How to supply "web site identity information" - as

Discussion of bugs in Mozilla Firefox
sdwilsh
Posts: 563
Joined: November 6th, 2005, 9:46 pm
Location: California

Re: How to supply "web site identity information" - as

Post by sdwilsh »

BvdB wrote:Yes, but this site (and Yahoo, Google) do not supply fresh water as well - so why don't we send a warning?:
This website does not supply fresh water.

Maybe because water isn't important on the Internet, but knowing who it is your computer is talking to is?
Problem Solver
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

A lot of things are "important on the Internet" - why should a browser warn you if one of those is missing?
Why should anyone naturally expect a "guarantee to really be on their site and that your DNS wasn't hijacked"?

The warning that is sent now produces a completely wrong impression on the side of the user.
Did you ever see a warning sign on the dashboard of a low-powered car saying?: "This car has a weak engine."
sdwilsh
Posts: 563
Joined: November 6th, 2005, 9:46 pm
Location: California

Re: How to supply "web site identity information" - as

Post by sdwilsh »

BvdB wrote:A lot of things are "important on the Internet" - why should a browser warn you if one of those is missing?
Why should anyone naturally expect a "guarantee to really be on their site and that your DNS wasn't hijacked"?

Well, I don't know about you, but I sure would want a warning if I was sending my password for my bank account to a server that wasn't my bank's. There's all sorts of data and privacy issues that come up when you aren't communicating with the party you think you are communicating to.

BvdB wrote:The warning that is sent now produces a completely wrong impression on the side of the user.
Did you ever see a warning sign on the dashboard of a low-powered car saying?: "This car has a weak engine."

Thanks for replying with yet another straw man argument. It doesn't help your argument, so I suggest you stop.
Problem Solver
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

comrade693 wrote:Well, I don't know about you, but I sure would want a warning if I was sending my password for my bank account to a server that wasn't my bank's. There's all sorts of data and privacy issues that come up when you aren't communicating with the party you think you are communicating to.

That's precisely what HTTPS was invented and is applied for.

In Internet-Explorer (at least 6.x) there comes a popup when submitting form data without encryption warning you about the consequences - everyone I know ticked the "[X] Don't warn me anymore" the second time he got the popup.
So you propose to warn him always and leave the checkbox out.
And call it "security" .. :wink:
sdwilsh
Posts: 563
Joined: November 6th, 2005, 9:46 pm
Location: California

Re: How to supply "web site identity information" - as

Post by sdwilsh »

I'm really not sure how you got me proposing that out of my previous statement...
Problem Solver
cppgenius
Posts: 16
Joined: April 10th, 2007, 10:17 am

Re: How to supply "web site identity information" - as

Post by cppgenius »

BvdB wrote:It looks like a shortcoming of the domain which is misleading.


That's the whole point, why is it so hard for certain people to understand!?

comrade693 wrote:Well, I don't know about you, but I sure would want a warning if I was sending my password for my bank account to a server that wasn't my bank's. There's all sorts of data and privacy issues that come up when you aren't communicating with the party you think you are communicating to.


There is a certain protocol to follow when you collect certain types of information. If you collect sensitive information you need to do this over a secure and encrypted connection, in other words SSL. If a site never collects any information what's the use of a stupid message that you are not communicating with the site you think you are communicating with? What are you afraid of, that the site is going to steal the letters you typed into the address bar? Are you afraid the site is going to steal the phrases you entered into Google? You are not supposed to do Google searches for your credit card number. :D

My point is that if you only collect an e-mail address on a contact form, purely for communication purposes, why should you suddenly get yourself an SSL certificate? Why should a browser like Firefox put doubt in the minds of your loyal visitors due to a bad oversight in wording?

Why does a website need to supply identity information? Only when there are concerns about the privacy of your visitors and the safety of the information that they submit to your site. But if people visit my blog, only to read my daily blog posts, what exactly puts their privacy at risk if I don't supply "identity information"?
sdwilsh
Posts: 563
Joined: November 6th, 2005, 9:46 pm
Location: California

Re: How to supply "web site identity information" - as

Post by sdwilsh »

cppgenius wrote:There is a certain protocol to follow when you collect certain types of information. If you collect sensitive information you need to do this over a secure and encrypted connection, in other words SSL. If a site never collects any information what's the use of a stupid message that you are not communicating with the site you think you are communicating with? What are you afraid of, that the site is going to steal the letters you typed into the address bar? Are you afraid the site is going to steal the phrases you entered into Google? You are not supposed to do Google searches for your credit card number. :D


I never said, nor meant to imply that I'm worried about my information going to a non-SSL based site. I also never said or meant to imply that all sites should be over SSL.

cppgenius wrote:My point is that if you only collect an e-mail address on a contact form, purely for communication purposes, why should you suddenly get yourself an SSL certificate? Why should a browser like Firefox put doubt in the minds of your loyal visitors due to a bad oversight in wording?


