Let's have a game of "Spot The Difference" (Serious Firefox 3 Security UI Issue)
By DarrenMoffat on Sep 08, 2008
Remember back to when you were much younger and had puzzle books for travel journeys, or maybe just because you liked puzzles. One of the puzzles you probably played was "spot the difference", where you have to identify what is different about two apparently similar pictures or drawings. Time to play that game again....
However, there is a serious note here, and it involves an issue that came to my attention via the cryptography@ email list thanks to Peter Gutmann. There is a major user interface change between the Firefox 2 and Firefox 3 releases in how the location bar in the browser is displayed for pages retrieved over SSL.
This is covered in Mozilla.org bug 430790.
On to the game...
Round 1: The difference between Firefox 2 showing the same page over http and https
Round 2: The difference between Firefox 3 showing the same page over http and https
Did you get it?
In Firefox 2 there are two easily found differences between the two cases:
- The background of the location bar is yellow
- There is a lock icon in the location bar (as well as the one, not shown here, at the bottom of the window)
In Firefox 3 there is only one difference:
- The background of the favicon is turned blue
So what is actually wrong with this?
- Major change in functionality that users depend on to determine if a site is "secure"
- The same space is used to draw untrusted and trusted information:
  - The browser's "blue means it is SSL" background
  - The remote site's "random" icon for itself (which might contain that same colour of blue!)
- Removal of the lock icon (yes, there is another one at the bottom of the window)
- Change of colour from yellow to blue at the same time as introducing green (see below for where green comes into it)
- Inconsistency between platforms. I looked at this on Solaris (which is where all the screenshots were taken), MacOS X and Windows. Solaris (and I assume Linux too) is the one where it is most difficult to determine which parts are the remote-provided icon and which are the parts the browser is using to indicate SSL. On Windows the left-hand side of the favicon area is curved, on MacOS X both sides are curved, but on Solaris it was square.
A little improvement can be had by setting the 'browser.identity.ssl_domain_display' preference to 1. This makes the default SSL certificate case look similar to the Extended Validation (EV) certificate case below.
Note that in this case there are two indicators that we are now looking at an https page:
- Location bar is green
- Company name from the cert is displayed after the favicon
For the non-EV cert case with 'browser.identity.ssl_domain_display' set to 1 we get a location bar that looks like this: