Security/Reviews/IdentityBox

Please use "Edit with form" above to edit this page.

Item Reviewed

New Idenity Box Design

Target

   
     Full Query

ID	Summary	Priority	Status
612253	Need a shortcut key to focus the input line in web console	P2	VERIFIED
742419	Implement new identity block design (lighter weight with a generic icon)	--	RESOLVED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);

{{#set:SecReview name=New Idenity Box Design

|SecReview target=

Full Query

ID	Summary	Priority	Status
612253	Need a shortcut key to focus the input line in web console	P2	VERIFIED
742419	Implement new identity block design (lighter weight with a generic icon)	--	RESOLVED

2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);

}}

Introduce the Feature

Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)

We will remove the favicon from the Firefox address bar and replace it with a generic icon in http and mixed content scenarios. Use a grey lock in https, and a green lock in https+ev. The verified domain will be hidden in https. The verified identity will be visible in https+ev.

What solutions/approaches were considered other than the proposed solution?

current state

Why was this solution chosen?

to make the state of pages clearer to users

Any security threats already considered in the design and why?

`

Threat Brainstorming

"Your connection to this website has been encrypted to prevent eavesdropping."
- That statement makes me very uncomfortable, as encryption doesn't prevent eavesdropping: it attempts to protect a combination of confidentiality and integrity, depending on the algorithms chosen. I think this is an important distinction, not a pedantic argument, as it can lead users to assume a false level of security. I'm not sure what the right words to use are - a different question - but I believe that these are not it. If we change this, it's something we'll want to do a blog post explaining. - adamm
- Out of scope for this review, the Larry dialog is a separate effort.

{{#set: SecReview feature goal=* We will remove the favicon from the Firefox address bar and replace it with a generic icon in http and mixed content scenarios. Use a grey lock in https, and a green lock in https+ev. The verified domain will be hidden in https. The verified identity will be visible in https+ev. |SecReview alt solutions=* current state |SecReview solution chosen=* to make the state of pages clearer to users |SecReview threats considered=' |SecReview threat brainstorming=* "Your connection to this website has been encrypted to prevent eavesdropping."

- That statement makes me very uncomfortable, as encryption doesn't prevent eavesdropping: it attempts to protect a combination of confidentiality and integrity, depending on the algorithms chosen. I think this is an important distinction, not a pedantic argument, as it can lead users to assume a false level of security. I'm not sure what the right words to use are - a different question - but I believe that these are not it. If we change this, it's something we'll want to do a blog post explaining. - adamm
- Out of scope for this review, the Larry dialog is a separate effort.

}}

Action Items

Action Item Status

Complete

Release Target

`

Action Items

<td[DONE] done

Who	bug	Action	By When	Completed date [NEW] new [DONE] Done [MISSED] Miss
UX	bug 747093	A blog post about how moving the display of favicon.ico from the area supplying trusted information from the browser, to the tab, protects users.	during Beta	[DONE] done
jaws	bug 747090	Change the icon for mixed content	by Beta for FF 14	[DONE] done
jaws	bug 747088	Don't include https:// in the mixed content case	by FF15, or sooner if possible.	[DONE] done
jaws	bug 747087	Make the https:// black (to match the domain color) in the https non-ev case	by FF15	[DONE] done
jaws	bug 747085	Make the https: green in the https ev case	by FF15 (not a security requirement)	[DONE] done
jaws	bug 747083	Make the lock icon darker for the non-ev case	by FF15

Full Query

ID	Summary	Priority	Status
747083	Update the identity icons to have a darker lock icon for HTTPS and greener lock icon for HTTPS+EV.	--	RESOLVED
747085	Make the https:// green in the https ev case	--	RESOLVED
747087	Make the https:// black (to match the domain color) in the https non-ev case	--	RESOLVED
747088	Don't include https:// in the location bar in the mixed content case	--	RESOLVED
747090	Change the icon for mixed content	--	RESOLVED
747093	Favicon blog post	--	RESOLVED

6 Total; 0 Open (0%); 6 Resolved (100%); 0 Verified (0%);

{{#set:|SecReview action item status=Complete

|Feature version=`

|SecReview action items=

<td[DONE] done

Who	bug	Action	By When	Completed date [NEW] new [DONE] Done [MISSED] Miss
UX	bug 747093	A blog post about how moving the display of favicon.ico from the area supplying trusted information from the browser, to the tab, protects users.	during Beta	[DONE] done
jaws	bug 747090	Change the icon for mixed content	by Beta for FF 14	[DONE] done
jaws	bug 747088	Don't include https:// in the mixed content case	by FF15, or sooner if possible.	[DONE] done
jaws	bug 747087	Make the https:// black (to match the domain color) in the https non-ev case	by FF15	[DONE] done
jaws	bug 747085	Make the https: green in the https ev case	by FF15 (not a security requirement)	[DONE] done
jaws	bug 747083	Make the lock icon darker for the non-ev case	by FF15

Full Query

ID	Summary	Priority	Status
747083	Update the identity icons to have a darker lock icon for HTTPS and greener lock icon for HTTPS+EV.	--	RESOLVED
747085	Make the https:// green in the https ev case	--	RESOLVED
747087	Make the https:// black (to match the domain color) in the https non-ev case	--	RESOLVED
747088	Don't include https:// in the location bar in the mixed content case	--	RESOLVED
747090	Change the icon for mixed content	--	RESOLVED
747093	Favicon blog post	--	RESOLVED

6 Total; 0 Open (0%); 6 Resolved (100%); 0 Verified (0%);

}}