
Mozilla revamps Firefox's HTTPS address bar information


Karlston


Mozilla plans to make changes to the information that the organization's Firefox browser displays in its address bar when it connects to sites.

 

Firefox currently displays an i-icon and a lock symbol when connecting to sites. The i-icon displays information about the security of the connection, content blocking, and permissions; the lock icon indicates the security state of the connection visually. A green lock indicates a secure connection and if a site has an Extended Validation certificate, the name of the company is displayed in the address bar as well.

Mozilla plans to make changes to the information that is displayed in the browser's address bar that all Firefox users need to be aware of.

 

One of the core changes removes the i-icon from the Firefox address bar, another the Extended Validation certificate name, a third displays a crossed out lock icon for all HTTP sites, and a fourth changes the colour of the lock for HTTPS sites from green to gray.

Why are browser makers making these changes?

Most Internet traffic happens over HTTPS; latest Firefox statistics show that more than 79% of global pageloads happen using HTTPS and that it is already at more than 87% for users in the United States.

 

The shield icon was introduced to indicate to users that the connection to the site uses HTTPS and to give users options to look up certificate information. It made sense to indicate that to users back when only a fraction of sites used HTTPS.

 

With more and more connections using HTTPS, browser makers like Mozilla or Google decided that it was time to evaluate what is displayed to users in the address bar.

 


Google revealed plans in 2018 to remove Secure and HTTPS indicators from the Chrome browser; Chrome 76, released in August 2019, does not display HTTPS or WWW anymore in the address bar by default.

 

Mozilla launched changes in Firefox in 2018, hidden behind a flag, to add a new "not secure" indicator to HTTP sites in Firefox.

 

Google and Mozilla plan to remove information that indicates that a site's connection is secure. It makes some sense, if you think about it, considering that most connections are secure on today's Internet. Instead of highlighting that a connection is secure, browsers will highlight if a connection is not secure.

The changes are not without controversy though. For more than two decades, Internet users were told that they needed to verify the security of sites by looking at the lock symbol in the browser's address bar. Mozilla does not remove the lock icon entirely in Firefox 70 and the organization won't touch the protocol in the address bar either at this point; that is better than what Google has already implemented in recent versions of Chrome.

 

The following changes will land in Firefox 70:

  • Firefox won't display the i-icon anymore in the address bar.
  • Firefox won't display the owner of Extended Verification certificates anymore in the address bar.
  • A shield icon is displayed that lists protection information.
  • The lock icon is still displayed; it displays certificate and permission information and controls.
  • HTTPS sites feature a gray lock icon.
  • All sites that use HTTP will be shown with a crossed out shield icon (previously only HTTP sites with login forms).

Mozilla aims to launch these changes in Firefox 70. The browser is scheduled for a release on October 23, 2019.

 

Firefox users may add a "not secure" indicator to the browser's address bar. Mozilla, just like Google, plans to display it for sites that use HTTP. The additional indicator needs to be enabled separately at the time of writing; it won't launch in Firefox 70.

  1. Load about:config in the Firefox address bar.
  2. Search for security.identityblock.show_extended_validation.
  3. Set the preference to TRUE to display the name of the owner of Extended Validation certificates in Firefox's address bar, or set it to FALSE to hide it.

The new gray icon for HTTPS sites can be toggled as well in the advanced configuration:

  1. On about:config, search for security.secure_connection_icon_color_gray.
  2. Set the value to TRUE to display a gray icon for HTTPS sites, or set it to FALSE to return to the status quo.

 

 

 

Source: Mozilla revamps Firefox's HTTPS address bar information (gHacks - Martin Brinkmann)


Chrome, Firefox to expunge Extended Validation cert signals

Google and Mozilla have decided to eliminate Extended Validation signals in their desktop browsers; the certificates were designed to assure users they landed on a legitimate site, not a malicious copycat.


Google and Mozilla have decided to eliminate visual signals in their Chrome and Firefox desktop browsers of special digital certificates meant to assure users that they landed at a legitimate site, not a malicious copycat.

 

The certificates, dubbed "Extended Validation" (EV) certificates, were a subset of the usual certificates used to encrypt browser-to-server-and-back communications. Unlike run-of-the-mill certificates, EVs can be issued only by a select group of certificate authorities (CAs); to acquire one, a company must go through a complicated process that validates its legal identity as the site owner. They're also more expensive.

 

The idea behind EVs was to give web users confidence that they were at their intended destination, that the site computerworld.com, for instance, was owned by its legal proprietor, IDG, and not a fishy - and phishy - URL run by It's Crooks All the Way Down LLC and chockablock with malware. Browsers quickly took to the concept, rewarding EV-secured sites with in-your-face visual cues, notably the verified legal identity in front of the domain in the address bar. The identity was often shaded in green as an additional tip-off. (Chrome dismissed the green in September 2018 as of Chrome 69.)

 

But Google and Mozilla claim that EVs are no longer worth calling out in their browsers' address bars.

 

"Through our own research as well as a survey of prior academic work, the Chrome Security UX [user experience] team has determined that the EV UI [user interface] does not protect users as intended," Google wrote in an online document detailing why it is scrubbing EV evidence from the address bar. "Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection."

 

Plus, Google added, the legal entity's name takes up valuable browser real estate.

Mozilla said something similar on Monday. "The effectiveness of EV has been called into question numerous times over the last few years, there are serious doubts whether users notice the absence of positive security indicators and proof of concepts have been pitting EV against domains for phishing," said Johann Hofmann, a Firefox engineer, in a message posted to a development forum.


In October, Firefox will stop showing the legal entity behind the website when the browser encounters an Extended Validation (EV) certificate.

Chrome 77, slated to ship Sept. 10, will remove the EV information from the address bar and place it in the Page Info pop-up, which is accessed by clicking on the padlock icon.

Firefox will follow suit on Oct. 22 with version 70. "We intend to remove Extended Validation (EV) indicators from the identity block (the left hand side of the URL bar which is used to display security/privacy information)," Hofmann said.

 

Other browsers have already ditched the EV signs. Apple's Safari, for example, dropped the company name last year with version 12, the one packaged with macOS 10.14, aka Mojave; Safari still slaps a coat of green on the URL, though. Microsoft's "full-Chromium" Edge eschews any EV indicator.

 

Mobile browsers have usually done without EV extras in the address bar because of space issues, as in they have none to spare. Some of those which have - Safari in iOS, say - later removed it.

 

Opera Software's Opera, however, mimics Firefox's company-name-in-green, even though that browser is built atop the same engines as Chrome.

"EV is now really, really dead," said security professional Troy Hunt, in an Aug. 13 post to his personal blog. "The claims that were made about it have been thoroughly debunked and the entire premise on which it was sold is about to disappear."

 

Hunt, noted for creating and maintaining the "Have I Been Pwned?" website, first called EVs' demise in September 2018 when he wrote, "Their usefulness has now descended from 'barely there' to 'as good as non-existent,'" also on his blog.

 

"The writing might have been on the wall a year ago, but the death warrant is now well and truly inked with both Chrome and Firefox killing it stone cold dead," Hunt said Tuesday.

 

 

 

Source: Chrome, Firefox to expunge Extended Validation cert signals (Computerworld - Gregg Keizer)
