Closed Bug 605198 Opened 14 years ago Closed 14 years ago

URL Display Prevents Users from Easily Checking HTTP vs HTTPS

Categories

(Firefox for Android Graveyard :: General, defect)

All
Android
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 575950

People

(Reporter: mcoates, Unassigned)

Details

Attachments

(1 file)

Motorola Droid
Fennec Nightly - 4.0b2pre

Issue

The Fennec URL bar does not show the protocol of the current page. As a result, a user who is concerned about submitting sensitive information, such as username and password, is unable to easily distinguish if they are currently on a page served over HTTP or HTTPS. It is possible to click on the settings button (second from left) and view the information here, but this is not a normal action to the user at all.

Steps to reproduce
1. Browse to a site that accepts login credentials over HTTP, such as http://www.twitter.com
2. Then browse to the HTTPS version of that same page, https://www.twitter.com
3. Observe that the user experience is the exact same between options 1 and 2 and there is no obvious indicator to the user that one option could submit their credentials in clear text.

Recommended Remediation
Implement some sort of obvious indicator to the user to distinguish HTTP from HTTPS pages. One option is to simply show the protocol in use (HTTP vs HTTPS). Another option is to use a color coding scheme such as making the URL yellow for HTTPS pages; however, this would require a lot more research into the effectiveness of a new scheme.
tracking-fennec: --- → ?
Attached image screenshot (deleted) —
Fennec's URL bar is not onscreen all the time like in desktop Firefox, but you can display it by tapping on the titlebar, pressing Control-L (Menu-L on Android devices with hardware keyboards), or pressing Android's Search button.  When you display the URL bar, it does include the protocol of the current URL.

In addition, Fennec displays the favicon on a background that is color-coded to match the Larry colors (just like the favicon display in Firefox 4 for desktop) and clicking on the favicon reveals the Larry panel with additional security information.  This is broken in current builds but will be fixed soon (bug 575950).
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Matt,

Thanks for the info.  I guess this turns into more of a security/usability & design discussion. 

Will users take the steps to check if the page is HTTPS before they submit their user/pass?
Do users currently look at the URL in desktop FF for HTTP vs HTTPS?
Can we add some other indicator for the security conscious so they easily can distinguish between HTTP and HTTPS pages (perhaps your color-codes will work)?

I'm not looking for any answers to the above questions - just some thoughts on the overall issue.  I'll watch the other bug for any progress on the issue.
I should note that the favicon colors and their interaction with the Larry panel are consistent not just with Firefox 4 but also with Firefox 3.6 (and possibly earlier - I don't have 3.5 or 3.0 installed).

I too am curious to see research on the questions in comment 3.

One reason for the Larry panel (and other security UI decisions in desktop Firefox) is that we *don't* want to train users that "https" means that their communication is secure.  Real security requires that the communication is encrypted *and* the other party's identity is verified.  There are many ways a page can have "https:" at the start of the URI and still be insecure.
(In reply to comment #4)
> There are many ways a
> page can have "https:" at the start of the URI and still be insecure.

Agreed. It's a tough issue to address. Give the users something to judge security on and accept it's not perfect (e.g. https), train them to look for lots of things, or give them nothing and hope things work out in the end.
One idea I had when looking at the attachments was to test the page title to see if it was in the form of a URL and if so, show the actual URL instead.
How much value do we get from displaying the title?  Looking through my history, less than half the pages I visit have titles that fit in Fennec's titlebar without being cut off (in portrait orientation).  Maybe it would be better to have some secondary UI where the title is displayed, in a way that allows for longer titles.
Oops, comment 7 was meant for bug 605206.  Moving it over there.
(In reply to comment #6)
> One idea I had when looking at the attachments was to test the page title to
> see if it was in the form of a URL and if so, show the actual URL instead.

That's a really interesting idea! Where by interesting, I mean we should probably do that.
tracking-fennec: ? → ---
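
The idea from comment 6 (show the real URL when the page title is itself shaped like a URL), sketched as an added example that is not Fennec code and not part of the original thread. `titleLooksLikeUrl`, `titlebarText` and both regexes are hypothetical names, and checking only the first whitespace-delimited token of the title is an assumption based on the titlebar truncating long titles.

```javascript
// Added example: hypothetical helpers, not Fennec's implementation.
// Explicit scheme prefix, e.g. "https://".
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:\/\//i;
// Bare host, optionally with port/path, e.g. "www.example.com/login" (heuristic).
const HOSTLIKE_RE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:[\/?#]\S*)?$/i;

// True when the part of the title a truncated titlebar would show first
// could be mistaken for an address.
function titleLooksLikeUrl(title) {
  const firstToken = title.trim().split(/\s+/)[0] || "";
  return SCHEME_RE.test(firstToken) || HOSTLIKE_RE.test(firstToken);
}

// Decide what the titlebar shows. The scheme is always taken from the real
// URL, never from the title, so it can drive an HTTP/HTTPS indicator.
function titlebarText(pageTitle, pageUrl) {
  const url = new URL(pageUrl);
  const scheme = url.protocol.replace(":", "");
  const title = (pageTitle || "").trim();
  if (title === "" || titleLooksLikeUrl(title)) {
    // Fail safe: a false positive (e.g. a title starting "Node.js")
    // only costs the title, it never hides the real address.
    return { text: url.href, source: "url", scheme };
  }
  return { text: title, source: "title", scheme };
}

// Constructed sample inputs: [page title, actual URL].
const samples = [
  ["https://www.twitter.com", "http://phish.example/login"],
  ["www.twitter.com Sign in", "http://phish.example/"],
  ["Twitter / Home", "https://www.twitter.com/"],
  ["", "https://example.org"],
];
for (const [title, url] of samples) {
  console.log(JSON.stringify(title), "->", titlebarText(title, url));
}
```
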