Yeah, there's a team working on this stuff (and they/we have been in touch with the Chrome people for a long time) and this is not a call we should make on a mailing list. There's a valid concern around warning fatigue (plastering so many sites with "Insecure" that users easily dismiss it) and we made those prefs to be able to run user studies on it.
I believe the original question was whether there are any blockers to shipping this in Firefox right now. Technically? No. We should still give product the chance to take a good look at the potential impact and how it works in our design concept and not make this a race to the moon. Thanks Johann Jonathan Kingston wrote: > Hey, > > So we have two issues here: > - We have less testing on security.insecure_connection_text.enabled > - security.insecure_connection_icon.enabled is a lot heavier handed as MT > notes and also we use this for insecure passwords too. > > We also have the pbmode variants if we wanted both enabled when in Private > Browsing mode. > > We are discussing the impact of shipping the "Not Secure" text with product > at the moment which is likely much safer to ship right now. > > Thanks > Jonathan > > On Fri, Feb 9, 2018 at 2:02 PM, Tom Schuster <t...@schuster.me> wrote: > >> If you flip just security.insecure_connection_text.enabled and not >> security.insecure_connection_icon.enabled you get Chrome's behavior. >> Flipping both gives you the broken lock and the "Not Secure" text. I >> don't see a big difference there and I hope we can ship this as soon >> as possible. >> >> On Fri, Feb 9, 2018 at 1:55 AM, Martin Thomson <m...@mozilla.com> wrote: >>> +ffxdev >>> >>> There's a tangible difference between text saying "Not Secure" and a >>> broken lock icon. I think that we're close, but we'd be making a >>> stronger statement than Chrome if we did this. >>> >>> On Fri, Feb 9, 2018 at 8:17 AM, Chris Peterson <cpeter...@mozilla.com> >> wrote: >>>> Chrome will start marking HTTP pages as "Not secure" in July 2018 >> (Chrome >>>> 68): >>>> >>>> https://security.googleblog.com/2018/02/a-secure-web-is- >> here-to-stay.html >>>> Firefox has a similar insecure HTTP warning icon, currently disabled by >> the >>>> `security.insecure_connection_icon.enabled` pref added in bug 1310447. >>>> >>>> Are there any blockers for Firefox shipping this feature? >>>> _______________________________________________ >>>> dev-platform mailing list >>>> dev-platform@lists.mozilla.org >>>> https://lists.mozilla.org/listinfo/dev-platform >>> _______________________________________________ >>> firefox-dev mailing list >>> firefox-...@mozilla.org >>> https://mail.mozilla.org/listinfo/firefox-dev >>> >> _______________________________________________ >> dev-platform mailing list >> dev-platform@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-platform >> > _______________________________________________ > dev-platform mailing list > dev-platform@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-platform _______________________________________________ dev-platform mailing list dev-platform@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-platform
