Comments on: Revisiting Security UI – Part 2

By: Johnath

Johnath — Sat, 12 Apr 2008 03:10:16 +0000

@hashi: The panel itself is in browser.xul, and most of the IdentityHandler() code is in browser.js, so in principle you should be able to interact with it from an extension like other chrome code. If there is something specific you’re interested in doing, I can try to be of more assistance.

By: hashi

hashi — Thu, 10 Apr 2008 13:47:29 +0000

I saw Larry on beta 5 – nice!
Is there an interface to this feature? Can I, as a security related extension developer, use Larry to display some more info?

By: Johnath

Johnath — Sat, 12 Jan 2008 14:41:07 +0000

Thanks Gen!

By: Gen Kanai

Gen Kanai — Thu, 10 Jan 2008 02:13:54 +0000

Just a note to let you know that the link to

http://www.iws.ie/media/pdf/Signs&symbols.pdf

is broken.

http://www.aiga.org/content.cfm/symbol-signs

may be a better one.

By: Kevin Berkheiser

Kevin Berkheiser — Thu, 27 Dec 2007 03:31:00 +0000

“@Kevin B: I find it interesting that people who write combative, declarative comments nevertheless adopt a tone that suggests they expect thoughtful and engaged replies, when their choice of language undermines the possibility of any such thing. ”

Ok, point taken. I guess I was getting frustrated. I haven’t been in bugzilla much the last couple of years bug decided to find out what was going on with EV in Mozilla. I was skimming bug 383183 and one of the first links was to this Blog.

Anyway, the frustrating thing I’ve been finding is that many bugs related to this are closed, yet, running the 12/21/07 nightly I had to uncover Larry because it wasn’t intuitive that it was even there and even when I did find Larry, EV sites didn’t show up any different.

By: Johnath

Johnath — Sat, 22 Dec 2007 05:46:32 +0000

@Kevin B: I find it interesting that people who write combative, declarative comments nevertheless adopt a tone that suggests they expect thoughtful and engaged replies, when their choice of language undermines the possibility of any such thing.

Instead I’ll refer you to blog posts more recent than May, to bugs like 406612, and to the general premises that:
a) Assuming your counterparty is an idiot is never a fruitful way to foster discussion, and
b) our obligation as browser vendors is to our users. Neither the amount of money CAs charge their customers, nor the expectations of those customers, is of any concern whatsoever to us except insofar as the product they sell provides more value to our users.

By: Kevin Berkheiser

Kevin Berkheiser — Sat, 22 Dec 2007 00:16:16 +0000

I downloaded the 12/21/07 nightly and installed it.

First, I’m reading bug reports talking about Larry and I’m seeinig nothing on EV sites. Then I finally read something that says to click the favicon. What is the point of building a new UI feature you are going to hide.

I agree, there is a difference between encryption and identity even though if you have a certifiicate that identifies a site it also gives you encryption.

I personally think if you are going to have an icon for identity then the padlock has to be the encryption icon. The duplication I see between the padlock and this larry thing seems dumb. Either separate the features or keep them as one icon.

Second, Larry needs an icon it can’t be a hidden feature. What is the point of spending all that time codeing to hide it.

Lastly, I don’t care what you think about EV and its useful or uselessness, it is out, and costs $$$. Companies expect to get something special in the UI for the extra $$$ they paid their CA. I don’t care if that is the green bar or a special designation in Larry (provided Larry is clearly visible).

By: Mihangel Caiaphas

Mihangel Caiaphas — Sun, 21 Oct 2007 19:15:50 +0000

that’s why it will never wor. Mihangel Caiaphas.

By: db48x

db48x — Tue, 29 May 2007 08:51:17 +0000

I really like that idea. The implementation is pretty simple (except for the bug where xul can’t float over html), and it doesn’t rely on the site having an EV cert. What do you think it should say for a non-ssl site?

By: x509v3

x509v3 — Mon, 14 May 2007 21:44:31 +0000

As someone who oversees a public CA (no, not the one you’re thinking of ), I’m reacting to the implication that there will be a bright line between “EV=trusted” and “everything else=untrusted”. Granted, if the number of steps a CA takes to give someone an SSL certificate for their host/domain is the same as the number of steps to get the original domain name in the first place then the notion of *who* or *what* is being identified is identical as well.

But some CAs do more than send an email ping to confirm that the applicant has possession of the domain name in question, or that they still have a (someone’s) valid credit card. You can’t lump all non-EV CAs into the same category. When a CA is missing the EV magic sauce it doesn’t mean that FF should throw up its hands and put the entire burden of validation on the user (“Verified by: You”) either. Speaking for my company, we’ve spent considerable money and resources building an infrastructure that protects people’s credentials and financial information via SSL transport encryption and provides a hint to savvy people that the site they’re connecting to is who it claims to be. We stand behind those certificates and have established a reputation on them, despite not having built everything again with a special magic OID to denote EV-ness.