Mark Goodwin wrote:
> So far, Tanvi and I (with the help of Mihai and others) have been
> working on making mixed content issues visible in the web console
> (#737873). We'll be taking this further with some work on showing CSP
> information too (#712859).
Awesome!

> We'd like to start work on providing more SSL diagnostic information
> via the developer console too (e.g. why is the bar not blue / green,
> etc.) but we'd like some input on what form this should take before
> we start filing bugs.

SSL and related information is a property of the connection. So, the first question is, "how can I find information about a connection with our developer tools?" AFAICT, there is currently no way of seeing (a) what connection a request/response was on, (b) for a given connection, what requests/responses were on that connection, (c) what requests on that connection were for the current document, and which were for other documents/tabs, and (d) any metadata about a connection that isn't specific to a particular request.

Firefox will maintain many open connections to the same IP address, and each of these connections could, in theory, have differing SSL properties (even different certificates). When I look at the developer console, I cannot tell which requests were sent on the same connection and which weren't.

If you were to provide a way of visualizing connections, regardless of whether the connection is over SSL or not, the UI for displaying the HTTPS information would fall into place pretty readily. Conversely, if you don't create a UI for connections first, I think it is likely that the display of SSL-related information will be messy and confusing except for the simplest cases.

Also, the mapping between pages/tabs and connections is many-to-many, and it would be useful to know what requests from other tabs are affecting the network connections used for the current tab. For example, if I have a Facebook-Connect-based page loaded in the current tab and I have Facebook loaded in another tab, then it would be useful to know that we are reusing the HTTPS connection from the other tab to get the Facebook Connect button.
Also note that we will create connections (SSL or non-SSL) speculatively, so there may be connections that don't even have any requests sent on them yet.

Such connection handling information is particularly critical for websites that are migrating to SPDY (which always uses SSL), because the connection management is totally different with SPDY (there are possibly even multiple domains per connection) and applications are counting on those differences.

I have imagined that there would be a little colored button in the web console next to the IP address labeled "n" where n is a serial number identifying a connection to the web server (1, 2, 3, 4, etc.). When I click [1] then I would see lots of properties about the connection, including all the SSL information. The button could be colored using the same coloring scheme we use for the site identification block (green == EV, blue == DV, grey == no SSL, with yellow/red used when there is a warning or error). When you click this colored button, some kind of UI for showing the metadata for that connection (SSL certificate, why the button is the color that it is, what kind of revocation checking we did for that connection, etc.) would come up.

Cheers,
Brian
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
