<div dir="ltr"><div>Hey,</div><div><br></div><div>So we have two issues here:</div><div>- We have less testing on security.insecure_connection_text.enabled</div><div>- security.insecure_connection_icon.enabled is a lot heavier handed as MT notes and also we use this for insecure passwords too.</div><div><br></div><div>We also have the pbmode variants if we wanted both enabled when in Private Browsing mode.<br></div><div><br></div><div>We are discussing the impact of shipping the "Not Secure" text with product at the moment which is likely much safer to ship right now.<br></div><div><br></div><div>Thanks</div><div>Jonathan<br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Feb 9, 2018 at 2:02 PM, Tom Schuster <span dir="ltr"><<a href="mailto:tom@schuster.me" target="_blank">tom@schuster.me</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If you flip just security.insecure_connection_<wbr>text.enabled and not<br>
security.insecure_connection_<wbr>icon.enabled you get Chrome's behavior.<br>
Flipping both gives you the broken lock and the "Not Secure" text. I<br>
don't see a big difference there and I hope we can ship this as soon<br>
as possible.<br>
<span class=""><br>
On Fri, Feb 9, 2018 at 1:55 AM, Martin Thomson <<a href="mailto:mt@mozilla.com">mt@mozilla.com</a>> wrote:<br>
> +ffxdev<br>
><br>
> There's a tangible difference between text saying "Not Secure" and a<br>
> broken lock icon. I think that we're close, but we'd be making a<br>
> stronger statement than Chrome if we did this.<br>
><br>
> On Fri, Feb 9, 2018 at 8:17 AM, Chris Peterson <<a href="mailto:cpeterson@mozilla.com">cpeterson@mozilla.com</a>> wrote:<br>
>> Chrome will start marking HTTP pages as "Not secure" in July 2018 (Chrome<br>
>> 68):<br>
>><br>
>> <a href="https://security.googleblog.com/2018/02/a-secure-web-is-here-to-stay.html" rel="noreferrer" target="_blank">https://security.googleblog.<wbr>com/2018/02/a-secure-web-is-<wbr>here-to-stay.html</a><br>
>><br>
>> Firefox has a similar insecure HTTP warning icon, currently disabled by the<br>
>> `security.insecure_connection_<wbr>icon.enabled` pref added in bug 1310447.<br>
>><br>
>> Are there any blockers for Firefox shipping this feature?<br>
>> ______________________________<wbr>_________________<br>
>> dev-platform mailing list<br>
>> <a href="mailto:dev-platform@lists.mozilla.org">dev-platform@lists.mozilla.org</a><br>
>> <a href="https://lists.mozilla.org/listinfo/dev-platform" rel="noreferrer" target="_blank">https://lists.mozilla.org/<wbr>listinfo/dev-platform</a><br>
><br>
> ______________________________<wbr>_________________<br>
</span>> firefox-dev mailing list<br>
> <a href="mailto:firefox-dev@mozilla.org">firefox-dev@mozilla.org</a><br>
> <a href="https://mail.mozilla.org/listinfo/firefox-dev" rel="noreferrer" target="_blank">https://mail.mozilla.org/<wbr>listinfo/firefox-dev</a><br>
<div class="HOEnZb"><div class="h5">><br>
______________________________<wbr>_________________<br>
dev-platform mailing list<br>
<a href="mailto:dev-platform@lists.mozilla.org">dev-platform@lists.mozilla.org</a><br>
<a href="https://lists.mozilla.org/listinfo/dev-platform" rel="noreferrer" target="_blank">https://lists.mozilla.org/<wbr>listinfo/dev-platform</a><br>
</div></div></blockquote></div><br></div>