Firefox 3's Site Identification button

Deb Richardson from Mozilla explains Firefox 3's new Site Identification button and how it helps users recognize trusted web sites and avoid untrusted sites. He first points out how previous versions of Firefox have attempted to communicate whether a site is trustworthy by using the "trusty" (pardon the pun) padlock symbol.

fx2-paypal-locbar

Though commonly recognized as a symbol of trust, the padlock icon in browsers really only verifies that the connection is encrypted. It doesn't guarantee that that a particular organization owns a domain or that it can be trusted. There is also the problem of spoofing the padlock icon in various ways such as making a favicon like this:

fx2-emergentchaos-locbar

So how does Firefox 3 make things better? By introducing the Site Identification button. This button is displayed to the left of the address bar and displays in different colors depending on whether the site is encrypted and whether the identity of the site owner has been verified.

site-identification-button2

It will also display known security information about the site when clicked:

fx3-gray-dialog

So how do you tell the difference between a trusted site, an unencrypted site, and a phishing site? It's all in the colors.

gray-blue-green-icons

  • Gray means that there is no identity information and that the connection is not encrypted. You shouldn't transmit sensitive information on a website that displays in gray.
  • Blue means that the site is encrypted but the organization may or may not have been verified.
  • Green means that the site is using an Extended Validation Certificate so you can be completely sure that the connection is encrypted and that the domain is owned by the verified organization that is displayed when you click on the button.

fx3-green-dialog

Invalid Certificates and Known Phishing Sites

In addition to the Site Identification button, Firefox provides two other methods of identity assurance. First, when a site is using an invalid certificate (such as a self-signed certificate or an expired certificate), the user will be taken to a separate page making it clear what the problem is before allowing the user to continue to the potentially problematic site.

fx3-selfsigned-warning

However, if the site is known to be trusted (your mail server using a self-signed certificate, for example), then you can easily add the site as an exception so you don't have to bother with the message again. Pure elegance. Deb explains:

The page above is actually generated by Firefox 3 itself, and its purpose is to block you from going to a site that has an invalid identity certificate. Just like driver’s licenses and passports, site identifications need to be renewed or they expire. And just like only you can use your passport, each web site should present the credentials belonging to that site.

In the case pictured above, the problem being warned about is that the site has a “self signed” identity certificate. On the Web, self signed certificates are like passports you made at home — they don’t mean anything, no one’s verified them, and while maybe the information on them is real, Firefox wants you to know that the passport has not been validated.

There are many perfectly valid sites that use self signed certificates simply so they can support encrypted connections to the server, and are not doing anything untoward or nefarious at all. This is why Firefox 3 allows you to add exceptions for sites who have self signed certificates that you know are not trying to trick you. Adding an exception is a simple process that only needs to be done once for each site encountered.

Then there is this little guy:

red-icon

If you see him, run! It means Firefox 3's Malware and Phishing protection system has identified the site as a known phishing site.

Though simple, the new Site Identification button in Firefox will make it far easier to identify which sites can be trusted and which cannot.

Firefox 3: Site Identification button - [dria.org]

Originally posted on Sun May 11, 2008