Alternative To “Look For The Lock”

Firefox 4.0 will be the first major browser shipped without a ‘lock’ icon for SSL connections. Instead, we have identity indicators like the EV indicator and the domain indicator.

Lots of websites tell users to “look for the lock” to check they are secure. These websites will want to update their text to say something else. It would be awesome if we had already developed some (cross-browser) text and graphics they could use, one text for EV and one for non-EV sites. We could work to make it as simple as possible. We could even create a website which detected the user’s browser and explained what to look for, and also provided instructions for sites who wanted to take our explanation and ship it on their site.

If we don’t do this, we will get site authors writing messages like “look for a green bar” instead of the much more useful “look for site identity”. And another opportunity to improve the security of the web will be lost.

Anyone up for doing this?

7 thoughts on “Alternative To “Look For The Lock””

  1. I am willing to help out a bit, when / where I can. Browser detection is not too difficult, so the hardest part is getting the right imgs/txt for the site. Single page would probably do fine.

    Just give me a ping via email or irc if you need any assistance :D

  2. Sounds like a 10-year migration to me, where the people most in need will also be the last to know. It’s gonna take a while to change the entire internet.

  3. Hey Gerv,

    We’ve been lobbying the CA/B Forum to make their messages about having users understand the *identity* of a website, instead of looking for signals of security. All the browser can tell them is who they’re dealing with, to the best of its knowledge.

    “Make sure you know who you’re talking to, and only do business with websites you trust.”

    That sort of thing.

  4. Not sure I understand this. If I was ever unaware of the Site Identity Button / EV indicator, I had forgotten about it.
    Search on sumo for EV indicator

    The Site Identity Button is a Firefox security feature that gives you more information about the sites you visit. Using the Site Identity Button, you can find out if the website you are viewing is encrypted, if it is verified, who owns the website, and who verified it. This should help you avoid malicious websites that are trying to get you to provide important information.
    When I see various EV buttons, it’s easy to spot the green, not so easy to spot the gray. Amazon shows up as blue while I am in the order process.

    If a site makes the Site Identity Button turn green, it means that it is using a new Extended Validation (EV) certificate. An EV certificate is a special type of site certificate that requires a significantly more rigorous identity verification process than other types of certificates.
    I have only been using sites I completely trust lately, but if I was ordering something from an unknown vendor, the first thing I would have looked for was the lock.

    I consider myself knowledgeable about browsers and security. If I am confused about this, it’s time for a rethink.

  5. How many users know that the text on green/blue background is a button? This could be regarded as a browser user education issue.

  6. I think there will always be websites that prominently feature botched explanations of web browser features. Well, for as long as there are websites and browsers, anyway. It’s a symptom of the fact that creating websites is so easy, even people who have very little idea what they’re doing can manage it.

    The “look for the lock” phenomenon is just one part of the overall trend. If you look around a bit you’ll find sites with botched explanations of every aspect of browser operation, from the address bar to the back button to saving local copies of web pages.

    I’ve seen “Press Ctrl+D to bookmark this site” more times than I can count. Okay, yes, I just checked, and that *is* still the shortcut in Firefox. (This surprises me, because the letter D is not part of *any* of the words commonly used to refer to bookmarks or the process of bookmarking; I would have guessed that the shortcut would have been changed years ago, but apparently not.) In any case, the site shouldn’t be counting on every browser always having the same keyboard shortcuts. User interfaces vary. Also, it’s pointless to give the user a bookmarking method that doesn’t reveal how to find and use the bookmark subsequently. Also, telling users to bookmark your site is inherently lame, and telling the user how to do it really only makes sense if you’re a “how to use the web” tutorial site.

  7. Hm. In the current SeaMonkey trunk nightly (with my default profile’s userChrome.css) I see three possibilities: an open padlock on the statusbar (with white-background URL bar), page not encrypted; a closed padlock with no text on the statusbar (with pale-yellow-background URL bar), encrypted but identity not verified (e.g. ); a closed padlock with site name on the statusbar (with green Larry on the URL bar), page encrypted and identity verified (e.g. ).

    Maybe an industry standard will emerge, but I suppose only in the long term if at all. In the short term, I believe that -for a time- browsers’ behaviour will first vary more than it used to not so long ago (open padlock for “not encrypted”, closed padlock for “encrypted”, no other possibility).

    Mozilla/5.0 (X11; Linux i686; rv:2.0b9pre) Gecko/20110104 Firefox/4.0b9pre SeaMonkey/2.1b2pre ID:20110104003001