at the other end of the encrypted connection.

It’s even possible to easily spoof a padlock of sorts, as demonstrated here:

[Image: fx2-emergentchaos-locbar]

The padlock isn’t in the right place, and it isn’t even quite the right padlock, but many users wouldn’t notice, falling back on the learned-but-not-quite-correct “padlock equals safe” assumption. It’s a very simple and imperfect spoof (they just have a padlock favicon for the website), but it’s enough to confuse and trick some users. Clearly things need to be improved.

How Firefox 3 makes things better

This is where the new Firefox 3 Site Identification Button comes in. Rather than just displaying a little padlock somewhere, Firefox 3 finds out as much as it can about the site you’re browsing and makes that information easily accessible through a single click of a button at the left end of the location bar.

[Image: site-identification-button2]

The button can be one of three colors — gray, blue, or green — and displays the new Site Identification dialog when clicked. The dialog includes a matching gray, blue, or green “Passport Officer” icon, and shows a summary of the information available about the site’s identity.

[Image: gray-blue-green-icons]

So, instead of having a single indicator that a connection is either encrypted or not (the padlock), Firefox 3 presents you with information that covers a range of different security levels.

Here’s what the various colors mean:

Gray – No identity information

[Image: gray-icon]

The gray Site Identification button indicates that the site doesn’t provide any identity information at all. Also, the connection between the browser and the server is either unencrypted or only partially encrypted, and should not be considered safe against possible eavesdroppers.

Most of the Web will have the gray button, because most sites don’t involve passing sensitive information back and forth and don’t really need to have verified identities or encrypted connections. So, gray is fine for the majority of sites.

Note: If you’re sending any sort of sensitive information (bank information, credit card data, Social Security Numbers, etc.) the Site Identification button should not be gray.

[Image: fx3-gray-dialog]

The gray Site Identification button, together with the fact that Firefox 3 no longer displays a padlock in the location bar as a security indicator, makes it obvious that this site is spoofing a padlock and isn’t really encrypted or secure:

[Image: fx3-emergentchaos-locbar]

Blue – Basic identity information

[Image: blue-icon]

The blue Site Identification button indicates that the site’s domain has been verified, and the connection between the browser and the server is encrypted and therefore protected against eavesdroppers.

When a domain has been verified, it means that the people who are running the site have bought a certificate proving that they own the domain and it is not being spoofed. For example, my bank’s site has this sort of certificate and an encrypted connection, so it displays a blue Site Identification button. When I click on the Site Identification button, it tells me that the easyweb.tdcanadatrust.com site is verified to be part of tdcanadatrust.com, as certified by RSA Data Security Inc. It also assures me that the connection is encrypted so no one can eavesdrop on the connection and steal my bank login information that way.

[Image: fx3-blue-dialog]

What’s not verified in this situation is who actually owns the domain in question. There is no guarantee that tdcanadatrust.com is actually owned by the Toronto Dominion Bank. All that is being guaranteed here is that the domain is a valid domain, and my connection to it is encrypted.

If I’m still leery about a site’s identity when it is displaying a blue Site Identification button, I can see more information about the site by clicking the “More information…” button on the Site Identification dialog. Here I can view the site’s identity certificate, whether I’ve visited the site before, and if I have any cookies or passwords stored for the site.

[Image: tdct-pageinfo-dialog-cropped]

This is the “Privacy and History” section of the security information displayed by the “More information…” button. Firefox 3 is here telling me that I’ve visited the site 94 times since I last cleared my browser history, that my browser is storing at least one cookie for the site, and that I have no saved passwords for the site. All of this information fits with my expectations, so I’m confident that this site is the site I think it is, and can now go about my banking more or less worry-free.

Green – Complete identity information

[Image: green-icon]

The green Site Identification button indicates that the site provides fully verified identity information about its owner, and that the connection is encrypted.

If a site has a green Site Identification button it means that it is using a new “Extended Validation certificate” (EV). You can read all about EV certificates at the link above, but to make a long story a little shorter, EV certificates are a special type of site validation certificate that requires a significantly more rigorous identity verification process than other types of certificate. So, while the blue Site Identification button indicates that a site’s domain is not being spoofed but does not have any verified information about who actually owns the domain, the green Site Identification button indicates that the domain is valid and that the owners of the domain are who you would expect them to be.

With the EV certificate, the Site Identification button assures you that paypal.com is owned by Paypal Inc., for example. Not only does the Site Identification button go green on the Paypal site, it also expands and displays the name of the owner in the button itself. The Site Identification dialog presents further detailed information.

[Image: fx3-green-dialog]

To contrast, here’s what Firefox 2 does when it is on the paypal.com site:

[Image: fx2-paypal-locbar]

If I click on the padlock, it brings up this Page Info:

[Image: fx2-paypal-pageinfo]

Compared to the Firefox 3 Site Identification information, the Firefox 2 padlock and Page Info dialog aren’t exactly enlightening.

But wait, there’s more!

The Passport Officer icon also appears in two other colors, but not as part of the Site Identification button.

Yellow – Invalid identity certificate

[Image: yellow-icon]

One thing you may encounter while surfing with Firefox 3 is a page that has a yellow Passport Officer icon. While the Site Identification button doesn’t have a “yellow” state, the Passport Officer icon will appear when there is some sort of problem with a site’s identity certificate.

[Image: fx3-selfsigned-warning]

The page above is actually generated by Firefox 3 itself, and its purpose is to block you from going to a site that has an invalid identity certificate. Just like driver’s licenses and passports, site identifications need to be renewed or they expire. And just like only you can use your passport, each web site should present the credentials belonging to that site.

In the case pictured above, the problem being warned about is that the site has a “self signed” identity certificate. On the Web, self signed certificates are like passports you made at home — they don’t mean anything, no one’s verified them, and while maybe the information on them is real, Firefox wants you to know that the passport has not been validated.

There are many perfectly valid sites that use self signed certificates simply so they can support encrypted connections to the server, and are not doing anything untoward or nefarious at all. This is why Firefox 3 allows you to add exceptions for sites who have self signed certificates that you know are not trying to trick you. Adding an exception is a simple process that only needs to be done once for each site encountered.

At the bottom of the “Secure Connection Failed” page that is blocking access to the site (shown above), there is a link that reads, “Or you can add an exception…”. Click this, and it shows the following to verify that this is what you really want to do:

[Image: fx3-selfsigned-adding-exception-step1]

Click the “Add Exception…” button there, and you’ll see this dialog, where you complete the process:

[Image: fx3-selfsigned-adding-exception-step2]

If you want to add the exception temporarily, make sure the “Permanently store this exception” checkbox at the bottom of the dialog is unchecked. Then click “Confirm Security Exception”, and Firefox 3 will no longer block you from visiting the page.
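To make the exception semantics concrete, here is an added Python model (not Firefox’s own code) of a per-site exception store: each exception is bound to the fingerprint of the exact certificate the user confirmed, temporary exceptions disappear when the session ends, and a site that later presents a different certificate is blocked again. The host names and “certificate” bytes are constructed stand-ins for real DER certificates.

```python
# Added illustration (not Mozilla code): a model of how Firefox 3's
# per-site certificate exceptions behave. Host names and "certificate"
# bytes below are constructed stand-ins for real DER certificates.
import hashlib


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated hex."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class ExceptionStore:
    """Exceptions are keyed by host and bound to one exact certificate.

    A temporary exception lives only for the current session; a permanent
    one survives restarts. Either kind silences the warning only for the
    certificate that was confirmed, so a changed certificate is noticed.
    """

    def __init__(self) -> None:
        self._permanent: dict[str, str] = {}
        self._temporary: dict[str, str] = {}

    def add_exception(self, host: str, cert_der: bytes, permanent: bool) -> None:
        """What 'Confirm Security Exception' does, given the checkbox state."""
        fp = fingerprint(cert_der)
        if permanent:
            self._permanent[host] = fp
            self._temporary.pop(host, None)
        else:
            self._temporary[host] = fp

    def end_session(self) -> None:
        """Closing the browser drops every temporary exception."""
        self._temporary.clear()

    def check(self, host: str, cert_der: bytes, chain_trusted: bool) -> str:
        """Decide what the user sees for this host and certificate.

        chain_trusted is the result of ordinary validation against the
        built-in CAs (True for a domain-verified or EV site). Returns:
          "verified"        - normal blue/green state, no exception needed
          "exception"       - invalid cert, but this exact cert was confirmed
          "blocked"         - invalid cert, no exception on file
          "blocked-changed" - an exception exists, but for a different cert
        """
        if chain_trusted:
            return "verified"
        stored = self._temporary.get(host) or self._permanent.get(host)
        if stored is None:
            return "blocked"
        return "exception" if stored == fingerprint(cert_der) else "blocked-changed"


def scenario() -> list:
    """Walk through the flows described in the post and return the states seen."""
    store = ExceptionStore()
    webmail_cert = b"constructed: self-signed cert for webmail.example"
    photos_cert = b"constructed: self-signed cert for photos.example"
    other_cert = b"constructed: a different cert presented for webmail.example"
    states = []

    # 1. First visit to a self-signed site: the "Secure Connection Failed" page.
    states.append(store.check("webmail.example", webmail_cert, False))
    # 2. The user confirms a permanent exception; the site now loads.
    store.add_exception("webmail.example", webmail_cert, permanent=True)
    states.append(store.check("webmail.example", webmail_cert, False))
    # 3. A temporary exception (checkbox unchecked) for another site.
    store.add_exception("photos.example", photos_cert, permanent=False)
    states.append(store.check("photos.example", photos_cert, False))
    # 4. After a restart the temporary exception is gone; the permanent one stays.
    store.end_session()
    states.append(store.check("photos.example", photos_cert, False))
    states.append(store.check("webmail.example", webmail_cert, False))
    # 5. The excepted host presents a different certificate: the warning returns.
    states.append(store.check("webmail.example", other_cert, False))
    # 6. A site whose chain validates never needs an exception at all.
    states.append(store.check("bank.example", b"constructed: CA-signed cert", True))
    return states


if __name__ == "__main__":
    for state in scenario():
        print(state)
```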

The yellow Passport Officer icon will appear in other situations as well, all related to there being a problem with the site’s identity certificate. The warning page will clearly explain what’s wrong and what you should do about it.

Red – Reported attack site

[Image: red-icon]

There is also a stern red Passport Officer icon who carries a little stop sign rather than a passport. This is part of Firefox 3’s Malware and Phishing protection system that protects users against reported attack sites, but I’ll talk about that stuff in a later blog post. For now, be assured that if you encounter the red Passport Officer, he’s protecting you from potential attacks and is only here to help.

The Firefox 3 system — with its Site Identification button, Site Identification dialog, much friendlier security-related Page Information, and invalid certificate warning pages — is vastly superior to older systems that relied so heavily on the padlock. Not only have the security indicators been expanded and improved, it’s also now much easier to understand the levels of security being encountered while surfing the Web. No system is perfect, of course, but Firefox 3 makes some extremely important and valuable strides towards improving user safety and security on the Web.


67 Responses to “Firefox 3: Site Identification button”

  1. Richard Says:
    May 6th, 2008 at 10:58 am

    Would you give an example of how a domain might be spoofed? How does a certificate prove that the domain hasn’t been spoofed?

  2. Joe Shaw Says:
    May 6th, 2008 at 11:10 am

    I happened across this a week or so ago, actually, by accident. It’s good info, and the “privacy & history” thing is great.

    But the main weakness is that (at least on the Mac) it doesn’t look like a button. I would never think to click on it because of that, and because in previous browsers clicking on the favicon simply is like clicking in the location bar. The new style doesn’t go far enough to distinguish itself from the previous behavior.

  3. LpSolit Says:
    May 6th, 2008 at 11:10 am

    “If you want to add the exception temporarily, make sure the “Permanently store this exception” checkbox at the bottom of the dialog is unchecked.”

    Deb, I always wondered: as the website has a certificate which is suspect, why is the checkbox checked by default? I would have thought that leaving it unchecked by default would be safer.

  4. rwg Says:
    May 6th, 2008 at 11:14 am

    I encourage you to consider the (lack of) accessibility for color blind users. As an example, load your image showing the gray/blue/green icons into your favorite image editor, desaturate the image, and see if you can still determine what each icon represents. The red icon is the only one with any features that distinguish it from the other icons, outside of color.

    A possible fix is to include a symbol at the bottom left of the icons. For example, a question mark on the gray icon to indicate there is no encryption or identity information, a check mark on the green icon to indicate the website’s identity was verified, an X on the yellow icon to indicate the certificate is invalid or untrusted, etc. Of course, the symbols then present i18n and l10n issues…

  5. Johnathan Nightingale Says:
    May 6th, 2008 at 11:16 am

    @Richard: If we don’t rely on domain-verification, then I can set up camp in a hotel lobby or an airport or wherever people and laptops congregate, and start intercepting traffic to, say, https://www.paypal.com. I can generate my own certificates which claim that I am the real paypal.com, and I can put convincing looking details in. Tools like ettercap make this entire attack point-and-click simple (right down to spoofing the certificate contents).

    The only thing that tells you it’s not the real paypal.com is that no trusted third party has signed off on my certificate. When Firefox shows me that the domain has been confirmed, it is saying that this kind of attack is not happening; that the site I am visiting is presenting an up-to-date *and verified* certificate confirming that they are the legitimate owner of that domain.

    As Deb points out, you also really want to know if this website is the “real” paypal – and that’s where the distinction between basic and extended verification comes in. A basic certificate is only trusted to confirm the domain name. Some CAs do more work than that, but not in a way we can easily detect and verify. An extended certificate can only be issued by CAs that agree to follow specific practices in terms of identity verification, and to be regularly audited on those practices – for those ones, we can know not only that the real domain owner is in control, but also who that domain owner is.

    Is that a helpful example?

  6. Giovanni Says:
    May 6th, 2008 at 11:31 am

    What about colour blindness? Colour shouldn’t be the only difference. A different icon, border, texture, even position could help better.

  7. Johnathan Nightingale Says:
    May 6th, 2008 at 11:42 am

    @LpSolit – That’s an interesting question. Certainly it seems on the surface like you wouldn’t want to permanently trust a suspicious certificate, right?

    But if a typical user hits this only on a few sites, maybe on their college webmail server and their friend’s private photo sharing site, then with permanent exceptions, this UI is a rare thing for them, and probably doesn’t habituate them into blind click-through. If the default is temporary and they don’t notice to change it, dismissing this warning becomes much more commonplace (just like FF2’s dialog box). The best way to help users see the sites they want to see, and notice when a site that used to have valid credentials starts having invalid ones, may well be to default them to permanent exceptions for the ones they know they can trust, so that after a week’s browsing, they never see this UI again until something bad happens.

    This approach has another benefit too – if someone ever attempts to attack the college webmail server they’ve added a permanent exception for, the certificates will no longer match, and the error will come back. So even for a site without a verified identity, exceptions act like a kind of “manual verification” and mean that attempts to attack THAT site also stick out.

  8. Johnathan Nightingale Says:
    May 6th, 2008 at 11:49 am

    @rwg, giovanni – We absolutely do consider the accessibility implications of any change to our UI. Deb focused on the color here because it’s certainly how most people will experience it, but the popup text is different in each of the three cases, as is the tooltip hover text on the button. The SSL states (green and blue) also contrast more with the background chrome than the default, gray state. We have also made sure that our access keys and screen-reader affordances are wired up properly, so that people with other vision impairments can still make use of the interface.

    I would recommend that color blind users (or others, for that matter) also consider changing the browser.identity.ssl_domain_display pref in about:config. Changing this from 0 to 1 causes the verified domain to be displayed in the button for basic-identification sites. It takes up some location bar space, obviously, and came too late for us to land it in Firefox 3 as a default, but it does give you much more noticeable feedback about the identity of sites you visit.

  9. About Larry Says:
    May 6th, 2008 at 12:16 pm

    [...] post like this for a while, and maybe I still will, but in the meantime Deb has done a great job of introducing the world to Larry.  Her writing is enviably clearer than my own, so you should go check it out right [...]

  11. VanillaMozilla Says:
    May 6th, 2008 at 4:00 pm

    If I am not mistaken, the “Invalid certificate” warning is a false alarm, because “self-signed” does not mean “invalid”. It just means (1) that the connection is encrypted, and (2) that the identity of the site cannot be INDEPENDENTLY verified. If, on the other hand, the user has previously accepted the certificate as valid, then the certificate offers assurance that the site is not forged. Why not just say that instead of raising false alarms?

    I have never seen one of these that was not a false alarm, and I always ignore them. It’s quite possible that this will also teach other people to ignore warnings. Instead of attempting to alarm people about “self-signed” certificates, why not just say simply what you DO know about the site? You can still inform people that the site could be a forgery, etc., and that you can add an exception.

  12. Josh Pyles Says:
    May 6th, 2008 at 5:19 pm

    Hey guys,

    Interesting idea. I have to say though, that many users aren’t going to understand a policeman holding a passport. The concept has too much detail in the icon. The color coding is a great idea though.

    I think it should still be a lock (simplest way to visually explain security) + color coding. I know a thing or two about icons since I’ve been making them for years, and this is my best suggestion.

    I also agree with VanillaMozilla who points out that many times the self-signed certificates are a mistake and that users will be trained to ignore the warnings. A better, and perhaps less intrusive way of explaining and handling this would be better.

  13. Jonathan Watt Says:
    May 6th, 2008 at 5:46 pm

    VanillaMozilla: if the certificate is self signed (or more generally if it’s signed by a certificate authority the browser doesn’t know about), there’s nothing to stop man in the middle attacks. Your connection is encrypted, sure, but possibly by the guy or gal in the middle. Great! Self signed certificates are bad.

  15. Asa Dotzler Says:
    May 6th, 2008 at 6:21 pm

    Josh Pyles, I disagree. The passport officer speaks specifically to identification. The lock speaks to some general idea of safety. Accuracy here is important and the lock is not just imprecise, it’s misleading.

    You may have found the simplest way to visually explain security, but when simple isn’t meaningful or accurate, then it’s probably not a great idea.

  16. Tyler Says:
    May 6th, 2008 at 6:43 pm

    Firefox 3 is looking better and better every time I see news updates.

  17. Iang Says:
    May 6th, 2008 at 6:45 pm

    Guys, thanks for doing this, I really appreciate it!

    On the issue of self-signed certs: yes, they are tricky. In and of themselves they are better than the next alternative, unencrypted, unidentified comms, and they can be cached for repeat business to overcome MITM fears. But the browser security model was so strongly oriented to external verifiers of identity (CAs) that it will take time for SSCs to find a natural home. Patience, and take comfort in the knowledge that most CAs want you to integrate them because it is needed to expand the regular use of certificates.

    For the record, the first use of the spoof padlock as a favicon was by PGP.com. Oddly enough they didn’t realise what they had done.

  19. Hans Says:
    May 6th, 2008 at 7:27 pm

    For those wondering how all this stuff works, basically any server can be configured to encrypt data. It’s called SSL and your browser and the server will begin talking in encrypted mode, by using public key encryption (they share a little bit of information with each other, enough such that each can decrypt any data passed forth and back). Now, when it comes to certificates, however, this gets more complex. All browsers have a set of pre-programmed accepted certificate authorities and sites will then purchase a certificate from one of these certificate authorities, which has been rubber stamped to be unique and verifiable. Your browser will then accept this certificate without prompting you, whereas just a simple SSL certificate does not contain any certifiable means for the browser to trust that certificate (hence why you would get a warning).

  20. VanillaMozilla Says:
    May 6th, 2008 at 8:26 pm

    There are two concepts that are being confused here: encryption and identification. “Self-signed” is not synonymous with “invalid”, and if you label it that way, you’ll only confuse the user.

    And contrary to what you might think, self-signed certificates are very useful for identification, and can actually PROTECT you against the man in the middle. That certificate is how I can be sure that that’s really my Web mail and that there is no MITM.

  21. mtl Says:
    May 7th, 2008 at 12:27 am

    I agree with VanillaMozilla. The warning message is wrong. Self-signed certs are not “invalid”.

    There is a problem getting lay users to understand PKI but teaching them things that are blatantly false is not helpful.

  24. Andrew Says:
    May 7th, 2008 at 3:02 am

    The deal with the self signed certs and their false “error” page seems to be a verisign tax more than anything else.

    I have never run into a ‘fake’ self-signed site, they are almost -always- for encryption only, and like many others lurking around here have probably put up hundreds as well.

    This ain’t exactly an official FF site, so why am I whining here? Dunno, didn’t seem like too many comments to get drowned out in.

    I think it would be better if we could just somehow indicate that the connection is encrypted, which is all I personally care about, separately. I think a lot of this ‘self signed’ garbage is because of bad browsers telling the user that was what indicated security, rather than having any way to verify the identity or easily view the cert. They took the easy way out for years, and now something that is perfectly fine to use, and is used constantly, is even more of an ‘error’!

    Damn, little angry, but I can’t count the # of certs I have had to buy for people just to avoid this browser “error”. Stupid, but again, I’m sure the feature was paid for by verisign.

    //Andrew

  25. free php code Says:
    May 7th, 2008 at 4:37 am

    I agree that there should be a non-colour related difference in the icons. It’s so simple to just add a question mark, or an ‘x’ or whatever.

    I also second (third, fourth) the objection about self-signed certificates; many web control panels, e.g. Plesk, self-sign (or at least have the option to offer self-signed certificates). It also looks like the yellow state works in a similar way to how Google’s malicious site blocker works – by interrupting the browsing session. I think a lot of the smaller ecommerce sites will be “broken” by this feature.

    Oh and the guy in the icon looks like he’s got a broken arm in a sling, lol :)

    But the idea of improving the padlock=secure mentality is spot on. Most users I’m sure would accept a somewhere on the page as evidence of a “secure” website.

  26. Eddy Nigg Says:
    May 7th, 2008 at 7:52 am

    Self-signed certificates are worse than no certificate at all! Because they give you a false sense of so-called “security”. It might be useful if you are the ONLY person accessing the site, but the minute somebody else has to rely on it, it’s a very bad idea. If you are the only one using that site, you can add the exception, because you KNOW what you are doing. Some others might as well, because perhaps they received the fingerprint of the certificate by other means than through the web from you. All the rest should not rely on it and get out of there ;-)

    If you are concerned about the costs of a valid certificate, you can get one for free at https://www.startssl.com/
    Nobody makes a profit from it (apparently a concern by so many…), but they are legitimate, validated and valid. You can get as many as you want/need without paying a dime. For more advanced certificates you have to validate your identity/organization which carries a reasonable fee.

    Hope this helps!

  27. mario Says:
    May 7th, 2008 at 10:02 am

    There is nothing wrong about self-signed certificates. They are used for securing the connection (SSL). That’s about it.

    All the new UI is doing, is requiring site owners to pay off Verisign for something you ought to have for free. This is not exactly making the web a more secure place.
    So the new Firefox UI is just a new coloring scheme for various levels of “secure” – where the meaning of “secure” isn’t as consistent as this article tries to make it look like. (Your explanation contradicts between verified site owner and SSL encryption notifications.)

    Not, that this hasn’t been brought up before…

  28. Studio 2 Web Design Says:
    May 7th, 2008 at 10:38 am

    This is a great article and very useful. I’ve posted a link to this page.

    I agree with the comments above, just because something is ‘not signed’ or ‘not secure’ it doesn’t make them ‘invalid’.

    Not all internet users are ‘techies’ or know the lingo, and what about colourblind people or people who cannot see correctly? Does this software have to comply with the DDA as websites should?

  30. TVSpy Says:
    May 7th, 2008 at 11:44 am

    It’s interesting to note that some of Google’s sites fail the security warning; try visiting https://google.com/adsense, it fails in v3b5.

  31. Ebrahim Says:
    May 7th, 2008 at 11:46 am

    Every site is hackable, hence no site should be considered trusted.

  32. ' Says:
    May 7th, 2008 at 12:55 pm

    @mario
    Did you even try reading the previous comments or are you just trolling?

    @TVSpy
    That’s because it, for some reason, is for http://www.google.com and not google.com which imo is really backwards…

  33. Tyler Says:
    May 7th, 2008 at 2:05 pm

    I’ve been using Firefox 3 beta for a few weeks now and this is really good info, thanks.

  35. anaesthetica Says:
    May 7th, 2008 at 8:34 pm

    I had no idea that this button even had a function, as it never occurred to me to click on it. I hope that Mozilla does a good job in publicizing this security function when Fx3.0 is released. I think this is a big step forward in making security both visually easy & present, and yet unobtrusive at the same time.

    I get more and more excited about this release every time I read something new about it.

    I think Mozilla has done a really good job with this release, especially compared to Fx2.0, which seemed to make things a bit too clunky and slow. Fx3.0 has gotten extra features without visual weight, and more importantly without slowing the browsing experience itself down. It seems like everything has gotten a speed bump–rendering, javascript, memory usage, etc. Good work folks.

  36. David Waite Says:
    May 8th, 2008 at 3:17 am

    This looks like a great scheme. The only problems I have with it are around the icons.

    Even with non-color-blind people, the contents of the image are equally important to the color of the image. Green and Blue being the same icon is fine with me (let’s face it, EV certs are a total rip-off and only make sense if you just have money to blow. You are basically paying 20x as much to have your company name and icon as part of the cert.). However, the grey icon indicates that you are unsure but still matches the (more) affirmative green and blue icons.

    This is actually the hard part of all of this – even an EV cert doesn’t prove that the holder is trustworthy, just that you can figure out who they really are. If I’m starting a malware company, I’ll probably wind up springing for an EV cert. So every single icon basically implies a non-binding recommendation to the user, but with unspoken and rarely understood idea that the user is always responsible for determining if they trust the site.

    It would probably make more sense for the yellow and red to be the more traditional warning and stop international signs, and to drop the ‘passport agent’ metaphor completely for these cases.

  37. Upstream Connections - SEO » Firefox 3.0 close to RC… Says:
    May 8th, 2008 at 8:38 am

    [...] be it Internet Explorer, FF, Opera, Safari or any other: “more secure” – citing the Site Identification button as its most visually obvious upgrade – “easier to use”, “more personal”, [...]

  38. Bodi Says:
    May 9th, 2008 at 2:20 pm

    Eddy:
    “https:startssl.com” brings up a certificate warning popup… ahh I see… their ssl certificate is self-signed…
    Doesn’t it get a bit circular to avoid using a self-signed certificate in order to have SSL by getting a certificate from an “untrusted” issuer who run their own https: site with a self-signed certificate?

  39. Chris Lees Says:
    May 10th, 2008 at 1:26 am

    Thanks for this post. I’m running Firefox 3 beta on Linux and I had no idea what the coloured organisation names were all about. Some user education is in order, I think.

  40. hj Says:
    May 10th, 2008 at 5:00 am

    This “passport officer” icon is an international standardized symbol, isn’t it? If so: Where can I find this icon and similar ones? What is “its Homepage”? Who has initially created it? ISO? The UN? Don’t know, maybe someone can give me a hint. TIA

  41. pligg.com Says:
    May 11th, 2008 at 9:22 am

    dria.org » Blog Archive » Firefox 3: Site Identification button…

    Deb Richardson from Mozilla has written up her latest introduction to Firefox 3’s upcoming new features, this time describing the “Site Identity” button. Is this the death of the padlock?…

  42. VanillaMozilla Says:
    May 12th, 2008 at 8:55 am

    This is all a big step forward, but there’s still another problem. Or maybe two problems, depending on how you count. Like many other people, I had no idea that the icon on the URL box was a button, and that it held useful information. Here’s what I think is the essence of the problem:

    The icon on the URL box is the same as the icon on the tab. They have different purposes, but there is absolutely no visual clue that they are different. If you really want to be helpful, this should be a recognized symbol that indicates that there is information here. I suggest either the international “i” symbol for information, or a question mark.

    Some may object that if you only have one tab and do not have the tab bar displayed, you won’t see the icon for the site, but that’s OK. The purpose of the site icon is for convenience only, to distinguish between the tab bars at a glance. If you only have one open tab, there’s nothing to distinguish it from. The icon is useless for identification or verification anyway.

  43. Just Browsing » Browser Bits and Bobs for May 12, 2008 Says:
    May 12th, 2008 at 3:18 pm

    [...] Richardson elucidates the new Firefox site identification button. Besides the practical merit of this feature, it is a fascinating study in communicating [...]

  44. VanillaMozilla Says:
    May 13th, 2008 at 12:50 pm

    “The gray Site Identity button, along with the fact that the Firefox 3 location bar doesn’t display a padlock in the location bar as a security indicator, makes it obvious that this site is spoofing a padlock and isn’t really encrypted or secure”

    It’s not obvious to me. Most users are not going to know these details of the interface, and even if they do, they can have a lapse. The favicon does not belong on the location bar, in my opinion.

    Looking at the features more closely, the color gray is supposed to raise an alarm?!! And how would the average user know where you had or had not moved the padlock to? Remember, you just moved the security information to that point. Now I see the icon has changed to a padlock. How neat. Firefox has changed the icon to tell me it’s encrypted. An easy mistake to make.

  45. VanillaMozilla Says:
    May 13th, 2008 at 12:52 pm

    Two bug reports filed:
    Bug 433412 – “Larry” button (site ID) needs an informative icon
    Bug 433422 – Self-signed SSL certificates should not be labeled as “invalid”

    Sorry for the comment spam.

  46. Chat Marchet News Digest » The Identity Button - Firefox 3’s New Security UI Says:
    May 16th, 2008 at 1:14 am

    [...] The whole scoop. This entry was posted on Friday, May 16th, 2008 at 2:12 am and is filed under le Chat Marchet. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site. [...]

  47. » Secure banking The Chris Gonyea Project Says:
    May 18th, 2008 at 10:51 am

    [...] site identification button now shows up green when I log into my online banking page. They also now use 256-bit [...]

  48. Eddy Nigg Says:
    May 18th, 2008 at 10:03 pm

    To mario:

    If there is no third party which is known and has proved to validate domain name ownership (at least), no certificate is worth the digital paper it’s written on. Otherwise the MITM will simply also use a self-signed one which you’ll click through… Except with the new scheme where you add a specific certificate for a specific site, in which case it’s your risk if you talk to a MITM, but it will certainly alert you if it happens in the future at some point.

    To Bodi:

    This certainly doesn’t happen with any recent Firefox browser. You must be using a different product then… This CA is in later 1.5 versions onwards.

  49. Sorensen Says:
    May 19th, 2008 at 2:16 am

    Thanks for a, at least for me, very educational article. I have recently updated my Linux distro to Ubuntu 8.04. Mozilla Firefox 3 beta 5, the default browser of this distro, has the identity button. But strangely they have made the background of the button permanently grey. So absolutely no information unless one actually moves the cursor over the button. Maybe the colors did not match the Ubuntu folks’ color scheme!? Anyhow it is quite unfortunate – though not your problem ;-)

  50. meandering wildly Says:
    May 21st, 2008 at 12:23 pm

    [...] it can be hard to tell your bank’s real web site from one of these fakes.  Firefox 3 includes some features to help you do that, but really, it would be far better to just not go there in the first place.  That’s why we keep [...]

  51. Mozilla in Asia » Blog Archive » Firefox 3: UTF-8 support in location bar Says:
    May 23rd, 2008 at 4:17 am

    [...] smart location bar (a.k.a. Awesomebar), the new bookmarks functionality, color profile support, the site identification button, the 3 new themes, to name just a [...]

  52. Chris Says:
    June 6th, 2008 at 12:34 pm

    On the Mac, the text in the green identity button is 1px higher than the URL. Was this intentional? It doesn’t appear to be that way on Windows.

  53. Eric Says:
    June 25th, 2008 at 8:45 am

    I found the yellow bar very useful and I am extremely disappointed to see it gone.

    The yellow bar was never meant to distinguish between “good” and “evil” sites – it was only there to show that the communication with the site is encrypted. I think it did that job very well and would have liked it to stay. People are used to the yellow indicator for encryption. Why remove it? I don’t understand the thinking here and think that the decision to remove it is flawed.

    I also agree with VanillaMozilla above re. self-signed certificates. Encryption and identification are two different things. Why block access to an encrypted site just because the encryption is done by the site owner?

    Also – how would I know that the button is clickable? It is not very obvious. I had no idea until I started searching for info about the missing yellow location bar.

  54. Jayson Says:
    June 28th, 2008 at 2:58 pm

    I also second (third, fourth) the objection about self-signed certificates; many web control panels, e.g. Plesk, self-sign (or at least have the option to offer self-signed certificates). It also looks like the yellow state works in a similar way to how Google’s malicious site blocker works – by interrupting the browsing session. I think a lot of the smaller commerce sites will be “broken” by this feature.

  55. Mark Says:
    August 15th, 2008 at 10:36 am

    Great explanation of the new security features. Thanks! Just wish the encrypted lock was up top rather than the very tiny status bar.

  56. Martin Says:
    August 16th, 2008 at 12:05 pm

    Hi!

    How can I, as a webmaster, fill in this information? The site I’m talking about is not a secure site with bank accounts or something like this. I’m just asking myself how I can fill in, for example, the “Owner” or other basic things of this button?

    Thanks

  57. pid Says:
    September 12th, 2008 at 6:41 am

    Good work, people… really liked your site… it helped me a lot… thanks a lot…

  58. Natanael_L Says:
    October 22nd, 2008 at 6:35 am

    But why not remove the “Permanently store this exception” checkbox and replace the “Confirm Security Exception” button with two buttons:
    “Allow Temporarily” and “Allow Permanently”?

  59. Natanael_L Says:
    October 22nd, 2008 at 6:44 am

    You can only protect yourself using self signed certificates “the second time around” – the very first time you visit the site you will not be able to know if you are seeing the real site or if you are seeing a spoofed site.

    “That site is using a self signed certificate, just accept it”
    “Ok”
    *Adding exception*
    *Virus contamination + stolen money from some accounts*
    “Oh, somebody did a MITM attack!”

    That’s why you have to make sure that you already have all of the details of the certificate on your computer before the first time you visit the site – and you have to make sure that you get that information through a secure channel (not IRC, not email, and the person who gives you the info must be verified, must *know* that it is real, and must be trustable).

    Then you can visit the site and compare all of the info about the certificate with the info you have to make sure that this is the *real self signed certificate*.
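    The check described in the two comments above (and the per-site certificate exception Eddy Nigg mentions in comment 48) amounts to certificate pinning: obtain the certificate's fingerprint from a verified out-of-band source before the first connection, then refuse any presented certificate whose fingerprint differs. The Go program below is an added example written for this thread, not code from this post or from Firefox. It uses only the standard library; the hostname bank.example and both self-signed certificates are constructed in-process, with the second certificate standing in for what an interposed server would present.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert issues a throwaway self-signed certificate for host.
// This is constructed test data standing in for a real site's certificate.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Fingerprint returns the hex SHA-256 of the certificate's DER encoding:
// the value an administrator hands out over a verified channel.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// PinStore maps a host to the single fingerprint obtained out of band.
type PinStore map[string]string

var (
	ErrNoPin       = errors.New("no out-of-band fingerprint for host: first contact cannot be verified")
	ErrPinMismatch = errors.New("presented certificate does not match the pinned fingerprint")
)

// Verify accepts the presented certificate only if a pin exists for host and
// matches it exactly. An unknown host is an error rather than a silent
// trust-on-first-use, which is the failure mode the comment warns about.
func (p PinStore) Verify(host string, presented *x509.Certificate) error {
	pinned, ok := p[host]
	if !ok {
		return ErrNoPin
	}
	if subtle.ConstantTimeCompare([]byte(pinned), []byte(Fingerprint(presented))) != 1 {
		return ErrPinMismatch
	}
	return nil
}

func main() {
	legit, err := selfSignedCert("bank.example") // hypothetical host
	if err != nil {
		panic(err)
	}
	impostor, err := selfSignedCert("bank.example") // same name, different key
	if err != nil {
		panic(err)
	}
	// The pin is recorded from the out-of-band fingerprint before any visit.
	pins := PinStore{"bank.example": Fingerprint(legit)}
	fmt.Println("pinned:", Fingerprint(legit))
	fmt.Println("genuine certificate:", pins.Verify("bank.example", legit))
	fmt.Println("impostor certificate:", pins.Verify("bank.example", impostor))
	fmt.Println("unpinned host:", pins.Verify("other.example", legit))
}
```

    Note that the comparison is on the whole DER-encoded certificate, so a certificate reissued with the same key but a new validity period produces a new fingerprint and must be re-pinned through the same out-of-band channel.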

  60. Wonen en huizen in Duitsland Says:
    November 5th, 2008 at 9:49 am

    Thanks for the work, people, it helped me a lot.

    still have some questions.

  61. depannage_informatique Says:
    November 8th, 2008 at 4:05 pm

    What about colour blindness? Colour shouldn't be the only difference. A different icon, border, texture, even position could help better.

  62. Firefox for Maemo RC3 Out Now | LoveMyNokia.com Says:
    January 28th, 2010 at 1:45 pm

    [...] Web site ID (“Larry”): Tap on a site favicon for an instant identity [...]

  63. Firefox Mobile for Maemo now available | Mobile Phone News Says:
    January 31st, 2010 at 8:28 am

    [...] and installing add-ons for a fully empowered mobile browsing experience * Instant Web site ID (“Larry”): Tap on a site favicon for an instant identity overview * Password manager: Typing passwords on [...]

  64. Interview with a 419 Scammer « meandering wildly Says:
    February 11th, 2010 at 11:41 am

    [...] scaring users away from specific attack situations. I hope we’ll continue to build tools like Larry which try to give people some affirmative context as well, to lend some nuance to their sense of [...]

  65. Firefox for Maemo RC3 Out Now Says:
    April 9th, 2010 at 3:22 pm

    [...] Web site ID (“Larry”): Tap on a site favicon for an instant identity [...]

  66. New features in Firefox mobile (but a working Android version’s a ways away) « Android Junkies Says:
    April 15th, 2010 at 5:00 pm

    [...] Yes, pretty much like they do in the desktop application. The highlights here are easily the site identity information (above) and the save as PDF feature of [...]

  67. New features in Firefox mobile (but a working Android version’s a ways away) | TMI Tech News Says:
    April 16th, 2010 at 7:48 am

    [...] Yes, pretty much like they do in the desktop application. The highlights here are easily the site identity information (above) and the save as PDF feature of [...]
