Closed Bug 1241292 Opened 9 years ago Closed 9 years ago

Revisit "Your login could be compromised" string for Insecure Password Warning

Categories

(Firefox :: Security, defect, P1)

Tracking

RESOLVED FIXED
Firefox 46
Iteration:
46.3 - Jan 25
Tracking Status
firefox46 --- fixed

People

(Reporter: tanvi, Assigned: tanvi)

References

(Blocks 1 open bug)

Details

(Whiteboard: [fxprivacy])

Attachments

(2 files, 2 obsolete files)

When you visit an HTTP page that has a password field, Nightly (and soon dev edition) will show a degraded UI (lock with strikethrough). When you click on that to open the Control Center, the message says: "Your login could be compromised".

Matt proposes that we change that string (either in general or just for dev edition) to something that is aimed more at developers. When we are ready to move the feature to the release channel, we can switch to a different string for general users.

A couple ideas:
"The login page could be compromised"
"This login page could be compromised" (although this might be a general purpose page that happens to also have a login form)
"Login pages should be served over HTTP"
"Passwords/(Credentials) should not be collected over HTTP"
"Passwords/(Credentials) should be collected over HTTPS"

It depends on who our audience is. We could even have two separate strings - one for dev edition and one for everything else.

Matej, what do you think?
Ideas:
* "Logins on this page could be compromised."
* "Logins entered on this page could be compromised."
I don't want people to think we're saying the site is compromised and I think that saying "your login" in a message targeted to developers could be confusing.
Blocks: 1193404
Flags: qe-verify?
Priority: -- → P3
I personally like...
> "Login pages should not be served over HTTP"

It lets the user know exactly why they're receiving the error with a single click of the strike-through lock icon. If they need more information, they can expand the CC via ">" to get more information on the error.
I'm not as familiar with this audience or what will be right for them, but here are the two that sound best to me:

"Logins on this page could be compromised."
"Login pages should not be served over HTTP."
(In reply to Matej Novak [:matej] from comment #4)
> I'm not as familiar with this audience or what will be right for them, but
> here are the two that sound best to me:
>
> "Logins on this page could be compromised."

"Logins entered on this page could be compromised." is a little more clear, but longer by 8 characters. What do you think?

> "Login pages should not be served over HTTP."

We will use this version for Nightly and Dev Edition
All of the strings proposed in comment 5 are two lines instead of one in the Control Center main view. (At least on my mac)
Attached patch Bug1241292-01-22-16.patch (obsolete) (deleted) — Splinter Review
Attachment #8711095 - Flags: review?(MattN+bmo)
Attached image insecure-password-main-panel.png (obsolete) (deleted)
Attached image insecure-password-subpanel.png (deleted)
How about:
> "Logins should not be served over HTTP"
Hmm; trying the patch on a beta build I still see the dev edition warning. So maybe the ifndef doesn't work? We could take that out for now in an attempt to land this before uplift, and just land the dev edition string change.
Comment on attachment 8711095 [details] [diff] [review] Bug1241292-01-22-16.patch Review of attachment 8711095 [details] [diff] [review]: ----------------------------------------------------------------- ::: browser/locales/en-US/chrome/browser/browser.dtd @@ +748,5 @@ > <!ENTITY identity.connectionFile "This page is stored on your computer."> > <!ENTITY identity.connectionVerified1 "You are securely connected to this site, run by:"> > <!ENTITY identity.connectionInternal "This is a secure &brandShortName; page."> > +<!ENTITY identity.insecureLoginFormsDevEdition "Login pages should not be served over HTTP."> > +<!ENTITY identity.insecureLoginFormsRelease "Logins entered on this page could be compromised."> I would prefer the 2nd one for dev edition too. "Login pages should not be served over HTTP" feels too jargony even for Dev Edition IMO.
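Review bot: identity.insecureLoginFormsDevEdition says "Login pages should not be served over HTTP.", but the warning fires on any HTTP page that contains a password field, and the bug description notes this may be a general-purpose page that happens to have a login form, so "Login pages" can misdescribe what the user is looking at. Wording about logins entered on the page, as in identity.insecureLoginFormsRelease, avoids that. No localization note is visible next to the two added entities; since the thread reports the proposed strings wrapping to two lines in the Control Center main view, a short note telling localizers where the string appears and that it should stay short would help, and shipping a single entity instead of two would avoid translating the same warning twice.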
Attached patch Bug1241292-01-22-16C.patch (deleted) — Splinter Review
Updated to just use one string everywhere: Logins entered on this page could be compromised.
Attachment #8711095 - Attachment is obsolete: true
Attachment #8711095 - Flags: review?(MattN+bmo)
Attachment #8711230 - Flags: review?(MattN+bmo)
Attachment #8711096 - Attachment is obsolete: true
Attachment #8711230 - Flags: review?(MattN+bmo) → review+
Assignee: nobody → tanvi
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 46
Iteration: --- → 46.3 - Jan 25
Priority: P3 → P1
[bugday-20160323]

Status: RESOLVED,FIXED -> UNVERIFIED

Comments:
STR: Not clear.
Developer specific testing

Component:
Name: Firefox
Version: 46.0b9
Build ID: 20160322075646
Update Channel: beta
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
OS: Windows 7 SP1 x86_64

Expected Results:
Developer specific testing

Actual Results:
As expected