still have some questions.

“That site are using a self signed certificate, just accept it”
“Ok”
*Adding exception*
*Virus contamination + stolen money from some accounts*
“Oh, somebody did a MITM attack!”

That's why you have to make sure that you already have all of the details of the certificate on your computer before the first time you visit the site – and you have to make sure that you get that information trough a secure channel (not IRC, not email, and the person who gives you the info must be verified, must *know* that it is real, and must be trustable).

Then you can visit the site and compare all of the info about the certificate with the info you have to make sure that this is the *real self signed certificate*.

How can I as a webmaster fill this Information? The site Im talking of is not a secure site with bank account or something like this. I´m just asking myself how I can fill f.e. the “Owner” or other basic things of this button?

Thnaks

The yellow bar was never meant to distinguish between “good” and “evil” sites – it was only there to show that the communication with the site is encrypted. I think it did that job very well and would have liked it to stay. People are used the the yellow indicator for encryption. Why remove it? I don’t understand the thinking here and think that the decision to remove it is flawed.

I also agree with VanillaMozilla above re. self-signed certificates. Encryption and identification are two different things. Why block access to an encrypted site just because the encryption is done by the site owner?

Also – how would I know that the button is clickable? It is not very obvious. I had no idea until I started searching for info about the missing yellow location bar.

If no third party which is known and has proved to validate domain name ownership (at least) no certificate is worth the digital paper it’s written on. Otherwise the MITM will simply use also a self-signed which you’ll click through…Except with the new scheme where you add a specific certificate for a specific site, in which case it’s your risk if you talk to a MITM, but it will certainly alert you if it happens in the future at some point.

To Bodi:

This certainly doesn’t happen with any recent Firefox browser. You must be using a different product then…This CA is in later 1.5 versions on upwards.

Sorry for the comment spam.

It’s not obvious to me. Most users are not going to know these details of the interface, and even if they do, they can have a lapse. The favicon does not belong on the location bar, in my opinion.

Looking at the features more closely, the color gray is supposed to raise an alarm?!! And how would the average user know where you had or had not moved the padlock to? Remember, you just moved the security information to that point. Now I see the icon has changed to a padlock. How neat. Firefox has changed the icon to tell me it’s encrypted. An easy mistake to make.

The ikon on the URL box is the same as the icon on the tab. They have different purposes, but there is absolutely no visual clue that they are different. If you really want to be helpful, this should be a recognized symbol that indicates that there is information here. I suggest either the international “i” symbol for information, or a question mark.

Some may object that if you only one tab and do not have the tab bar displayed, you won’t see the ikon for the site, but that’s OK. The purpose of the site ikon is for convenience only, to distinguish between the tab bars at a glance. If you only have one open tab, there’s nothing to distinguish it from. The ikon is useless for identification or verification anyway.

Deb Richardson from Mozilla has written up her latest introduction to Firefox 3’s upcoming new features, this time describing the “Site Identity” button. Is this the death of the padlock?…

Even with non-color-blind people, the contents of the image are equally important to the color of the image. Green and Blue being the same icon is fine with me (lets face it, EV certs are a total rip-off and only make sense if you just have money to blow. You are basically paying 20x as much to have your company name and icon as part of the cert.). However, The grey icon indicates that you are unsure but still matches the (more) affirmative green and blue icons.

This is actually the hard part of all of this – even an EV cert doesn’t prove that the holder is trustworthy, just that you can figure out who they really are. If I’m starting a malware company, I’ll probably wind up springing for an EV cert. So every single icon basically implies a non-binding recommendation to the user, but with unspoken and rarely understood idea that the user is always responsible for determining if they trust the site.

It would probably make more sense for the yellow and red to be the more traditional warning and stop international signs, and to drop the ‘passport agent’ metaphor completely for these cases.

I get more and more excited about this release every time I read something new about it.

I think Mozilla has done a really good job with this release, especially compared to Fx2.0, which seemed to make things a bit too clunky and slow. Fx3.0 has gotten extra features without visual weight, and more importantly without slowing the browsing experience itself down. It seems like everything has gotten a speed bump–rendering, javascript, memory usage, etc. Good work folks.