MozillaZine

How to supply "web site identity information" - as

Discussion of bugs in Mozilla Firefox
BvdB

Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post Posted March 11th, 2008, 7:04 am

Hi,
by clicking on a website's favicon (to the left of the URL) Firefox 3 provides a window with site information, one of which is the "Owner:" field.
But on my and various well-known sites I only see the comment:
"This web site does not supply identity information."

So how should a server admin provide this information?

Thanks for hints!
// BvdB

SK.
Moderator

Posts: 20750
Joined: October 18th, 2007, 1:28 pm
Location: Third Rock From The Sun

Post Posted March 11th, 2008, 7:16 am

Moving to Firefox Builds.
John 3:16 and Philippians 4:13

Max Karl Ernst

Posts: 107
Joined: February 5th, 2008, 3:43 am

Post Posted March 11th, 2008, 7:56 am

Yeah, UI has to see some more work done :)
I think "identity information..." is bad wording and that's what gets people confused.

It should be something like "Identity of this site is not confirmed by authoritative source".

So, in your case it really means you should get a certificate if you need your identity confirmed, and you probably don't really need that :)

|CK|
 
Posts: 239
Joined: January 10th, 2008, 8:13 am

Post Posted March 11th, 2008, 7:58 am

Yes, is this read from metatags? Or do you HAVE to be using https?

chob
 
Posts: 4278
Joined: May 17th, 2003, 12:05 pm
Location: London, UK

Post Posted March 11th, 2008, 8:17 am

I don't know if something's being lost in translation, or if the strings have changed, but for ordinary websites Larry will say something like:

"This web site does not supply identity information. Your connection to this web site is not encrypted."

If you get a proper SSL certificate for the site, Larry should say:

You are connected to
< website address >
Which is run by
(unknown)

If you want the "Which is run by" to read something other than "(unknown)" then you need an EV SSL certificate, and they cost a lot of cash.

|CK|
 
Posts: 239
Joined: January 10th, 2008, 8:13 am

Post Posted March 11th, 2008, 8:27 am

I don't often use SSL, because I run a game, and the overhead of encryption just isn't required.

BvdB

Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post Posted March 11th, 2008, 9:38 am

chob wrote:... Larry will say something like:
"Your connection to this web site is not encrypted."

Yes, this seems to be the logic.
Precisely, it is the "Organisation" field of the Cert that is presented as "Owner" here.
As I left this field empty in my Cert - my company is already in the name - it now says that even my https-Site has "no owner".

Furthermore, "Connection not encrypted" is already written under "technical details".

Sorry folks, but there is some over-doing going on here, and I propose to think about and change this logic.

Ted Mielczarek
 
Posts: 1269
Joined: November 5th, 2002, 7:32 am
Location: PA

Post Posted March 11th, 2008, 10:27 am

This has been discussed to death. Compare:
http://www.mozilla.org/ - no SSL
https://bugzilla.mozilla.org/ - DV SSL cert
https://www.sierranevada.com/ - EV SSL cert

That's really all there is to it.

BvdB

Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post Posted March 11th, 2008, 10:29 am

Yes, discussed to death of logic, it seems.

Morris Stuart
 
Posts: 120
Joined: December 12th, 2006, 12:53 pm
Location: London

Post Posted March 11th, 2008, 3:12 pm

BvdB wrote: Yes, discussed to death of logic, it seems.

Just because you don't understand the difference between a regular SSL cert and an EV SSL cert does not mean other people are illogical.

A normal SSL cert can never prove identity (anyone can fill in anything in the owner field in an SSL cert), it can only verify the cert belongs to that domain, not who owns that domain. So, when using a regular SSL cert it will always state that the owner is not verified because verification does not happen with normal SSL certs.

EV certs do require a lot of extra verification to check that the person who registered xyzbank.com is indeed XyzBank and not someone else. This extra verification makes them more costly and time consuming to register as well.
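
The distinction drawn in the post above, as an added example that is not part of the original thread: a Python sketch (assuming the third-party `cryptography` package) that reads the subject Organization field and any CA/Browser Forum validation-policy OID from a certificate. The policy OIDs, the names `describe_identity` and `make_sample_cert`, and the sample certificates are assumptions constructed for illustration; none of them appear in the thread.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# CA/Browser Forum reserved policy OIDs (assumption: not named in the thread),
# listed strongest first.
POLICY_LEVELS = {"2.23.140.1.1": "EV", "2.23.140.1.2.2": "OV", "2.23.140.1.2.1": "DV"}

def describe_identity(cert):
    """Return (subject Organization or None, claimed validation level or None)."""
    orgs = cert.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    org = orgs[0].value if orgs else None
    try:
        ext = cert.extensions.get_extension_for_class(x509.CertificatePolicies)
    except x509.ExtensionNotFound:
        return org, None
    claimed = {p.policy_identifier.dotted_string for p in ext.value}
    level = next((lvl for oid, lvl in POLICY_LEVELS.items() if oid in claimed), None)
    return org, level

def make_sample_cert(common_name, organization=None, policy_oid=None):
    """Constructed, self-signed certificate used only as sample input."""
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, common_name)]
    if organization:
        # Self-asserted: nothing here verifies that the name is true.
        attrs.append(x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization))
    name = x509.Name(attrs)
    key = ec.generate_private_key(ec.SECP256R1())
    start = datetime.datetime(2024, 1, 1)
    builder = (x509.CertificateBuilder()
               .subject_name(name).issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(start)
               .not_valid_after(start + datetime.timedelta(days=30)))
    if policy_oid:
        policy = x509.PolicyInformation(x509.ObjectIdentifier(policy_oid), None)
        builder = builder.add_extension(x509.CertificatePolicies([policy]), critical=False)
    return builder.sign(key, hashes.SHA256())

if __name__ == "__main__":
    samples = [("shop.example.test",),                                 # no Organization
               ("shop.example.test", "Example GmbH", "2.23.140.1.2.1"),
               ("bank.example.test", "Example Bank AG", "2.23.140.1.1")]
    for args in samples:
        print(args[0], describe_identity(make_sample_cert(*args)))
```

A policy OID in the certificate is only a claim: a browser shows EV treatment only when the chain ends at a root it trusts for EV, so these self-signed samples would not be displayed as EV.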

BvdB

Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post Posted March 11th, 2008, 4:29 pm

The relation between "Organization" field here and "Owner" there is not what I consider illogical.

What I do consider illogical is the way that this information is presented: The sentence "This web site does not supply identity information." does not give a clue that one can never expect this kind of "identity information" on an http domain. It looks like a shortcoming of the domain which is misleading.

So the correct solution would be to omit the "Owner" field for http domains and write "Organization: ..." in the case of https.

If there was a thorough discussion on this and what we see is the result - then the discussion could not have been based on logical reasoning.
Last edited by BvdB on August 31st, 2008, 4:03 pm, edited 1 time in total.

rosemarydesigns
 
Posts: 1
Joined: August 30th, 2008, 8:49 am

Post Posted August 30th, 2008, 9:04 am

I agree that this is a matter of customer relations, not coding. The current message is misleading about what is going on and that http sites are not expected to provide this kind of website ID info. Sloppy at best. I hope it gets fixed soon.

rlktemp
 
Posts: 7
Joined: February 1st, 2005, 11:44 pm

Post Posted September 1st, 2008, 5:45 am

The message "This website does not supply identity information" would cause the average user to think they may be on a dangerous website. This is very bad wording and should be changed immediately. Note that that message is displayed for this very forum, and yahoo, and google, and just about any http website. So it seems to me that the text needs to be immediately changed to perhaps display the meta name description from the website. And, if it is an https website, perhaps some clear message about the level of security being provided. Seems to me that would make more sense. Otherwise either average users will get scared to visit legitimate websites, or they will quickly realize that the message is meaningless and ignore it, leading to ignoring ANY message that may be of value.
RK

teoli2003
 
Posts: 5091
Joined: November 10th, 2005, 2:54 am

Post Posted September 1st, 2008, 7:24 am

But this site (or yahoo, or google) does not supply any real identity information...

You have no guarantee to really be on their site and that your DNS wasn't hijacked.

BvdB

Posts: 90
Joined: October 28th, 2006, 3:04 am
Location: Berlin, Germany

Post Posted September 1st, 2008, 8:54 am

Yes, but this site (and Yahoo, Google) do not supply fresh water as well - so why don't we send a warning?:
This website does not supply fresh water.
