The number one question I get asked, in my capacity as Human Shield at Mozilla, is how we make any money. People ask it with a sort of knowing grin, as though they already know we get it from leprechauns, but they want to hear me admit it. That’s not what this blog post is about.
The second most frequent question I get asked, and the one I’m more directly positioned to answer, is whether Firefox 3 will have an IE7-style Green Bar. I’m going to try to answer that here by offering my opinion on the matter, and an update on my coding progress to that end.
The short answer to that question is: no.
The longer answer is: it is not my preference to do so, though I recognize that, in order to aid in user education, we will have to find SOME consistent visual presentation across browsers. I just don’t think the green bar is the right one.
I don’t want to rehash my concerns with the green bar here, you can read all about them in this post. Suffice it to say that the green bar blurs the line between security and identity. An Extended Validation certificate tells us, with more certainty than any other web technology out there, who you are. It does not tell us that you’re a nice person. Identity, not security. The green bar also, like the padlock before it, relies on users noticing when it’s not there. If my life were a bumper sticker it would say:
Absence: good for hearts, bad for security UI.
What I’d like to see, instead, is a cue that focuses on identity. This is also not news to regular readers.  Take safety out of the equation, we never could tell you that anyhow. An always-on identity indicator that doesn’t blur the lines.
Remember this guy? I called him Larry back then, and it’s stuck. Instead of using a colour, always tricky since the popular ones tend to be pretty culturally-dependent and semantically overloaded, I suggested using a freely available icon with a pretty singular meaning: inspection of identity documents.
At the time, I also posted an unfortunately poor photoshop mockup that looked like this:
Since then a lot of things have happened, and my time has been split in a bunch of ways, but Larry hasn’t left my mind. I now have a Firefox add-on that implements Larry and he looks, for the moment, like this:
Finally, for comparison, here is what IE7 looks like on the same page:
Now, call me a Canadian if you must, but I see a lot of common ground here. We both tell the user the name of the site’s owner, and who verified that information. We both try to include some meaningful location data, where it’s been specified, and we both provide some indication that this represents a successful identity verification.
IE7 links to some help documentation behind “Should I trust this site?” and to their certificate viewer “View certificates” whereas we link to the updated Security Info dialog, but once again are both providing some way to drill down and get more information.
Our differences are pretty minor, when you think about it. Colour signal vs. icon signal; intermittent signal vs. persistent; and some minor differences in language and presentation. But still, it matters.
We’ve spoken to Markellos Diorinos at Microsoft about including Larry in their presentation as well, and he didn’t immediately reject the idea. I think it would be a big win for the end user, but I’m not so long gone from IBM that I’ve forgotten the speed at which such things move. Markellos and his colleagues are good guys, but they may well have an uphill struggle on such things, so cross your fingers for them.
In the meantime, we have work to do, as well. I need to finish implementing the front end, and eventually tie it in to the work already being done on the back end to recognize EV certificates. And there are still questions…
Should we talk about encryption in Larry’s popup? How do we approach sites that offer encryption, but not strong identity information? And where, oh where, do we put him?
Putting Larry in the address bar means making it even more crowded than it already is. Putting him outside in the space between location bar and search bar gives him more room, but makes him float sort of confusingly out in space. We don’t often introduce new pieces of primary UI, so it’s always a little bit touch-and-go when we do.
This is somewhere that I could use your help. Probably the single biggest thing you can do to help is install the current version of Larry from the addons sandbox.  You can provide feedback here, or in the tracking bug. I look forward to it. Adding something to primary chrome is a big deal, especially something security-related. I’m going to try pretty damned hard to get it right.
meandering wildly 
Hmmm …. has the icon been tested on users? What about users with poor vision (or with normal vision for someone over 40)? Do they understand it? Can they see it?
Wherever it goes, if the icon will have little details such as the book/passport, larger is better.
“Buh”, but with the words “Paypal, Inc” to the left of Larry. He’s looking in that direction, that’s where the text he refers to should be.
Also, I haven’t tried the extension yet so I don’t know what you do here, but you should definitely make sure Larry is present, but greyed out, all the time, even on non-https sites. You made the point yourself that it’s bad to expect people to notice the absence of something. Clicking on Larry in that state should bring up a popup explaining that it’s impossible to verify the identity of the site you’re on.
I’ve no preference between Zuh and Buh, but Aroo is clearly wrong to me. This indicator has nothing to do with the next site you are visiting, which is what the go button is for (besides, I always turn the go button off to allow for a longer url bar).
About the icon itself, I agree its too detailed for something of that size, I’d particularly get rid of the high visibility band he is wearing, as it is too similar to a line crossing the symbol out to indicate that identity verification had failed.
If you’re going to have the symbol always there then how are you going to differentiate between ID verified and ID not verified? The tick in the mock up above is hardly noticeable, and using colour causes problems for colour blind people (and the cultural differences mentioned above).
I also like buh. I tried to install him, but I can’t seem to access the sandbox.
“Zuh” but as Stuart says the “Papers, please!” guy is looking to the left, so the words so be there.
Also, like Steph I had issues accessing the sandbox.
++ to Stuart.
I’d put the tick next to the passport instead of larry, too.
