The Saving Sensitive Information alert displays one of UI's biggest crimes: giving the user a long list of directions that he or she must remember. I'm doubtful as to how many users are going to remember to "choose Preferences from the Edit menu, open the Advanced category, and select Forms and Passwords" and the situation is worsened by the fact that the message only appears once. Though it would obviously be extra work (and would probably involve using another method besides alert), I think this dialog would benefit greatly from the addition of a button that would say something to the effect of "Go to Preferences" What do you think?

This dialog was put in for one reason and one reason only. Legal was concerned that the browser manufacturer (be it Netscape or any third party that decides to repackage the browser) would be liable if we stored the users sensitive information unencrypted by default and didn't tell him. So now we are telling him. We would all be much happier if we didn't have to put up this dialog at all. I've gotten a lot of criticism in the past for blasting the user with numerous dialogs when he first stumbles across the single-signon feature and I worked hard to reduce the number of dialogs to a minimum. And now here we go putting up yet another dialog. Consider what happens when the user first submits a form to log on to a website. He gets the following dialogs: - username & password form presented by the website. He clicks submit. - single signon dialog saying "do you want to saved." He clicks yes. - this legal disclaimer dialog (technically unnecessary). He clicks OK - a security warning dialog (technically unnecessary). He clicks OK By now he's so fed up that he probably never wants to use this feature again. I, for one, was agains adding this disclaimer dialog but I do see legal's point. We either encrypt by default (and then we have to put up an "enter master password dialog" once per session) or we don't encrypt by default (in which case we need to put up this disclaimer dialog once in the lifetime of the browser).

Ok, I don't have a build to check what that `security warning dialog (technically unnecessary)' is for ... but as for the first three dialogs, you could quite easily combine them into one. User name: [ ] Password: [ ] [/] Save this login (Warning: <legal disclaimer>) ( Cancel ) (( Log in )) So this is what would happen when an authentication came up: EITHER * `enter master password' dialog (if this login has been stored) OR * the above dialog * IF this is the first time Single Sign-on has ever been used, THEN the `specify a master password' dialog * the security warning dialog (assuming it's necessary). This is -- with the exception of the legal disclaimer bit -- what I suggested a-way back in bug 19935, which has twice been marked as a duplicate of bugs which (IMO) it wasn't a duplicate of.

mpt, I don't think you realize how long the disclaimer is :) I'll post a screenshot (I thought I already did that)

No, you can't combine them. The username/password form is part of the content of the website and we are not going to alter that content. So we need a separate dialog for "do you want to save." Only when the browser itself puts up the username/password dialog (such as for http authentication and ftp authentication) do we have control of the dialog and so we can (and do) combine it with the "do you want to save". And we don't want to combine the "do you want to save" with the legal disclaimer. If we did, nobody would ever see the "do you want to save" because it would be overshadowed by the legal disclaimer.

I had a mid-air collision with Blake and basically we were saying the same thing. It is the shear length of the disclaimer that would overshadow the real meat which is "do you want to save".

Steve, you referred to the user-name/password form as one of the four `dialogs' the user had to go through. That's why I thought it was a dialog, rather than part of the Web content. At some point you have to get out your stopwatch and compare the amount of time taken to read all these dialogs with the amount of time saved by auto-filling the form (and the probability that the user will forget to choose `Capture Form') ... I have a feeling that a complete redesign of this feature is called for. :-|

vrfy (although i do agree with folks' annoyance about all the 'necessary' verbiage and dialogs we gotta have in this version. sigh.)...

I don't understand why this dialog is necessary. If I ask Mozilla to remember a web site password for me, it makes sense that someone else using the computer would be able to access my account at the web site and possibly the password. Explaining that shouldn't require a dialog half as tall as my screen. Furthermore, if I'm not the only person using a computer, then chances are I won't be the first person to save a password and so I won't ever see this one- time dialog. The information in this dialog should be moved to the part of prefs that lets you set a master password. It might also make sense to make this choice visible when you create a new profile, with the choice being between - "not password-protected", - "completely password-protected" (bug 16489), and - "only prefilled information and web passwords-protected" (this feature).