You don't need to get an SSL certificate. First of all, the indicator that you are complaining about isn't in the primary UI - you have to click the Identity button before you can see it. Secondly, I'm not really sure how the statement "This web site does not provide any identity information." (which is the string I see in Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1b1pre) Gecko/20080901020926 Minefield/3.1b1pre) puts any doubt into anyone's mind. It's not being announced - it's there if the user clicks to get more information.

I might agree with your argument if this were in the primary UI, but alas, it is not.

cppgenius wrote:Why does a website need to supply identity information? Only when there are concerns about the privacy of your visitors and the safety of the information that they submit to your site. But if people visit my blog, only to read my daily blog posts, what exactly puts their privacy at risk if I don't supply "identity information"?


There isn't any privacy risk, nor does the UI indicate anything like that.
Problem Solver
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

Fine, comrade, so we agree that we're not discussing what _you_ said or meant to imply - but what _Firefox_ says.

And there the simple fact is: There is no way a non-https website _could_ supply the "identity information", so it makes no sense to inform the user that it did not.
vodhner
Posts: 8
Joined: November 29th, 2004, 10:57 pm

Re: How to supply "web site identity information" - as

Post by vodhner »

My objection to this pop-up message is that it invariably gets in the way when I am trying to drag the favicon handle from the address line down onto the links bar. Since that is the most likely intent when one clicks on the favicon, couldn't the tool tip be positioned elsewhere?
a;skdjfajf;ak
Posts: 17002
Joined: July 10th, 2004, 8:44 am

Re: How to supply "web site identity information" - as

Post by a;skdjfajf;ak »

vodhner wrote:My objection to this pop-up message is that it invariably gets in the way when I am trying to drag the favicon handle from the address line down onto the links bar. Since that is the most likely intent when one clicks on the favicon, couldn't the tool tip be positioned elsewhere?


Long standing bug: https://bugzilla.mozilla.org/show_bug.cgi?id=312852
vodhner
Posts: 8
Joined: November 29th, 2004, 10:57 pm

Re: How to supply "web site identity information" - as

Post by vodhner »

Wow. Three years of chatter, several attempts, still doing it. Being a developer myself, I can only sympathize with the team: You think you're fixing something, you think you've tested it ... Software is just too doggoned complicated. ](*,)
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

Sorry vodhner, but what is going on for "three years" now, who or what is "still doing it" - and doing what? And what does it mean to "sympathize with the team"? -
Or, to cut it short, what is your comment on the question of this thread:
Should the warning that the current http-site does "not supply identity information" be kept in place - or not?
Canyonero
Posts: 1407
Joined: April 25th, 2003, 11:02 pm

Re: How to supply "web site identity information" - as

Post by Canyonero »

I'm confused by this argument. Shouldn't the wording be something more along the lines of "The identity of this website could not be verified"? Not, "This website doesn't supply identity information". Who cares if the site tells me, "Uhmm... I'm.... Google. Yeah Google". That's not going to keep someone from spoofing or stealing data. There should be doubt in users' minds, and there probably is if they're looking at the popup. In that case Firefox should tell them that it doesn't know anything, not just stare blankly. In fact, wasn't the old argument that it's more important for users to know when they're not secure than it is for them to know when they are?
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

Canyonero wrote:I'm confused by this argument.

_Which_ argument?
Canyonero wrote:In fact, wasn't the old argument that it's more important for users to know when they're not secure than it is for them to know when they are?

So then the text should read:
"You're never secure on a website that uses only http - like this one."

This is empty talk and should be avoided, be it for software security or elsewhere.
mrs260
Posts: 127
Joined: August 30th, 2004, 7:25 pm

Re: How to supply "web site identity information" - as

Post by mrs260 »

If I might put in my two cents... I think the mouseover "This website does not supply identity information" message is confusing, and that's what I think BvdB is trying to say. (When it first appeared, I didn't know what it meant until I happened to notice the different message on a secure site.)

Sure, if you think to click, the box that pops up clarifies the initial tooltip, but if you don't know it's clickable and don't visit (or notice a change at) a lot of secure sites, you're left wondering *what* identity information.

I would suggest that a tooltip along the lines of, "This website does not use encryption" would be clearer. More people will, I suspect, know or deduce what that means.