Firefox 3 SSL warning page is slightly cryptic

Bug #217606 reported by Sitsofe Wheeler
Affects: firefox-3.0 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: firefox

Description of the problem:
The Firefox3 "SSL certificate not signed by a known authority" page is a bit cryptic and has a button with an unclear action.

Steps to reproduce:
1. Start Firefox.
2. Visit https://www.kernel.org/ .
3. Click on "Or you can add an exception…"

Expected result:
Two buttons to appear, one saying "close this window", another saying "remember this certificate".

Actual result:
Two buttons, one saying "Get me out of here!", another saying "Add exception..."

Additional information:
The first time round I clicked "Get me out of here!" and was confused to land on the firefox home page.

Version information:
Ubuntu hardy (development branch)
firefox 3.0~b5+nobinonly-0ubuntu1

Tags: likely-dup
C de-Avillez (hggdh2) wrote :

For what it's worth -- I agree with Sitsofe. I also was confused by it.

Saša Bodiroža (jazzva) wrote :

Targeting against firefox-3.0 package.

I think the choices are redone, so the only option is "Or you can add an exception...". I suppose this was done for security reasons.

Alexander Sack (asac) wrote : Re: [Bug 217606] [NEW] Firefox 3 SSL warning page is slightly cryptic

On Tue, Apr 15, 2008 at 07:36:33AM -0000, Sitsofe Wheeler wrote:
> Public bug reported:
>
> Binary package hint: firefox
>
> Description of the problem:
> The Firefox3 "SSL certificate not signed by a known authority" page is a bit cryptic and has a button with an unclear action.
>

The page was changed to look more special compared to normal error
pages - which appears to cause the main confusion.

previews are:

 http://people.ubuntu.com/~asac/screenshots/bad_cert.png
 http://people.ubuntu.com/~asac/screenshots/bad_cert2.png

Better?

 status incomplete

However, IIRC we have another wontfix bug open for this ...

 tag likely-dup

 - Alexander

Changed in firefox-3.0:
status: New → Incomplete
Sitsofe Wheeler (sitsofe) wrote :

I like the first mockup. Is this really going to be resolved effectively wontfix though (through duping)? Can it be left open until the dup is found?

Alexander Sack (asac) wrote : Re: [Bug 217606] Re: Firefox 3 SSL warning page is slightly cryptic

On Wed, May 14, 2008 at 07:13:15AM -0000, Sitsofe Wheeler wrote:
> I like the first mockup. Is this really going to be resolved effectively
> wontfix though (through duping)? Can it be left open until the dup is
> found?
>

For me it's still incomplete .... setting again

 affects ubuntu/firefox-3.0
 status incomplete

 - Alexander

Sitsofe Wheeler (sitsofe) wrote :

I'm unsure what extra information you want me to add... Were you asking me to choose between the mockups? My original report did include expected behaviour...

John Vivirito (gnomefreak) wrote :

This is the expected result: to add and remember an exception you would click on "Add Exception" and it will restart the page for you to get in it. Now not sure what is expected in the way of "get me out of here", but it should return you to an already determined page. Are you looking for the buttons to be renamed? I don't find "Add Exception" or "get me out of here" cryptic at all since it says exactly what you are looking to do. Please explain what in this you wish was changed.

John Vivirito (gnomefreak) wrote :

Also, a bug that is incomplete "for mozilla bugs" doesn't always mean more info; most of the time it helps us track bugs better than other statuses.

Jayson Rowe (jayson.rowe) wrote :

Since it's been a very long time since any additional info was added to this bug, I'm just checking to see if this is still an issue, and find out what additional work should be done on this bug.

W.McL (w-mcl) wrote :

I find this behaviour extremely annoying, since it treats browser users like stupid people who cannot decide themselves what website to visit and what not. (This sadly seems to be a general concept of Mozilla lately, since also the access to "about:config" comes with such an annoying warning)

In my opinion it also does not add any more security, because it is not impossible to fake CA certificates by hash collision (and has recently been demonstrated, see http://events.ccc.de/congress/2008/Fahrplan/events/3023.en.html )

So this behaviour drives people away from encrypted sites using either self-signed certificates, or certificates signed by an authority not "trusted" by default, even though both of them are not really more insecure than "trusted" certificates.

Here http://blog.madism.org/index.php/2008/06/26/177-firefox3-and-ssl I found a guide to reduce the clicks necessary to visit an "untrusted" https site to "only" two. (The changes shown on that site can also be applied via about:config instead of editing the config file.) This is a slight improvement, but the behaviour is still annoying enough to make me consider switching to a different browser, although I got used to Firefox and rather liked it.

My recommendation for a warning about unverified certificates would be rather to display a notice bar in the upper part of the browser window (like for example the "Do you want to save this password" dialog), or to change the background colour of the address bar, which would be sufficient warning, but much less annoyance.

Sitsofe Wheeler (sitsofe) wrote :

W.McL:
This bug was never about the self signed cert behaviour (look at the expected behaviour in the first post) - rather it was the wording of the page. The self signed debate has been hashed out thoroughly elsewhere (see http://www.gerv.net/security/self-signed-certs/ ) but if you still feel strongly please file a new bug report rather than adding to this one. Thanks!

(PS: don't forget to subscribe yourself to bugs that you post on - it lets you see other people's replies!)

W.McL (w-mcl) wrote :

Sitsofe:
Thank you for making clear that I was mistaken about the topic of this bug report.

Sitsofe Wheeler (sitsofe) wrote :

W.McL:
You're welcome!

xteejx (xteejx) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue for you. I believe the intention of this was, as Alexander stated, to make it look different from a normal page, drawing the user's attention. If you still feel this should be changed, you can set up an Idea in Brainstorm, or speak directly with the Mozilla Team on their bug tracker https://bugzilla.mozilla.org/ . Please let us know if this still affects you.

xteejx (xteejx) wrote :

We are closing this bug report because it lacks the information we need to investigate the problem, as described in the previous comments. Please reopen it if you can give us the missing information, and don't hesitate to submit bug reports in the future. To reopen the bug report you can click on the current status, under the Status column, and change the Status back to "New". Thanks again!

Changed in firefox-3.0 (Ubuntu):
status: Incomplete → Invalid