136 Comments
- anaesthetica, on 05/06/2008, -2/+130I had no idea that this button even had a function, as it never occurred to me to click on it. I hope that Mozilla does a good job in publicizing this security function when Fx3.0 is released. I think this is a big step forward in making security both visually easy & present, and yet unobtrusive at the same time.
I get more and more excited about this release every time I read something new about it.
I think Mozilla has done a really good job with this release, especially compared to Fx2.0, which seemed to make things a bit too clunky and slow. Fx3.0 has gotten extra features without visual weight, and more importantly without slowing the browsing experience itself down. It seems like everything has gotten a speed bump--rendering, javascript, memory usage, etc. Good work folks.
- inactive, on 08/28/2008, -1/+113you can test a couple here:
verified: https://www.paypal.com/
secure connection: https://www.cia.gov/
attack site: http://www.mozilla.com/firefox/its-an-attack.html
forgery: http://www.mozilla.com/firefox/its-a-trap.html
ssl error: https://mozilla.com/
- flarn2006, on 05/06/2008, -9/+70[ASCII art with the caption "It’s a trap!"]
- Hoov, on 05/06/2008, -2/+48Glad to know the BETA you're BETA'ing is BETArific. Excuse me while I BETA my kids.
- borez, on 05/06/2008, -5/+47The best just got better
- n0odles, on 05/06/2008, -10/+42Mozilla Firefox way ahead of other browsers.
- bonzooznob, on 05/06/2008, -13/+42I just hope it looks half as sexy on Windows as it does on the Mac. ;-)
- sputza, on 05/06/2008, -1/+28I've been using BETA 5 for a while and love it. It's more stable and secure. It's one of the best BETA releases I have ever used out of all the BETA software I have tried. I can't wait for Firefox 3 to go gold.
- duckyinc, on 05/06/2008, -3/+22The red card is currently a pain, there is no way to skip it except for disabling the checks in options. They should add a "I don't care" button.
- inactive, on 05/06/2008, -2/+21Opera is currently my favorite browser, but I think when Firefox comes out of beta, that little O icon is going to get a foxy friend right next to it.
It's looking better and better all the time.
- beltzner, on 05/06/2008, -0/+19Fixed in nightlies. There's now an "Ignore this Warning" link which you can use at your own peril.
- gavins, on 05/06/2008, -0/+17An "Ignore this warning" link was added, after beta 5. See https://bugzilla.mozilla.org/show_bug.cgi?id=42241 ... .
- thegreatanti, on 05/06/2008, -4/+20Firefox is going to own, hard!
- Tyr7BE, on 05/06/2008, -5/+20Are you kidding me? I just tried it on XP and it's just a big square white thing. No transparency no nothing.
- WallnutBoy, on 05/07/2008, -0/+14You're going to share your kids out across the public so that they can test your kids and push them to the extreme in order to find bugs and holes in them? You're one sick *****..
- bluesatin, on 05/06/2008, -2/+15Somebody that isn't a loyal fanboy to a specific piece of software/hardware, surely not!
- apophenic, on 05/06/2008, -2/+13yes a big square white thing is horrible to look at when you're browsing web pages
- beltzner, on 05/06/2008, -0/+11Sure, you know that. And I know that (but only because I've looked into it) but do you think everyone knows that? I can guarantee you that making these things more humane will make it better for everyone.
- asadotzler, on 05/06/2008, -9/+18It does. I'd put it at even slightly sexier on Vista and about equally as sexy on XP.
- centran, on 05/06/2008, -0/+9I am a little pissed about the un-signed screen.
It looks like an error page. I use self-signed ssl certs and when I first saw that screen I was confused.
The whole look needs to change to better explain what is going on and buttons need to be added instead of a tiny web-link. Maybe they could make the "I trust them"/Proceed/Continue button a little smaller so people stop and think.
- Branchex, on 05/06/2008, -1/+10What's scary is that Chase's site only brings up a gray box. It's not like they're a small bank, time to get with the times.
- jjhat1, on 05/06/2008, -8/+16Extended Validation has been a feature in IE7 for a while. This was actually a topic on Security Now recently.
- Ancestor, on 05/06/2008, -0/+8Maybe it's because you're using a beta. These screenshots come from the latest nightly builds.
- bwat47, on 05/06/2008, -2/+9same for vista
- iisdev, on 05/07/2008, -0/+7I applaud the effort but am very disappointed with how self-signed certificates were handled. The author states "they don't mean anything" but later backpedals and admits there are legitimate exceptions.
The problem is that (this portion) of the new (passport cop) feature discriminates against sites that opt to self-sign. When a user requests a page from a self-signed domain that request is (essentially) _hijacked_ by Firefox. The heading that states 'Secure Connection Failed' is incorrect and the text that follows is misleading to the user. A (non) technical user may see the bold heading and immediately close the page. If the user does read the text they are given so little information that an informed choice to 'Add an exception' is unlikely to ever happen unless they possess a certain level of knowledge or they were _specifically_instructed_by_the_web_site_to_do_so_. We can all agree that instructing users to (basically) disregard security related alerts undermines any effort made at keeping them safe. I shudder to think about how many times users were instructed to 'Continue Anyway' when prompted that their software had not passed Windows Logo testing on Windows XP. When they find out that their page requests are being hijacked by Firefox this is *exactly* what those sites are going to be telling the users to do.
There are many sites whose content is politically/culturally/socially sensitive and that communicate over secure connections (more often than not through a self-signed certificate). These sites would absolutely be affected by this new feature and that is more than enough reason to revisit its current implementation.
- tapeworm77, on 05/07/2008, -0/+7WTF?!
- centran, on 05/06/2008, -0/+7they may have another site for when you login.
A lot of banks do that. They put some stupid login on their main page but it just re-directs you to the "true" web banking site. They can't have the cert on the main site because it is meant for the web banking site. It's retarded. They shouldn't even have the login box but just a button that says log-in here that brings you to the correct site.
- mrsteveman1, on 05/06/2008, -1/+8YOU RUINED THE WEB FOR ME
- BesideYouInTime, on 05/06/2008, -1/+7The problem with the attack site blocker is that there doesn't appear to be a good way around it. A few weeks ago I was trying to read a forum that had been blocked as an attack site...when I clicked on the 'more info' button it appeared that the site had been clean for weeks, but yet it was still blocked.
- inactive, on 05/06/2008, -2/+8While I agree with the basic premise that apps should match their respective host OSes, I disagree that Firefox is doing a good job at it. They're still using faked widgets that don't act right. They need to just use Cocoa for the UI, the next release should be at least partially based on Camino.
- gcauthon, on 05/06/2008, -2/+8The whole browser certificate system is hopelessly broken. I've seen large companies that handle large transactions online with completely busted certificates. I've seen certs registered to "changeme.com" or something similar. I've seen expired certs, certs registered to unknown signing authorities and certs registered to the wrong IP address. Obviously, many people continue to hand over their personal financial info without thinking twice. I'm sure their browser at some point gave a warning about a certificate possibly being misconfigured and giving the option to "trust" them anyway. The only thing the browser knows is that it either passes verification or fails, so I'm not sure how they get these lame certificate warning messages with phony explanations. Maybe I'm just too pessimistic...
- Kn1ghtmare, on 05/06/2008, -0/+6Lots of people see the lock and assume it's "safe", it's a bad assumption but it still happens.
- thefinger, on 05/07/2008, -0/+5You obviously have your own mind and your own opinion, irrespective of Digg. Congrats!
- MellerTime, on 05/06/2008, -3/+8Yeah, except for the damned hoops you have to jump through to get into a site that doesn't have a valid SSL certificate.
"Or you can add an exception..." -> "Add Exception..." -> Get Certificate -> Confirm Security Exception.
I'm sorry, but that's re-god-damn-diculous. I'm not going to shell out $400 a year to get SSL certificates to protect all my site login pages, when I'm the only one using them. I know it's not valid, I just want to make sure no one is sniffing my password. SSL was supposed to do just that, not be responsible for validating every site you visit actually belongs to the people they claim to be.
- vagarach, on 05/06/2008, -0/+5And Safari already has it. The Firefox guys should take it upon themselves to right this wrong!
- Enron, on 05/06/2008, -1/+6Passport Officers? This is excellent. It's like having the TSA right inside your browser.
- OneLess, on 05/06/2008, -0/+5Correct me if I'm wrong here, but something like "paypals.com" would not come up as being run by "Paypal Inc. or San Jose, CA" like the legitimate site is. As the article says:
"What’s not verified in this situation is who actually owns the domain in question. There is no guarantee that tdcanadatrust.com is actually owned by the Toronto Dominion Bank. All that is being guaranteed here is that the domain is a valid domain, and my connection to it is encrypted.
If I’m still leery about a site’s identity when it is displaying a blue Site Identification button, I can see more information about the site by clicking the “More information…” button on the Site Identification dialog. Here I can view the site’s identity certificate, whether I’ve visited the site before, and if I have any cookies or passwords stored for the site."
Of course there's no completely automatic protection, but what Mozilla's trying to do is make it easier and more reliable to make sure you're secure.
- stormspire, on 05/06/2008, -0/+4No, the author knew SSL wasn't safe, he was just pointing out that many users see a padlock which they associate with safe.
- HonoredMule, on 05/06/2008, -3/+7Maybe because IE doesn't do nearly as good a job? IE 7 still shows me a padlock on a blue background, some form of warning, or nothing. All they've done is made the certificate information more accessible.
Firefox, on the other hand, has color coded meaning. But the real huge improvement, is the always visible presence of the certificate holder's identity, shown clearly and prominently near but OUTSIDE the url, whenever a site is fully identified. Average users constantly get fooled by an encrypted connection to a spoofed url (like www.paypal.com.phish.co.uk/blahblahblah...), and blocklists are delayed, reactionary measures. Such spoofing tactics won't succeed if the average joe becomes accustomed to expecting site identity outside the url and page itself, and Firefox has well designed itself to condition users with exactly that expectation. Firefox is also making a much clearer distinction between "secure connection" and "verified identity."
- aldenhg, on 05/07/2008, -0/+4My BETA fish might want to join the party.
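Added example, not part of any comment in this thread: the spoofed-host case mentioned above (www.paypal.com.phish.co.uk) comes down to which part of a hostname is the registrable domain, and this sketch flags a brand label that sits outside it. The suffix set is a small constructed subset of the Public Suffix List, and the `BRANDS` watch list and function names are hypothetical.

```javascript
// Constructed subset of the Public Suffix List; a real check would load the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk", "org.uk"]);

// Hypothetical watch list: brand label -> the registrable domain that brand really uses.
const BRANDS = new Map([["paypal", "paypal.com"], ["chase", "chase.com"]]);

// Return the registrable domain: the longest matching public suffix plus one label.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (let i = 0; i < labels.length; i++) {
    // Scanning from the left tries the longest candidate suffix first.
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix or IP literal: no claim made
}

// Encryption says nothing about who owns the host, so compare any brand label
// in the hostname against the domain that actually controls it.
function assessUrl(rawUrl) {
  const url = new URL(rawUrl);
  const labels = url.hostname.toLowerCase().split(".");
  const domain = registrableDomain(url.hostname);
  const findings = [];
  if (url.protocol !== "https:") findings.push("not-encrypted");
  if (domain === null) findings.push("unknown-suffix");
  for (const [brand, owner] of BRANDS) {
    if (labels.includes(brand) && domain !== owner) {
      findings.push(`brand-mismatch:${brand}`);
    }
  }
  return { host: url.hostname, registrableDomain: domain, findings };
}

// Constructed sample inputs; the first host is the one quoted in the thread.
for (const u of [
  "https://www.paypal.com.phish.co.uk/blahblahblah",
  "https://www.paypal.com/",
  "https://chaseonline.chase.com/",
]) {
  console.log(JSON.stringify(assessUrl(u)));
}
```

A near-miss name such as paypals.com contains no exact brand label and passes this check, so it complements rather than replaces an identity indicator shown outside the URL.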
- rebug, on 05/06/2008, -1/+5Porn mode is definitely a win for Safari.
Not trying to rub it in or anything :)
- caspy7, on 05/06/2008, -1/+5I think I read that that's something for FF4.
- inactive, on 05/07/2008, -1/+5Red makes most people think "This is bad", whereas gray could mean "I'm not sure, but I'm not going to say yes or no just yet."
- skmice2, on 05/06/2008, -2/+6I would really love that ASCII image to come up after opening the mozilla site -- I was (a bit) expecting it to be there !
- Soave, on 05/07/2008, -0/+3Just like in real life, internet women are more vulnerable than men.
- MellerTime, on 05/06/2008, -1/+4Browser vendors maintain a list of 'root authorities' that issue SSL certs that are considered valid authorities for that purpose. If the root authority is not on their internal list of valid authorities, it will display a message similar to the one you get when you visit a page that's self-signed telling you it's not signed by a company "you" trust.
So you can't just create your own SSL certificate and fake your way through the browser's verification.
- MellerTime, on 05/06/2008, -0/+3Their little login form actually POSTs to https://chaseonline.chase.com/, which does have a valid SSL cert (although not extended verification).
Yet another example here of how relying on SSL for any type of identity verification is stupid, especially when it's only done for the current address.
- zwaldowski, on 05/06/2008, -1/+4@bwat47: You must be using an old version of the beta. Vista's theme has slightly rounded edges just like the native widgets. XP's theme, unfortunately, also follows the native widget scheme.
- HonoredMule, on 05/06/2008, -0/+3I don't think you quite get it. A valid (as in 3rd-party verified) security certificate requires verifiable human/corporate identity. You won't likely be able to hijack someone else's server and use your own certificate, nor can you alter the verified "owner" of the remote site's certificate. It also means you can't acquire the "valid" certificate without generating (through the transfer of funds in purchasing the certificate) a paper trail that makes performing the phishing operation WITHOUT GETTING CAUGHT impossible.
(Even getting that far assumes the company issuing the certificate is stupid enough to blindly give one out to someone paying from a personal or offshore account for the www.papals.com address who claims without verification to represent Paypal the actual organization...and thus destroy the reputation on which their business depends).
- Kavok, on 05/07/2008, -0/+3I'm pretty sure he was talking about SSL certificates, not a license to own a website.