I was thinking on how to make larry without an identity more distinguishable. How about putting down his arm and don’t show a passport? As larry doesn’t get a passport there’s nothing for him to do. I like the greying out, too.
I find myself confused by the thing, quite frankly, and searching for the padlock: It seems to be harder for me to quickly distinguish a “happy” Larry from one who is trying to verify the site (did you have to color that instance green?!) from one who just has nothing to say (lighter gray); I seem to be visually skipping over the text that indicates the identity.
That might be just my own behavior and expectations, but…
Another remark: Larry will happily tell me the name of an effectively unknown CA as being the trust root, even if I’ve just indicated that I want to trust a certificate just for this session. Strikes me as the wrong thing to do.
Of the three options, Zuh. I agree Larry should be facing the name, but that could also be accomplished by putting him to the right of it – so he’s looking back towards both the name and the URL. I certainly think he should be toolbar-icon-sized rather than URL-bar-icon-sized.
Are we planning to have the popup come up automatically when you first visit a site? if so, putting Larry further to the right would reduce the likelihood of it covering up important content.
I also think we need to trim every possible superfluous word from the dialog. We could get away with “Paypal, Inc. (US)” and “Tell me more…”
If they read two words from the dialog before glazing over, it needs to be the company name – so that should be the biggest text, not “Identity Verified”.
Have you experimented with a greater amount of transparency on the background?
Really helpful to test it out with the addon. It is too hard to see the question mark and the check mark. A simpler Larry might be better, but then would he be Larry or just some guy?
Personally I like the green bar, but I also liked the dancing banana idea.
Also, I assume this is the EV cert presentation. What happens when a non-EV cert is shown?
None: put Larry (and the verified domain if any) on the left side of the location bar where people will see him. Put him outside the location bar into the chrome (that is, NOT Buh) so people can’t try to spoof him with favicons as you’re spoofing the lock icon with your blog.
I really like the idea of Larry being a top-level button, the same size and shape as the Home button. He could be between the URL bar and the Search box, so he’s highly visible all on his own, and he’s a fair way to the right so his dropdown doesn’t obscure too much.
Your example doesn’t look so bad when you use VeriSign, Inc. As people knowledgeable about computer security, we all know who VeriSign is. But, what about “Verified by ABA.ECOM,” another CA included with FireFox 2? Who the heck is ABA.ECOM? I think that Mozilla made a big mistake by being so lenient with which CA’s are trusted by the browser. Firefox 3 is a good time to revisit this policy, and create stricter criteria for what it considers to be sufficient verification of identity. Mozilla can do this independently of the EV cert consortium.
There is also the question of when the CA verified the identity of the site. The EV guidelines state that certs last 12-18 months, IIRC, and the CA is only required to re-verify the identity of the website owner (not operator) once per year. That is a long time in Internet time.
Your stance against “Green means go” with respect to EV certs is right on. I have read through the EV requirement drafts. The EV verification requirements are heavily weighted favor of larger businesses. In fact, as of the current standards, ONLY corporations (not small businesses, and not sole proprietors or individuals) qualify. Furthermore, the EV verification process does nothing to verify the identity of the hosting providers or the payment processors for a website. A company could have an EV cert for a website that is running on a machine owned and operated by convicted thieves and still qualify, as long as said company has a phone that they answer in a businesslike manner–yes, that is what the EV requirements say!
I think that every EV cert should include a statement from the domain owner stating their privacy and security guidelines, and what procedures they have gone through the verify the statement (WebTrust-like audits, etc.) This would be analogous to the CA’s CPS statement, but user-oriented (i.e. not 200 pages of jargon). It would be signed (cryptographically) by the CA and the website, and firefox would retrieve it on demand. If the statement is missing, Firefox would say “The identity of this website was last verified on July 21, 2006 by ABE.ECOM. Neither ABE.ECOM nor the owners of this website have provided any assurances regarding the content of this website, your privacy, or anything else regarding the safety of using this website.” An abbreviated form of the CA’s CPS statement should be included as well–especially the parts where they disclaim any and all liability and refuse to warrant the service they provide.
This takes away a considerable amount of responsibility from Mozilla and give it to the CA and the website operator, the CA, and whoever Mozilla delegated CA verification to (WebTrust?). Then, Firefox just needs to include a single “How Safe is this Website?” button to show what the Website said, what the CA said about the Website, and what Firefox and/or Webtrust had to say about the CA. Which all boils down to, approximately, “nobody promises anything about anything.”
Brian brings up some good points. Now that browsers are working to state the name of the CA, we can expect much more scrutiny of who the CA is. This more than anything will move the PKI industry to a sense of quality, to a desire to establish its brand, and to show it is good enough for the job, not just fill in some dry auditing documents so it can get on and sell certs.
Brian, bear in mind that before now, the CA’s name and thus its role and quality was hidden. If you think that Mozilla made mistakes in its root list, then I’d suggest mistakes can only be fixed if they can be seen. Browsers can expect to hear a lot more noise and face a lot more scrutiny on CAs if and when the brand is surfaced: if anyone sees a strange name, then they are motivated to investigate and comment, either positively or negatively.
It’s not reasonable for us to expect a browser to get it right every time, but if mistakes are hidden, nobody is encouraged to help. (Disclosure: I audit a CA.)