Security/Reviews/IdentityBox
Item Reviewed
New Identity Box Design
Target
2 Total; 0 Open (0%); 1 Resolved (50%); 1 Verified (50%);
ID | Summary | Priority | Status |
---|---|---|---|
612253 | Need a shortcut key to focus the input line in web console | P2 | VERIFIED |
742419 | Implement new identity block design (lighter weight with a generic icon) | -- | RESOLVED |
Introduce the Feature
Goal of Feature, what is trying to be achieved (problem solved, use cases, etc)
- We will remove the favicon from the Firefox address bar and replace it with a generic icon in http and mixed content scenarios. Use a grey lock in https, and a green lock in https+ev. The verified domain will be hidden in https. The verified identity will be visible in https+ev.
What solutions/approaches were considered other than the proposed solution?
- current state
Why was this solution chosen?
- to make the state of pages clearer to users
Any security threats already considered in the design and why?
Threat Brainstorming
- "Your connection to this website has been encrypted to prevent eavesdropping."
- That statement makes me very uncomfortable, as encryption doesn't prevent eavesdropping: it attempts to protect a combination of confidentiality and integrity, depending on the algorithms chosen. I think this is an important distinction, not a pedantic argument, as it can lead users to assume a false level of security. I'm not sure what the right words to use are - a different question - but I believe that these are not it. If we change this, it's something we'll want to do a blog post explaining. - adamm
- Out of scope for this review, the Larry dialog is a separate effort.
Action Items
Action Item Status | Complete
Release Target
Action Items
6 Total; 0 Open (0%); 6 Resolved (100%); 0 Verified (0%);
Who | bug | Action | By When | Completed date ([NEW] new [DONE] Done [MISSED] Miss) |
---|---|---|---|---|
UX | bug 747093 | A blog post about how moving the display of favicon.ico from the area supplying trusted information from the browser, to the tab, protects users. | during Beta | [DONE] done |