Closed Bug 1034360 Opened 10 years ago Closed 10 years ago

remove OCSP preference UI (or at least remove the unnecessary dialog window)

Categories

(Firefox :: Settings UI, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
Firefox 33

People

(Reporter: keeler, Assigned: keeler)

References

(Blocks 1 open bug)

Attachments

(1 file, 1 obsolete file)

See about:preferences -> Advanced -> Certificates -> Validation

1. It's unclear that the "Validation" button has anything to do with OCSP.
2. It shouldn't be necessary to use a dialog window to expose two checkboxes.
3. The vast majority of users do not need to change these settings. This is something that belongs solely in about:config.

It's probably best to just remove it altogether.
Attached patch patch (obsolete) (deleted) — Splinter Review
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8450683 - Flags: review?(dao)
> 3. The vast majority of users do not need to change these settings. This is
> something that belongs solely in about:config.

about:config isn't meant for any end users, so if we expect that a small minority will want to change these settings, it may still make sense to have it in the UI, depending on how much these users would depend on that.
Flags: needinfo?(dkeeler)
Looking at the telemetry for security.OCSP.require[0], about 0.2% of users have changed it from the default value, so I think it's reasonable to not have any UI (other than about:config) for that.

The telemetry for security.OCSP.enabled[1] indicates about 2% of users have changed it from the default value, so I suppose that's about where we would support changing it in preferences. It doesn't need its own dialog box, though, so I'll just move it to the Certificate tab of the Advanced preferences.

[0] http://telemetry.mozilla.org/#filter=nightly%2F33%2FCERT_OCSP_REQUIRED&aggregates=multiselect-all!Submissions&evoOver=Builds&locked=true&sanitize=true&renderhistogram=Graph
[1] http://telemetry.mozilla.org/#filter=nightly%2F33%2FCERT_OCSP_ENABLED&aggregates=multiselect-all!Submissions&evoOver=Builds&locked=true&sanitize=true&renderhistogram=Graph
Flags: needinfo?(dkeeler)
Attachment #8450683 - Attachment is obsolete: true
Attachment #8450683 - Flags: review?(dao)
Attached patch patch v2 (deleted) — Splinter Review
Dao - how does this look?
Attachment #8451935 - Flags: review?(dao)
(In reply to David Keeler (:keeler) [use needinfo?] from comment #3)
> Looking at the telemetry for security.OCSP.require[0], about 0.2% of users
> have changed it from the default value, so I think it's reasonable to not
> have any ui (other than about:config) for that.

I'm still missing some context. Are these 0.2% just confused or paranoid or are there good reasons for touching that pref? Why does security.OCSP.require exist in the first place?

Do other browsers provide similar prefs?
Right, sorry - context: security.OCSP.require toggles strict OCSP checking. That is, if the OCSP responder is not available or fails for some reason, if security.OCSP.require is true, Firefox will terminate the connection. Since OCSP responders have historically not been reliable enough, this makes for an unusable browsing experience, so the pref is false by default. However, some people are well enough informed that they know the security/performance trade-offs (not to mention the fact that the pref exists at all) and can deal with a degraded browsing experience. I think these are the kind of people that can handle using about:config. (It's also good for testing purposes, i.e. to make sure a given OCSP responder is working.)

As I understand it, Chrome doesn't even do OCSP anymore. Safari does appear to have this sort of preference buried somewhere in the system settings. From doing a bit of searching, I wasn't able to tell if Opera or Internet Explorer have similar preferences.
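
The soft-fail versus hard-fail behaviour described in the comment above, as an added example that is not part of the original bug discussion and is not Firefox code: it reads the two OCSP prefs from the text of a profile's prefs.js or user.js and models what happens for a given responder outcome. The function names, the outcome labels, and the assumption that security.OCSP.enabled defaults to 1 with 0 meaning "disabled" are not taken from this page.

```javascript
// Added example (not Firefox code): audit the two OCSP prefs in prefs.js/user.js
// text and model soft-fail vs. hard-fail revocation checking.
// Assumption: security.OCSP.enabled defaults to 1 (0 = off); require defaults to false.
const DEFAULTS = { "security.OCSP.enabled": 1, "security.OCSP.require": false };

// Parse user_pref("name", value); lines. Later lines override earlier ones,
// and lines that are commented out do not match.
function readOcspPrefs(prefsText) {
  const prefs = { ...DEFAULTS };
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+)\s*\)\s*;/gm;
  for (const [, name, raw] of prefsText.matchAll(re)) {
    if (!Object.hasOwn(DEFAULTS, name)) continue;
    prefs[name] = raw === "true" ? true : raw === "false" ? false : Number(raw);
  }
  return prefs;
}

// responderResult (hypothetical labels): "good" | "revoked" | "unavailable"
// where "unavailable" covers a timeout, an error or an unusable response.
function connectionDecision(prefs, responderResult) {
  if (prefs["security.OCSP.enabled"] === 0) return "proceed-unchecked";
  if (responderResult === "revoked") return "terminate";
  if (responderResult === "unavailable") {
    return prefs["security.OCSP.require"] ? "terminate" : "proceed-soft-fail";
  }
  return "proceed";
}

// Report the settings a reviewer would want to know about for one profile.
function audit(prefsText) {
  const prefs = readOcspPrefs(prefsText);
  const findings = [];
  if (prefs["security.OCSP.enabled"] === 0) {
    findings.push("OCSP fetching disabled");
  } else if (!prefs["security.OCSP.require"]) {
    findings.push("soft-fail: a responder outage does not stop the connection");
  }
  return { prefs, findings };
}

// Constructed sample input, not taken from a real profile.
const SAMPLE = `
// user_pref("security.OCSP.enabled", 0);
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.OCSP.require", true);
`;
console.log(audit(SAMPLE), connectionDecision(readOcspPrefs(SAMPLE), "unavailable"));
```
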
Ok, so my only remaining concern is that the dialog spells out "Online Certificate Status Protocol" while you're only using the OCSP acronym.
My intuition on using the acronym rather than spelling it out was that to someone unfamiliar with it, "Online Certificate Status Protocol" doesn't mean much more than "OCSP". Similarly, anyone familiar with it would know it from the acronym, so I think it's unnecessary either way. If you think it's important, though, I can update the patch to basically use the old string.
Attachment #8451935 - Flags: review?(dao) → review+
https://hg.mozilla.org/mozilla-central/rev/d29d68087657
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 33