How to supply "web site identity information" - as

Discussion of bugs in Mozilla Firefox
User avatar
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

How to supply "web site identity information" - as

Post by BvdB »

Hi,
by clicking on a website's favicon (left to the URL) Firefox3 provides a window with site information, one of which is the "Owner:" field.
But on my and various well-known sites I only see the comment:
"This web site does not supply identity information."

So how should a server admin provide this information?

Thanks for hints!
// BvdB
User avatar
SK.
Moderator
Posts: 20814
Joined: October 18th, 2007, 1:28 pm
Location: Third Rock From The Sun
Contact:

Post by SK. »

Moving to Firefox Builds.
John 3:16 and Philippians 4:13
User avatar
Max Karl Ernst
Posts: 107
Joined: February 5th, 2008, 3:43 am

Post by Max Karl Ernst »

Yeah, UI has to see some more work done :)
I think "indentity information..." is bad wording and that's what gets people confused.

It would should be something like "Identity of this site is not confirmed by authoritative source".

So, in your case it really means you should get a certificate if you need your identity confirmed, and you probably don't really need that :)
GSkRC33NJ9US
Posts: 239
Joined: January 10th, 2008, 8:13 am

Post by GSkRC33NJ9US »

Yes, is this read from metatags? Or do you HAVE to have to by using https?
chob
Posts: 4283
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post by chob »

I don't know if something's being lost in translation, or if the strings have changed, but for ordinary websites Larry will say something like:

"This web site does not supply identify information. Your connection to this web site is not encrypted."

If you get a proper SSL certificate for the site, Larry should say:

You are connected to
< website address >
Which is run by
(unknown)

If you want the "Which is run by" to read something other than "(unknown)" then you need an EV SSL certificate, and they cost a lot of cash.
GSkRC33NJ9US
Posts: 239
Joined: January 10th, 2008, 8:13 am

Post by GSkRC33NJ9US »

I don't often use SSL, because I run a game, and the overhead of encryption just isn't required.
User avatar
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Misleading information

Post by BvdB »

chob wrote:... Larry will say something like:
"Your connection to this web site is not encrypted."

Yes, this seems to be the logic.
Precisely, it is the "Organisation" field of the Cert that is presented as "Owner" here.
As I left this field empty in my Cert - my company is already in the name - it now says that even my https-Site has "no owner".

Furthermore, "Connection not encrypted" is already written under "technical details".

Sorry folks, but there is some over-doing going on here, and I propose to think about and change this logic.
Ted Mielczarek
Posts: 1269
Joined: November 5th, 2002, 7:32 am
Location: PA
Contact:

Post by Ted Mielczarek »

This has been discussed to death. Compare:
http://www.mozilla.org/ - no SSL
https://bugzilla.mozilla.org/ - DV SSL cert
https://www.sierranevada.com/ - EV SSL cert

That's really all there is to it.
User avatar
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post by BvdB »

Yes, discussed to death of logic, it seems.
Morris Stuart
Posts: 124
Joined: December 12th, 2006, 12:53 pm
Location: London

Post by Morris Stuart »

BvdB wrote:Yes, discussed to death of logic, it seems.

Just because you don't understand the difference between a regular SSL cert and a EV SSL cert does not mean other people are illogical.

A normal SSL cert can never prove identity (anyone can fill in anything in the owner field in a SSL cert), it can only verify the cert belongs to that domain, not who owns that domain. So, when using a regular SSL cert it will always state that the owner is not verified because verification does not happen with normal SSL certs.

EV certs do require a lot of extra verification to check that the person who registered xyzbank.com is indeed XyzBank and not someone else. This extra verification makes them more costly and time consuming to register as well.
User avatar
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post by BvdB »

The relation between "Organization" field here and "Owner" there is not what I consider illogical.

What I do consider illogical is the way that this information is presented: The sentence "This web site does not supply identity information." does not give a clue that one can never expect this kind of "identity information" on a http domain. It looks like a shortcoming of the domain which is misleading.

So the correct solution would be to omit the "Owner" field for http domains and write "Organization: ..." in the case of https.

If there was a thorough discussion on this and what we see is the result - then the discussion could not have been based on logic reasoning.
Last edited by BvdB on August 31st, 2008, 4:03 pm, edited 1 time in total.
rosemarydesigns
Posts: 1
Joined: August 30th, 2008, 8:49 am

Re: How to supply "web site identity information" - as

Post by rosemarydesigns »

I agree that this is a matter of customer relations, not coding. The current message is misleading about what is going on and that http sites are not expected to provide this kind of website ID info. Sloppy at best. I hope it gets fixed soon.
rlktemp
Posts: 7
Joined: February 1st, 2005, 11:44 pm

Re: How to supply "web site identity information" - as

Post by rlktemp »

The message "This website does not supply identity information" would cause the average user to think they may be on a dangerous website. This is very bad wording and should be changed immediately. Note that that message is displayed for this very forum, and yahoo, and google, and just about any http website. So it seems to me that the text needs to be immediately changed to perhaps display the the meta name description from the website. And, if it is an https website, perhaps some clear message about the level of security being provided. Seems to me that would make more sense. Otherwise either average users will get scared to visit legitimate websites, or they will quickly realize that the message is meaningless and ignore it, leading to ignoring ANY message that may be of value.
RK
teoli2003
Posts: 5091
Joined: November 10th, 2005, 2:54 am
Contact:

Re: How to supply "web site identity information" - as

Post by teoli2003 »

But this site (or yahoo, or google) does not supply any real identity information...

You have no guarantee to really be on their site and that your DNS wasn't hijacked.
User avatar
BvdB
Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Re: How to supply "web site identity information" - as

Post by BvdB »

Yes, but this site (and Yahoo, Google) do not supply fresh water as well - so why don't we send a warning?:
This website does not supply fresh water.
Locked