Tidbits, mind you, not Timbits. Every time I’m dealing with non-Canadians in Canada, and they refer to “donut holes” when they clearly mean “Timbits,” I have a moment where I feel sort of embarrassed for them. Like they just said they were going to nip up the old gorn and scumbles for some hennylummers. Like they are hopelessly antiquated. And then I remember that “Timbit”, like “Kleenex”, “Xerox” and “100% Beef,” is just a corporatism, and truly it is I who should feel ashamed. And I do. On with the show.
SSL Error Pages
Yes, again. But just a quickie. When I land bug 402207 later today, it will slightly change the way adding a security override works. You’ll still have the option to add an exception when you visit a site with unverified security, but whereas recently the dialog that popped up would auto-fetch the certificate for you, it will now pre-populate the url, but make you fetch the certificate yourself.
This isn’t just a stupid attempt to annoy users more, it’s an attempt to make it easier to understand what’s going on. The behaviour of our exception adding is now controlled by a preference named:
With three values:
- 0 = Don’t pre-populate the site URL or pre-fetch the certificate
- 1 = Pre-populate the URL, but don’t pre-fetch the certificate (New default)
- 2 = Pre-populate and pre-fetch (Old default)
Doing this means that the dialog has less text when users first see it, meaning users might be more inclined to actually read it. It also don’t have an obvious one-click path, the user needs to fetch the certificate (at which point the problems will show up) and then add the exception.
Users who want to fast track the process because they know what they’re doing can just switch that to “2”, and users (or possibly IT departments deploying Firefox internally) might also choose to set it to 0 to compel more user interaction before trust is given to an unverified site.
For all the talk about Larry and EV certificates, people might be wondering when they’ll start seeing them. In a funny sort of way, they’re already there – all the code to DO stuff is there, but we don’t yet have any authorities “blessed” as being EV issuers. So that code is idle at the moment.
Kai has now finished up bug 404592 though, which means testers on nightlies can turn on EV trust by setting an environment variable. To see EV treatment on your (post-beta1) nightly, just run with:
I won’t go into detail about how to set environment variables, because this only matters in the very short term anyhow, but for those who are fluent in this underworld machination, doing so will prematurely bless the Verisign EV root. This doesn’t mean anything about Mozilla and Verisign and what certs will be trusted in Firefox 3, it’s purely a testing contrivance. Live sites with Verisign EV certs include Paypal and eBay. Once we have at least one EV root in the trusted list, this hack won’t be necessary, and Larry will truly be free to roam.
[Update: It took one minute – sixty terran seconds – for google to index this blog and give me sole possession of the googlerank for ‘hennylummers.’ Spooky.]