For the record, there have been several bug reports about the CYA dialog for saving sensitive information. Here is a cross-reference list of them: 043503: Bad UI in "Saving Sensitive Information" dialog 102288: Wordings for password manager are specific to the application 117552: opening Site with PW opens annoyance window 117989: Save password shows alert that is vague 119114: logging into hotmail: 6 dialogs

> I don't understand why this dialog is necessary I couldn't agree with you more. But, playing the devil's advocate, the reason that the legal department wanted this dialog is that user is unaware that his password is being saved insecurely and he could hold Netscape liable for the fact that his password got compromised. Ideally Legal wanted us to store passwords securely by default and require the user to take some action if he wanted them stored insecurely. But the novice user would never know to take that action, and so we chose the insecure method as the default method. > If I ask Mozilla to remember a web site password for me, it makes sense that > someone else using the computer would be able to access my account at the web > site and possibly the password. Not if they were stored securely. And the user might have the expectation that they were being stored securely unless we tell him otherwise. > Furthermore, if I'm not the only person using a computer, then chances are I > won't be the first person to save a password If it's your own machine, you will most likely be the first person to save a password. This caveat dialog was not to protect you in a shared-machine environment such as a cyber-cafe (a person would be a complete fool to save his passwords on such a machine) but rather in an environment such as an office where unauthorized people can walk up to your machine when you are away from your desk. > The information in this dialog should be moved to the part of prefs that > lets you set a master password. That won't satisfy the legal requirements. You don't go to the prefs unless you realize that your data is insecure and therefore you want to make it secure. The legal problem is that the user doesn't know that his data is insecure. All that said, the question boils down to whether we still have this legal requirement of not. The lawyer that originally insisted on this is no longer with Netscape, and I haven't heard anybody else defending this on legal grounds. I guess the only way we are going to find out is to run with it and see if anybody objects. So I'll create a patch to remove this dialog and see whether or not it gets approved.

sgehani, alecf please review. Thanks.

I think this will do the trick. Anyone mind trying this patch while I wait for a new DTD?

alecf, I think you posted to the wrong bug report.

Whoa, because a particular employee has left the company has little or no bearing on whether or not this is a requirement. I don't think that person, whoever it was, wanted it in there for his or her own personal edification. Do not check this in. If we would like to reopen this discussion and see if the requirement still stands, we can do that. My personal opinion here, without any legal background obviously, is that this is a better safe than sorry situation and that the fact that a user will only ever see this warning once is worth the cost. I am open to other ways to affect the same result (warn each user who chooses to use the functionality), or getting input from legal/UE on how we could improve/simplify the existing dialog, but it doesn't seem to me that this is very important to be working on given all the other work we need to do.

There are two unanswered questions here: 1. Can we build the warning into help or elsewhere in the interface in a way that gives an adequate heads up without pushing all this text in every user's face? 2. If the answer to #1 is yes, we need to define the solution and lobby Netscape legal to accept it. Jesse's proposal, if I understand it right, depends on password protection for profiles (bug 16489). I think the idea is that when you first set a password for a new profile, you would also have to set whether you want encryption turned on or not. This might take care of the legal issue--except for the person who has only one default profile and starts using Password Manager. Another possibility might be to attach a Help button to the Password Manager dialog that comes up when you click Submit after entering a new name and password. Then the attached Help text could provide a warning. A Help Button for appropriate Password Manager help might be a good idea for that dialog anyway. Not everyone would click it, but at least it would be accessible for people curious enough to read about it, without being in everybody's face. If either or both of these potential solutions seem like a reasonable compromise, I would be willing to demo them to Netscape legal and lobby for the necessary approval. I don't think they can expect us to guard against some users' vague notion that passwords provide cast-iron security, beyond improving the interface and help--within reason. This ugly dialog, which most people aren't going to read anyway, is not within reason. If the browser popped up a dailog every time a user did something that's potentially dangerous, nobody would use it. And there are lots more dangerous things you can do without getting any warning, like opening a mail attachment from somebody you don't know. Either solution would minimize the legal risk more effectively than the current dialog, in my unlawerly opinion.

