Open Bug 429021 Opened 17 years ago Updated 2 years ago

identity panel and page info use conflicting terms to indicate lack of verified owner information

Categories

(Firefox :: General, defect)

People

(Reporter: eddy_nigg, Unassigned)

Details

(Whiteboard: [psm-feedback])

Attachments

(1 file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9b5) Gecko/2008032619 Firefox/3.0b5

The identity indicator says today: "You are connected to mozilla.org which is run by (unknown) Verified by:..."

When clicking on "More Information" the certificate viewer screen says: "Website: bugzilla.mozilla.org Owner: This site does not supply identity information..."

Both statements above are simply incorrect! The site is run by the "Mozilla Corporation" and the owner of the site is Mozilla. I expect that Firefox doesn't make wrong statements, instead omit the non relevant bits altogether, if Firefox doesn't want to show it (because of EV).

Instead the identity indicator should show: "You are connected to mozilla.org Verified by:..." and omit the Owner section if it's not relevant. Currently it looks like Firefox is lying to me. When encountering an EV certificate, the indicator can show as it does now.

Reproducible: Always

Steps to Reproduce:
1. Visit https://bugzilla.mozilla.org/
2. Click on the icon next to the URL in the address bar
3. Review information of the identity indicator

Actual Results: Wrong statements like: which is run by (unknown) And Owner: This site does not supply identity information..."

Expected Results: Should omit information which doesn't apply. Omit information which Firefox doesn't want to show because the owner of the web site might be known (and even validated) and there is no entity called "unknown" which runs web sites.
Flags: blocking-firefox3?
Blocks: larry
This behaviour is by design. The identity panel is not a certificate viewer - it is a way for us to communicate to the user whatever identity information we have that we consider valid. For a DV cert, we don't have identity information about "Mozilla Corporation" or "Mozilla" - we have a verified domain, and a bunch of other fields that we wish we knew we could trust, but don't. So including the value of the O field is a non-starter for me. The argument has been made before that we should just drop the text for ownership if we don't have a verified owner. The purpose of the current treatment is to call deliberate attention to the fact that there is this absence. It is entirely legitimate for users to feel that they don't require verified organization information in order to proceed to interact with the site, but we are deliberately communicating the lack. This was the direct intent of bug 418694. Not resolving WONTFIX, because I also feel that there's a way to communicate this distinction more effectively, but I don't feel this blocks Firefox 3.
The information of the O field might or might not be verified, is not something the browser can judge at this stage without EV. However it really should be omitted in order to be correct. Right now the indicator says something which simply isn't correct. BTW, who is "unknown"? Similar that the site/certificate doesn't provide identity information doesn't mean that this statement is correct. I have news for you...there are validation procedures more rigorous than EV. That Firefox chooses only to know about EV doesn't mean that the browser should issue wrong statements. In every respect (including legal) you'd better omit this information if it doesn't suit the policy.
Is there a reason why we say "unknown" and then "This website does not supply identity information"?
(In reply to comment #3)
> Is there a reason why we say "unknown" and then "This website does not supply identity information"?

The latter didn't fit as nicely into the dialog, basically. Though the string in the "More Info" dialog should probably say "owner information" instead of "identity information". Hoo boy does this not block. I'm sure Johnath will be revising the design for the next version, though.
Flags: blocking-firefox3? → blocking-firefox3-
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Incorrect information in identity indicator → identity panel and page info use conflicting terms to indicate lack of verified owner information
Mike, this bug was opened because of WRONG information, not a cosmetic change. I think it appropriate to open a new bug if you feel that it uses conflicting terms. Currently FF3 makes wrong claims and information should be omitted if not suitable to be displayed.
Version: unspecified → Trunk
This behaviour by design is wrong design. Identity authentication and verification is not done only by EV. This bug is a kind of business bug.
Blocks: 444980
Flags: wanted-firefox3.1?
Flags: blocking-firefox3.1?
Flags: wanted-firefox3.1?
Flags: blocking-firefox3.1?
Flags: blocking-firefox3.1-
Discussion regarding this topic...

------- Comment #4 From Rich F 2008-11-26 15:06:30 PST -------
How do I go about supplying identity information to make your insulting statement go away?

------- Comment #5 From Jesse Ruderman 2008-11-26 15:12:19 PST -------
Use https.

------- Comment #6 From Rich F 2008-11-26 15:26:05 PST -------
Ok but if you go to my secure booking page it still says:
Web site: www.blahblah.com
Owner: This web site does not supply identity information.
Verified by: VeriSign, Inc.
So we still have an insulting comment when I click on the secure lock and so what I am rapidly understanding is that in order to make this insulting comment to go away and increase my customers trust it isn't just that I need a VeriSign cert. but that I need a VeriSign EV cert.?

------- Comment #7 From Rich F 2008-11-26 15:43:55 PST -------
Hello anyone home now? What about my last post?

------- Comment #8 From Eddy Nigg, StartCom Ltd. 2008-11-26 15:55:02 PST -------
An EV certificate from any provider will show a less insulting comment ;-) (There are many others besides Verisign, if you prefer)

------- Comment #9 From Rich F 2008-11-26 16:07:24 PST -------
BTW just for **** and giggles does VeriSign and all the cert sellers that have various price ranges on the certs. that you can buy from them fund the development of Firefox?

------- Comment #10 From Rich F 2008-11-26 16:15:17 PST -------
I see it looks like the old statement that you were innocent until proven guilty has once again changed to you are guilty until proven innocent and to clarify it's like this: According to your statement until I get VeriSign or someone of the likes to make a statement something to the effect that I am who I say I am according to Firefox you cannot trust that I am who I say I am??? So I need to pay a lot of money to be who I am. Once again I am guilty until I prove my innocence.
Thank God our real judicial system still believes that I am innocent until proven guilty. I cannot believe an organization like FF has bought into the ****!

------- Comment #11 From Rich F 2008-11-26 16:17:46 PST -------
In reality you could make that statement much less insulting like you used to?
Well so if it is in the long run that your browser is going to insult me to my visitors pertaining to my identity in one degree or another then I just need to build a bridge and get over it. Regardless looks like you guys are done talking to me about it.
If Firefox's wording sounds insulting to you, you can still use SeaMonkey. In its current bleeding-edge development version (which, today, is (on my OS) "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1b3pre) Gecko/20081127 SeaMonkey/2.0a2pre" with a Build ID of 20081127000503) it shows pale-yellow URL-Bar background for DV or EV as opposed to white for no cert, and it is hard (but, I think, possible) to tell the difference between an EV cert and a DV cert. (No warranty that it won't become just as insulting as Firefox a few weeks or months from now, but I hope it won't.) Actually the current wording used by Firefox is intentionally frightening, because the Fx developers believe that if you don't use an EV cert it is easy for a malevolent third party to impersonate you with no one the wiser, and maybe (if you're a banker) make your customers unwittingly type in their account numbers and passwords into a counterfeit form. As for me -- I'm not as versed in "security" technology, and I don't know how easy or hard it would be for a "mad hacker" to break in, and where. Actually I don't use Internet banking, but that's not enough in itself to protect me, because my attorney-in-fact does. I just hope she's careful in how she uses it.
This bug is about removing information which doesn't apply, similar to details omitted in the subject line of certificates which weren't validated. I recognize the fact that EV is the standard endorsed by Mozilla as the only choice for displaying validated information, however there is no one called "unknown" who runs web sites AND was also verified by a CA ;-) Omitting any information which doesn't apply seems to me the correctly balanced solution instead. Same goes for the Web Site Identity...:

Web Site: bugzilla.mozilla.org
Owner: This web site does not supply identity information.
Verified by: Equifax

Did Equifax verify that the web site owner didn't supply identity information? Or that the site is run by "unknown"? Or what exactly is going on here? Johnath, can you look into this one once more?
(In reply to comment #16)
> Well so if it is in the long run that your browser is going to insult me to my
> visitors pertaining to my identity in one degree or another

I fail to see what is insulting about saying we don't know or can't verify who owns a particular site. I have my own (minor) issues with the wording, but "insulting"? I don't see it.
Once again... I paid $700.00 this past year to VeriSign and basically had to have my left testicle put under a microscope in order to get my cert. If I click on the secure lock IE7 says VeriSign blahblah has identified this site as www.mysite.com and to the typical user it instills a significant level of trust. With all of our efforts to instill trust in our company by our users FireFox has turned around and said no wait it isn't good enough you need to pay VeriSign $300.00 more get an EV cert. and let them put both your left testicle and right testicle under the microscope and then we will say we know you??? I guess is what I would be assuming from my take on the replies I've gotten from this forum. I am thinking at the rate I am going that in a few years I will need to pay VeriSign $2,000.00 a year to get the secure cert. with EV triple dipped in chocolate with 2 snaps with a little umbrella sticking out of it in order to instill trust with our users.
"Insulting" is a strong word, but it's pretty rude on FF's part. Imagine you go to a conference. You're a bit unsure who everyone is, but you've got your trusted friend Moz with you. Even though Moz doesn't know everyone personally, he knows a lot of conference organisers and has got a pretty good idea what looks like a genuine name badge. As you go round the conference room, Moz introduces you to people. Some are wearing namebadges, some aren't. Moz introduces some of the ones with name badges by name. When you get to John, who *is* wearing a name badge, your friend Moz says "I don't know who this guy is, he won't tell us". John points furiously at his name badge, which says "John". Moz continues in a state of denial saying "I'm sorry, unlike other people in this room, this guy refuses to wear a name badge to say who he is". At this point you're a bit confused. It's plain for anyone to see that John has got a name badge on. Your friend Moz might not believe it, but in that case you'd expect Moz to be saying "Hey, this guy says he's called John but I'm a bit suspicious of his badge so I'm going to just warn you that I don't know him personally". John, assuming he really is John (which he probably is) is also probably feeling a bit snubbed at this point and most people would say Moz is being rather rude to John by picking him out and then making a statement that is clearly false. More to the point, it also makes people doubt the sanity of Moz and you might think twice about having him as your friend any more. In bug #439936 I explained very clearly the current failure to distinguish between "identity" and "how much you trust that identity". In bug #424182, Jakob Bohm made some very sensible suggestions about improving the wording. Sadly it seems nobody seems to really care that Moz continues to display meaningless, user-confusing nonsense like "...run by (unknown) Verified by: FooCA"). 
As Eddy rightly said in comment #18, this is also actually making false statements about what CAs have/haven't done.
I applaud the two previous commenters (Tim and Rich - #20 and #21) for their very genuine and insightful posts. I think Firefox developers should finally rethink the wording that is indeed insulting for all the small developers and website owners that try to have their sites secure (with strong encryption SSL) without paying outrageous prices to companies that could be called a cartel or even an oligopoly. EvSSL is indeed a pain in the ass to get and even then I as a customer am paying some third party (be it Verisign, Comodo or other SSL provider) an outrageous amount for their inspection of almost my private life. Mozilla has to rethink the whole security and usability point of how Firefox displays warning about old-fashioned certificates that feature strong encryption. Either use WHOIS info to display who the domain belongs to and warn about domains with Privacy set or choose some other option, just don't say that you don't know the owner of the certificate in the current, insulting, way.
It seems that the real problem is that Firefox ships with Certificate Authorities that cannot be trusted to properly validate the data before signing an "O" field. My question is this: If we cannot trust "O", why do we trust "CN"? Isn't the proper course of action to remove the known untrustworthy CAs from the distribution? As Rich F has figured out, if you're not going EV, just get the cheapest host-only cert you can get. Anything in between is a complete waste of time and money. Firefox will treat your cert the same.
The CN field in SSL server certificates (same applies to email field for S/MIME) requires to be control validated by the Mozilla CA Policy. Myself part of the team over at m.d.t.c. can confirm that this requirement is enforced. Not so the organization and other fields for Non-EV certs, it may or may not be validated to a certain degree. Most CAs omit organizational information (or use the validated domain name instead) for domain validated certificates. But since it can't be guaranteed right now the organization field can't be relied upon. My proposal is to omit this information altogether in the UI or substitute the "(unknown)" with "(domain.com)", since this is the lowest, validated parameter correct for all certificates (not including EV).
Ok, so I have my little shop on Main Street, and it's supplementing my income with a small profit. One day the company who supplies one of my four entrance doors comes along and puts a sign on the door saying "The identity of the owner of this shop has not been verified". Then he tells me it'll cost (in my case) about $700 to get it removed. I would run off yelling Extortion. The message is a little like a pilot of an aircraft getting on the intercom and saying "Ladies and gentlemen, there is absolutely no cause for alarm". The seeds of doubt are planted, in the minds of people who are already a little nervous. The message "This site does not supply identity information" is also incorrect. I have supplied that information and it has been verified. Sure, not to the new exacting $700 standard, but it has been verified. Perhaps a better text would be something like "This site has provided basic identity information".
Mostly everyone's browser says the issuing certificate authority says this site is whoever.com bought the certificate. Apparently Firefox has decided to place the liability on the site owner rather than the certificate issuer like every other browser does. Thereby alleviating Firefox and the certificate issuer from any liability. Oh but apparently if you are willing to pay like $300.00 more to get an EV Cert. the issuer will scrutinize you more thoroughly as if they didn't check you over thoroughly in the first place and then assume some minuscule sort of liability. I haven't purchased the EV cert. yet so I don't even know if Firefox is going to give you the thumbs up after that!
Attached patch change larry ui (deleted) — Splinter Review
Attachment #354564 - Flags: ui-review?(johnath)
Attachment #354564 - Flags: review?(kaie)
I don't think the solution in attachment 354564 really does much to help users understand what they should and should not be looking for when trying to establish the identity of the site to which they are connected. I said earlier in this bug (and meant it) that Johnath has plans to revise the UI here based on feedback to both help users and insult people less, since that's never our goal. Inspired by an IRC conversation I mocked this up for his input and consideration:

LARRY [x] This website is protected from eavesdropping
LARRY [x] This website is verified to be mozilla.com
LARRY [ ] The owner of this website isn't verified
(information verified by Equifax, Inc)
Consequences and suggestions go here
( Ability to look deeper goes here! )
(to be clear [x] needn't be checkboxes, but some other sort of indicator)
Ok, here's the way I see it (and I like the name badge analogy so I'm going with it)

If websites are like people, a regular cert is like a name badge that's issued just because you say you have a name. You can prove it (you show a credit card, say) but the issuer just looks at the fact that you own the site, but it doesn't know the company who's behind it. It just knows that you're connected to blah.com, it can't tell if blah.com is run by Blah, Inc or by John Q Hacker. In other words, it doesn't know if that credit card is a fake or stolen. It just knows you have it.

The real danger is that John Q hacker can hack in and redirect blah.com to his site blahh.com and get a valid cert for blahh.com. So the user who isn't paying attention (like me) will see a valid cert and end up in lots of trouble. (There's phishing protection but it's never safe to rely on that since that relies on users who are vigilant and say "Hey, something isn't right!")

With an EV cert, the issuer has to verify the company behind the cert. So it checks with Blah, Inc and makes sure that it's actually the one behind blah.com. So when John Q Hacker gets blahh.com, his EV cert will say John Q Hacker which is very obviously wrong. This is like forcing the person issuing name badges to take your credit card and then checking photo ID and calling your credit card company to make sure that everything is in order.

Most users can probably trust both name badges but if I ever go to Paypal (who I know use EV) and get a regular cert, I'm liable to run the other way really fast. Hopefully more of the sites I really worry about will start using the EV certs and for the other sites, the regular cert is fine since I only care about interacting with the website, not the company.

While this seems like overkill and frankly, I agree the standard is pretty darn high, it's unfortunately necessary in this new internet world we live in.
We can't simply punish the offenders after the fact because they can have already stolen hundreds of thousands of identities and flooded your system with viruses before even Google phishing protection catches it.
My 2 cents on the patch
1. The wording change is an improvement
1a. It won't satisfy rich f et al. because it still doesn't recognize a middle-ground between EV and DV certs. The middle-ground does exist but not formalized like EV. That's got to be in a different bug
2. This is the wrong bug I think, since you didn't do anything to bring the identity panel and page info together.
3. The order is now different between EV and DV certs
Comment on attachment 354564 change larry ui
Removing my review request as I don't work on Larry UI.
Attachment #354564 - Flags: review?(kaie)
I recently came across this and would like to point out that the page info box appears to display contradictory information:
1. Website: bugzilla.mozilla.org
2. Owner: This web site does not supply identity information
3. Verified by: Equifax
4. This web site provides a certificate to verify its identity.

It would appear that lines 2 and 4 contradict each other. I understand that line 2 refers to ownership identity and that line 4 refers to hostname/domain-name identity, but without a good knowledge of the difference between EV and non-EV certificates, the information seems to be self-contradictory. In addition, the statement, "This web site does not supply identity information" is false. If you look at the certificate, the ownership of the website is identified as "Mozilla Corporation". A less untrue statement would be something like "This web site does not supply verified identity information about its owner."
Whiteboard: [psm-feedback]
Comment on attachment 354564 change larry ui
Moving UI-review requests over to the ux-review@mozilla.com alias
Attachment #354564 - Flags: ui-review?(johnath) → ui-review?(ux-review)
Comment on attachment 354564 change larry ui
Review of attachment 354564:
-----------------------------------------------------------------
Yes, I believe the right course of action here is to make the indicator more readable, and call out the various aspects of security, line-by-line — like Beltzner suggested:
______________________________________________
✓ This website is protected from eavesdropping
✓ This website is verified to be mozilla.com (verified by Equifax, Inc)
The *owner* of this website is *not* verified
______________________________________________
I also know Jesse has some other things he wants to list in a pulldown like this.

Make no mistake, though — this is expert-level UI, and will do nothing to protect or help most people. Currently, people trust a 16x16 GIF of a lock placed next to a "Buy Now!" button, and they don't understand the content/chrome barrier at all. That doesn't mean that we shouldn't fix the expert UI and make it more useful, of course. (Also, to address an earlier point: omitting information doesn't work because people never notice the *absence of an indicator*, only the presence or change of an indicator.)

As implemented in the patch, I don't think this does enough to help anyone.
Attachment #354564 - Flags: ui-review?(ux-review) → ui-review-
> I also know Jesse has some other things he wants to list in a pulldown like this. Bug 711816 :)
This doesn't even work right for some EV certificates. Try https://www.boj.or.jp the web site of the Bank of Japan, Japan's central bank, assets Y144,457,758,359,000. Firefox 10.0 displays that cert with "This website does not supply ownership information." That's a Verisign Class 3 Extended Validation certificate. It has the OID "2.16.840.1.113733.1.7.23.6", which is Verisign's proper OID for an EV cert. (http://www.oid-info.com/get/2.16.840.1.113733.1.7.23.6). It has a valid O field, a valid locality field, a valid countryName, all the jurisdiction fields, and the serialNumber (of the corporation) field, as required for an EV cert. But Mozilla didn't properly recognize the ownership information.
(In reply to John Nagle from comment #39)
> This doesn't even work right for some EV certificates. Try
>
> https://www.boj.or.jp
>
> the web site of the Bank of Japan, Japan's central bank, assets
> Y144,457,758,359,000. Firefox 10.0 displays that cert with "This website
> does not supply ownership information."

That's not what I see when I load that site with Firefox 11. I recommend you file a separate bug report to investigate this issue - it doesn't seem related to this one.
Yes, broken in 10.0, works in 11.0. What change fixed it?
Two points to add here.

One: Firefox should not decide for the user if information is reliable. It should state the facts. Indication is insufficient. When the O= Subject field is available it should be displayed with an indication that it is verified but to a lesser extent than EV.

Two: IT developers have a problem to identify shades of grey. It's either black or white. In real life you have these shades. If you want FF to be a browser for humans, then you should better indicate the "in between" levels of identity verification, just like in real life. There should be one more shade:
- Identity EV verified (implemented)
- Identity less than EV verified (missing)
- No Identity given (implemented)
- Invalid certificate (implemented)
- No certificate (no ssl, implemented)

What is asked here is the missing shade, which I would call a feature to make Firefox a more friendly, warmer but also more honest browser.
The Baseline Requirements provide that CAs may issue certificates that populate the "O" field by following section 11.2 of the Baseline Requirements. It seems to me that we now have plenty of basis to assert that clicking on the lock icon should no longer result with an "(unknown)" statement where the "O" field is populated by a CA that complies with the Baseline Requirements. Similarly, if the user is willing to click on the link for more information, then he/she should not be presented with a statement that "This website does not supply ownership information" when such is not the case.
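Added illustration, not part of the bug thread and not Firefox code: a JavaScript sketch of the distinction argued over in the comments above, where the host name is asserted for any matching certificate while the O field is reported as a verified owner only when the certificate carries an EV policy OID the browser recognises. The object shape, function names, tier names and panel strings are assumptions of this example; the VeriSign EV OID is the one quoted earlier in the thread, and all sample certificates are constructed.

```javascript
// Simplified model of the decision argued over in this bug. Not Firefox source.

// Policy OIDs accepted as EV. Real browsers tie each OID to specific roots;
// this sketch keeps only the set. The entry is the VeriSign EV OID quoted above.
const EV_POLICY_OIDS = new Set(["2.16.840.1.113733.1.7.23.6"]);

// Subject attributes the thread lists as present in an EV certificate.
// The key names are this example's own convention.
const EV_SUBJECT_FIELDS = ["O", "L", "C", "jurisdictionC", "serialNumber"];

// Match a host against a certificate DNS name. "*" may stand only for the
// whole leftmost label, so it never spans a dot.
function hostMatches(host, pattern) {
  const h = host.toLowerCase().split(".");
  const p = pattern.toLowerCase().split(".");
  if (h.length !== p.length) return false;
  return p.every((label, i) => (i === 0 && label === "*") || label === h[i]);
}

// Decide what may be asserted for a certificate whose chain already validated
// (assumption). `cert` is a plain object: { dnsNames, subject, policyOids }.
function classifyIdentity(host, cert, evOids = EV_POLICY_OIDS) {
  const subject = cert.subject || {};
  const none = { domain: null, verifiedOwner: null, claimedOwner: null };
  if (!(cert.dnsNames || []).some((n) => hostMatches(host, n))) {
    return { tier: "invalid", ...none };
  }
  const evPolicy = (cert.policyOids || []).some((oid) => evOids.has(oid));
  const evSubject = EV_SUBJECT_FIELDS.every((f) => Boolean(subject[f]));
  if (evPolicy && evSubject) {
    return { tier: "ev", domain: host, verifiedOwner: subject.O, claimedOwner: null };
  }
  // Non-EV: the domain is validated, but O (if present) is only a claim.
  return {
    tier: subject.O ? "owner-claimed" : "domain-only",
    domain: host,
    verifiedOwner: null,
    claimedOwner: subject.O || null,
  };
}

// Render one statement per line, in the spirit of the mockups in the thread.
function panelLines(r) {
  if (r.tier === "invalid") return ["This website's identity could not be verified"];
  const lines = [`This website is verified to be ${r.domain}`];
  if (r.verifiedOwner) {
    lines.push(`This website is run by ${r.verifiedOwner}`);
  } else {
    lines.push("The owner of this website is not verified");
    if (r.claimedOwner) lines.push(`Unverified owner claim in certificate: ${r.claimedOwner}`);
  }
  return lines;
}

// Constructed sample certificates (illustrative values, not real certificates).
const evSubject = { O: "Example Bank", L: "Example City", C: "JP",
  jurisdictionC: "JP", serialNumber: "0000-00-000000" };
const samples = {
  dv: { dnsNames: ["*.example.org", "example.org"], subject: { CN: "*.example.org" }, policyOids: [] },
  // 2.23.140.1.2.2 is the CA/Browser Forum organization-validated policy OID.
  ov: { dnsNames: ["shop.example.com"], subject: { O: "Example Shop Ltd" }, policyOids: ["2.23.140.1.2.2"] },
  ev: { dnsNames: ["www.example.jp"], subject: evSubject, policyOids: ["2.16.840.1.113733.1.7.23.6"] },
  // EV-looking subject, but a made-up policy OID that is not on the browser's list.
  lookalike: { dnsNames: ["www.example.net"], subject: evSubject, policyOids: ["1.3.6.1.4.1.99999.1"] },
};

for (const [name, host] of [["dv", "bugs.example.org"], ["ov", "shop.example.com"],
  ["ev", "www.example.jp"], ["lookalike", "www.example.net"], ["dv", "a.b.example.org"]]) {
  console.log(name, host, panelLines(classifyIdentity(host, samples[name])));
}
```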
Severity: normal → S3

The severity field for this bug is relatively low, S3. However, the bug has 9 duplicates.
:mossop, could you consider increasing the bug severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(dtownsend)

The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.

Flags: needinfo?(dtownsend)