It is very unfortunate that we have changed indicators so many times. I don't like having to train and retrain users about security. It is already confusing enough.

One of the problems with the favicon in FF4-FF13 was that websites could set whatever favicon they wanted (including a lock). Since other browsers continued to use the lock indicator, a lock favicon could trick the user into thinking the page was SSL when it's not.

We are trying to avoid training and retraining users. In FF14, we were going to have a Mixed Content Icon (see https://people.mozilla.com/~tvyas/SiteIdentity-Option1-triangle.jpg), but reverted that change for precisely this reason. We are trying to find the right mixed content experience and UI. Hence, we don't want to train users to look for this triangle icon if we may change it and then have to retrain them. We'd rather take our time to find the right solution and stop changing it.

I personally think it would be great if we could coordinate with other browsers and all use the same or similar security indicators, so that users would only have to learn them once regardless of which browser they are on.

~Tanvi


On 7/20/12 10:27 AM, Gervase Markham wrote:
> On 20/07/12 09:39, Jan Schejbal wrote:
> Except for 2010, every year since 2008 has had at least one significant
> change to the SSL indicator. This means that each time we finally
> managed to teach users what to look for, that changed.
> And what we've ended up with now is an indicator that's really hard to
> see :-(
>
> Training users is hard. Training users to look for SSL indicators is
> even harder, as not only do all browsers use different indicators, they
> also change all the time. Users trained to ignore locks in the favicon
> location (due to spoofing) will now need to be re-trained to look and
> trust just in the place they had been trained not to trust.
>
> The damage has already been done, so it is pointless discussing the
> change or reverting it, that would just cause more chaos. Just please
> strongly consider ceasing to change the SSL indicators every year.
I feel your pain.

Gerv

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security

On 7/20/12 1:39 AM, Jan Schejbal wrote:
Hi,
in Firefox 2, the SSL indicator was a yellow background in the address
bar. This was replaced by a blue background for the favicon in Firefox
3, quickly followed by also displaying the domain to prevent spoofing in
Firefox 3.5. All this time, there was a lock indicator in the status bar
that users could be referred to (although in Firefox 3.5, it lost the
domain name that had been shown next to the lock in Firefox).

In Firefox 4, the lock indicator was removed together with the status
bar. Now, in Firefox 14, the lock returns to the place where the favicon
was, banishing the favicon to the tab header.

Except for 2010, every year since 2008 has had at least one significant
change to the SSL indicator. This means that each time we finally
managed to teach users what to look for, that changed.

Training users is hard. Training users to look for SSL indicators is
even harder, as not only do all browsers use different indicators, they
also change all the time. Users trained to ignore locks in the favicon
location (due to spoofing) will now need to be re-trained to look and
trust just in the place they had been trained not to trust.

The damage has already been done, so it is pointless discussing the
change or reverting it, that would just cause more chaos. Just please
strongly consider ceasing to change the SSL indicators every year.

Kind regards,
Jan