Todd: I wasn't saying that because someone left the company we can make the change. I clearly said "the only way we are going to find out is to run with it and see if anybody objects". Up to this point nobody seemed to be in favor of keeping this dialog and I was in the awkward position of having to defend the legal position, even though I disagreed with it. So you objected. Good. This is the first time I heard someone speak out defending it. So we won't drop the dialog. Therefore marking this as won't fix until we hear that there is no legal requirement to keep it. Sean said: > 1. Can we build the warning into help or elsewhere in the interface in a way > that gives an adequate heads up without pushing all this text in every user's > face? The answer to that is obviously no. If this is here for legal reasons, then it has to be in every user's face. If it's not in their face, that it offers us no legal protection. > I think the idea is that when you first set a password for a new profile, > you would also have to set whether you want encryption turned on or not. And what would the default be? Not Encrypted? Then we have the legal problem again because novice users will not realize that there passwords can be compromised. Unless, of course, you give the caveat dialog at this time. So what have you gained? > Another possibility might be to attach a Help button to the Password Manager > dialog that comes up when you click Submit after entering a new name and > password. Then the attached Help text could provide a warning. That requires the user to take an explicit action in order to see the warning, and therefore won't meet the legal requirements. > I don't think they can expect us to guard against some users' vague notion > that passwords provide cast-iron security, You're completely missing the point here. The point is that a master password does provide cast-iron security (that's not a vague notion) and we are telling the user that unless he uses one he does not have this security. If he wants to not use one after we gave him this warning, then he does so at his own risk and, since we warned him, we are not liable if his data is compromised.

cc mitchell for mozilla.org legal opinion. Does this really offer legal protection? Does mozilla need such protection? IMO, this alert does nothing to help the user be more secure, and dismissing it is no indication they read it or understood it, since there is only an OK button. What else *could* they click? I think this is a false sense of security, legal or otherwise.

As it is, the warning appears *after* the user chooses to save a web password, and doesn't give the user a way (or tell the user how) to either "unsave" the password or encrypt it under a master password. That makes the legal warning about as unhelpful as it would be if it were buried in the license agreement. So why not move the warning to the license agreement?

Once again, you won't hear any complaints from me -- I'm all for getting rid of the dialog. But as devil's advocate, the more in-your-face the dialog is, the better defense we have for saying "We told you so!" It's a matter of whether we openly disclosed or whether we hid the disclosure in the midst of a lot of fine print. From that perspective, putting it in the license agreement instead of a separate dialog would offer us less legal protection. Comment on trudelle's comment #19 > this alert does nothing to help the user be more secure, ... > I think this is a false sense of security, legal or otherwise. Legal never intended this dialog for the security of the *users*. Rather it was for the security of Netscape -- to give us legal protection in the event of a law suit. It's equivalent to the disclosure that you make when you sell a house.

Steve: I understand that. I doubt it even provides any legal CYA, which is why I cc'd Mitchell.

Given bugs like bug 119828, I think we should seriously consider encrypting by default... at the very least, the dialog that comes up when encryption is off should prominently feature a "turn encryption on" button or something like that which will enable encryption.

I guess I don't see what's so hard about putting "This is risky! You might want to encrypt it with a password. Click here to do that." on the very first dialog the user sees.

Encryption by default won't work. It means that the novice user, who never changes defaults, will always have encryption on. That means that in every session the novice user is going to be asked for his master password sooner or later. This will annoy novice user and make him hate the product. (The entire idea of password manager is that user doesn't have to supply a password when he enters mail for example, and now you are going to make him supply his master password at that time.)

Rowe: OK, so you are proposing make this CYA dialog longer.

Not at all. I'm suggesting that having the option to go right to those prefs is enough of, if not more of, a CYA than the disclaimer is. You could make the thing look like this: Do you want to save this blah blah Yes No Not For This Site This data will be unencrypted and this is very dangerous. Click HERE to turn on encryption. Click HERE to read more. Where the second HERE would be a link that opens a new browser window to a mozilla.org page explaining the whole thing to them. That's one dialog and it's the best of all worlds.

That doesn't explain to me as the end user that the first time i visit this page in a session (and until i correctly enter the password) i'll be nagged for my master password.

That's what the mozilla.org link would be for. If that's not good enough, the addition of the "However" sentence from the existing dialog doesn't grow the thing that much and does say that.

Rowe: What you are proposing in comment #27 is exactly what I talked against in the second paragraph of comment #5.

I guess I disagree with the second paragraph of comment #5 then. When I saw the existing CYA dialog, I thought "Oh that's a dialog about how the general concept of saving these passwords is iffy. I don't need to read that." So the current one isn't doing the job either. Perhaps it'd be better to have the "Yes No Not For This Site" buttons be checkboxes and have the only two real buttons be "Enable Encryption" and "Continue W/o Encryption" So that you could check "Yes, save this password" followed by "Continue W/o Encryption. That with the "However" sentence and a link to read more isn't a huge dialog and C'sYA.