Let's have a game of "Spot The Difference" (Serious Firefox 3 Security UI Issue)

Remember back to when you were much younger and you had puzzle books for travel journeys, or maybe just because you liked puzzles. One of the puzzles you probably played was "spot the difference", where you have to identify the things that differ between two apparently similar pictures or drawings. Time to play that game again....

However, there is a serious note here, and it involves an issue that came to my attention via the cryptography@ email list thanks to Peter Gutmann. There is a very major user interface change between the Firefox 2 and Firefox 3 releases in how the location bar in the browser is displayed for pages retrieved over SSL.

This is covered in Mozilla.org bug 430790.

On to the game...



Round 1: The difference between Firefox 2 showing the same page over http and https



Round 2: The difference between Firefox 3 showing the same page over http and https



Did you get it?

In Firefox 2 there are two easily found differences between the two cases:

  • The background of the location bar is yellow
  • There is a lock icon in the location bar (as well as the one not shown at the bottom of the window)

The Firefox 3 case is more subtle:

  • The background of the favicon is turned blue

So what is actually wrong with this?

  • Major change in functionality that users depend on to determine if a site is "secure"
  • Same space being used to draw untrusted and trusted information:
    • The browser's "blue means it is SSL" indicator
    • The remote site's "random" icon for itself (which might contain that same colour of blue!)
  • Removal of the lock icon (yes, there is another one at the bottom of the window)
  • Change of colour from yellow to blue at the same time as introducing green (see below for where green comes into it)
  • Inconsistency between platforms. I looked at this on Solaris (which is where all the screenshots were taken), MacOS X and Windows. On Solaris (and I assume Linux too) it is the most difficult to determine which parts are the remote-provided icon and which are the parts the browser is using to indicate SSL. On Windows the left hand side of the favicon area is curved, on MacOS X both sides are curved, but on Solaris it was square.

A little improvement can be had by setting the 'browser.identity.ssl_domain_display' property to 1. This makes the default SSL Cert case be similar to the Extended Validation (EV) Certificate case below.

Note in this case there are two indicators that we are now looking at an https page:

  • Location bar is green
  • Company name from the cert is displayed after the favicon

For the non-EV cert case with 'browser.identity.ssl_domain_display' set to 1 we get a location bar that looks like this:

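Whether that preference is actually in force on a given machine is worth checking rather than assuming, since it is a per-profile setting. The following Node.js script is an added example, not code from the original post or from Mozilla: it parses the `user_pref("name", value);` lines of a Firefox profile's prefs.js or user.js, reports whether 'browser.identity.ssl_domain_display' is set to 1, and produces the line to append to user.js to turn it on. The sample prefs content embedded below is constructed for the example.

```javascript
// Added example (not from the original post or from Mozilla): inspect a
// Firefox profile's prefs.js / user.js for browser.identity.ssl_domain_display.
// Assumes Node.js; the sample prefs text below is constructed, not a real profile.

const PREF_NAME = "browser.identity.ssl_domain_display";

// A pref line looks like: user_pref("name", value);
// where value is a quoted string, an integer, or true/false.
const PREF_LINE =
  /^\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\);/;

// Parse prefs text into a Map of name -> value. A later line for the same
// name overrides an earlier one, matching how Firefox applies the file.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (!m) continue; // header comments, blank lines, anything unparseable
    const [, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = JSON.parse(raw); // handles \" escapes
    else value = parseInt(raw, 10);
    prefs.set(name, value);
  }
  return prefs;
}

// True only when the pref is present and set to 1, the value the post
// describes. Firefox 3 defaults it to 0, so an absent pref means "off".
function sslDomainDisplayEnabled(prefsText) {
  return parsePrefs(prefsText).get(PREF_NAME) === 1;
}

// The line to append to user.js so the domain is shown next to the favicon.
function userJsLineForDomainDisplay() {
  return `user_pref("${PREF_NAME}", 1);`;
}

// Constructed sample of a prefs.js that does NOT set the pref.
const SAMPLE_PREFS = `
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("app.update.lastUpdateTime.background-update-timer", 1220000000);
user_pref("browser.startup.homepage", "about:blank");
user_pref("network.cookie.lifetimePolicy", 0);
`;

function main() {
  console.log("enabled in sample profile:", sslDomainDisplayEnabled(SAMPLE_PREFS));
  console.log("append to user.js:", userJsLineForDomainDisplay());
}

if (typeof require !== "undefined" && require.main === module) main();
```

Running it against the constructed sample reports the indicator as off and prints the user.js line; feeding it the text of a real profile's prefs.js (or the prefs.js with that line appended) is the check an administrator would actually run.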
Comments:

This page shows only the differences in the "location bar" (where the URL is entered and displayed) at the top of the window, not the differences in the status bar (at the bottom of the window). But the primary SSL indicators have historically been in the status bar. The differences between FF2 and FF3 in the status bar are even greater than the differences in the location bar. So I suggest that your page should also show images contrasting the status bars.

Setting the 'browser.identity.ssl_domain_display' property to 1 has the effect of restoring the status bar indicators to their former behavior.

Posted by bottom feeder on September 09, 2008 at 11:25 AM BST

About: DarrenMoffat
