Opened 20 months ago

Closed 15 months ago

Last modified 15 months ago

#3203 closed change (fixed)

[Adblock Browser for iOS] add visible Indication of a secure connection

Reported by: Shikitita
Assignee: pavelz
Priority: P2
Milestone: Adblock-Browser-for-iOS-1.3.0
Module: Adblock-Browser-for-iOS
Keywords: salsita 2015q4
Cc: pavelz, vojtab, jand, mario, greiner
Blocked By:
Blocking: #3284
Platform: Adblock Browser for iOS
Ready: yes
Confidential: no
Tester: Scheer
Verified working: yes
Review URL(s):

Description (last modified by pavelz)

Background

Modern browsers indicate the use of secure and validated SSL connections and certificates by showing a lock sign (and sometimes the URL) in different colors. Since users have become used to this, it's wise to include this indicator in Adblock Browser as well.

There are 4 different certificates and certificate states, which should each be visualized in a different way:

  1. No certificate present
  2. Malicious certificate present (e.g. wrong domain or wrong subdomain)
  3. Self-signed certificate present
  4. Signed certificate or signed EV certificate present

What to change

For each type of certificate as described in the background section, implement the visualization as outlined below:

  1. No visualization of a secured connection whatsoever. No changes to be implemented.
  2. Display a broken padlock in front of the URL as displayed in this screenshot. Every time a website with this certificate state is visited, show a notification as currently implemented in Kitt.

Color to be used for the URL: #da001b
Text of the notification headline: Warning
Text of the notification: The site's security certificate is not trusted. Do you want to proceed?
Text of the cancel-button: Cancel
Text of the proceed-button: Proceed

Tapping "Cancel" will close the notification and stop loading the requested website (thus staying at the currently opened website or - if no website was opened - at the dashboard).
Tapping "Proceed" will close the notification and load the requested website.

  3. Display a broken padlock in front of the URL as displayed in this screenshot. Every time a website with this certificate state is visited, show a notification as currently implemented in Kitt.

Color to be used for the URL: #da001b
Text of the notification headline: Warning
Text of the notification: The site's security certificate is not trusted. Do you want to proceed?
Text of the cancel-button: Cancel
Text of the proceed-button: Proceed

Tapping "Cancel" will close the notification and stop loading the requested website (thus staying at the currently opened website or - if no website was opened - at the dashboard).
Tapping "Proceed" will close the notification and load the requested website.

  4. Display a padlock in front of the URL as displayed in this screenshot.

Note to testers

Recognizing the cert state was less demanding than keeping up with the aggressive iOS status caching of SSL sites that have already been visited once. So a correct SSL status on first load is less critical than a reproducibly correct status when an existing browsing history with sites of mixed cert types is navigated, either through back/fwd or by clicking history records.

Examples of test sites

  1. No cert: any plain http site
  2. Malicious cert: https://kitt.co/
  3. Self-signed cert: https://www.cacert.org/
  4. EV cert: twitter.com, square.com, ...
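
A small reference model of the behaviour specified above, usable as a test oracle for the back/forward case in the note to testers. This is an added example, not code from the ticket or from Adblock Browser; the `Tab` class, the `DASHBOARD` placeholder and its method names are assumptions, and the certificate state of each site is taken as an input rather than detected.

```python
from dataclasses import dataclass, field
from enum import Enum

class CertState(Enum):
    NONE = 1         # no certificate (plain http)
    MALICIOUS = 2    # e.g. wrong domain or wrong subdomain
    SELF_SIGNED = 3
    TRUSTED = 4      # signed certificate or signed EV certificate

UNTRUSTED = {CertState.MALICIOUS, CertState.SELF_SIGNED}
DASHBOARD = ("dashboard", CertState.NONE)  # assumed stand-in: no website opened

def indicator(state):
    """(padlock, url_color) for a state, per the 'What to change' list."""
    if state in UNTRUSTED:
        return ("broken", "#da001b")
    if state is CertState.TRUSTED:
        return ("closed", None)  # no URL colour is specified for state 4 here
    return (None, None)

@dataclass
class Tab:
    history: list = field(default_factory=list)  # one (url, CertState) per entry
    pos: int = -1
    warnings: int = 0

    def shown(self):
        # Always derive the indicator from the state stored with the entry
        # itself, never from whatever was displayed for the previous page.
        url, state = self.history[self.pos] if self.pos >= 0 else DASHBOARD
        return (url, *indicator(state))

    def visit(self, url, state, proceed=False):
        if state in UNTRUSTED:
            self.warnings += 1       # notification on every such visit
            if not proceed:          # "Cancel": requested site is not loaded
                return self.shown()
        del self.history[self.pos + 1:]  # a new navigation drops forward entries
        self.history.append((url, state))
        self.pos += 1
        return self.shown()

    def back(self):
        self.pos = max(self.pos - 1, min(self.pos, 0))
        return self.shown()

    def forward(self):
        self.pos = min(self.pos + 1, len(self.history) - 1)
        return self.shown()
```
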

Attachments (7)

certificate.png (19.2 KB) - added by sven 19 months ago.
certificateEV.png (19.2 KB) - added by sven 19 months ago.
certificateEV v2.png (19.3 KB) - added by sven 19 months ago.
certificate v2.psd (28.8 KB) - added by sven 19 months ago.
certificate style guide.png (133.3 KB) - added by sven 19 months ago.
certificate v2.png (19.3 KB) - added by sven 19 months ago.
certificate broken.png (20.7 KB) - added by sven 19 months ago.


Change History (35)

comment:1 Changed 20 months ago by mario

  • Cc mario added

comment:2 Changed 20 months ago by philll

  • Cc mario removed
  • Description modified (diff)
  • Summary changed from [Adblock Browser for iOS] Indication of a secure connection missing to [Adblock Browser for iOS] add visible Indication of a secure connection
  • Type changed from defect to change

How is this a bug? It's just a not implemented feature.

comment:3 Changed 20 months ago by Shikitita

Yeah, sorry. Out of habit.

comment:4 Changed 20 months ago by mario

  • Cc mario added

comment:5 Changed 20 months ago by mario

  • Description modified (diff)

comment:7 Changed 19 months ago by greiner

  • Cc greiner added

Changed 19 months ago by sven

comment:8 Changed 19 months ago by sven

  • Description modified (diff)

comment:9 Changed 19 months ago by sven

  • Description modified (diff)

comment:10 Changed 19 months ago by sven

  • Description modified (diff)

comment:11 Changed 19 months ago by mario

  • Description modified (diff)

comment:12 Changed 19 months ago by mario

  • Description modified (diff)

comment:13 follow-up: Changed 19 months ago by mario

  • Description modified (diff)

I've modified the description to reflect the fact that we can't differentiate between signed certificates and EV certificates: Both certificate types are visualized the same.

comment:14 in reply to: ↑ 13 Changed 19 months ago by greiner

Replying to mario:

I've modified the description to reflect the fact that we can't differentiate between signed certificates and EV certificates: Both certificate types are visualized the same.

Any idea why we can't differentiate between those? If it's simply too much effort, I'd suggest creating a follow-up ticket for that.

comment:15 Changed 19 months ago by pavelz

Unfortunate wording - there is no "can't" in the requirement. It's just too much effort for being considered a simple task. If it's being removed from the scope of this ticket, I would expect a new one, yes. When creating a new one, please move over my tech notes in https://issues.adblockplus.org/ticket/3203#comment:6

comment:16 Changed 19 months ago by mario

  • Blocking 3284 added

comment:17 Changed 19 months ago by mario

  • Keywords 2015q4 added

I was under the impression, this was limited by iOS.
Created a follow up issue: #3284

comment:18 Changed 19 months ago by mario

  • Priority changed from Unknown to P2
  • Ready set

comment:20 Changed 18 months ago by pavelz

  • Resolution set to fixed
  • Status changed from new to closed

comment:21 Changed 18 months ago by mario

  • Milestone set to Adblock-Browser-for-iOS-next

Batch modify: Added "-next" milestone to recently closed ABB/iOS issues.

comment:22 Changed 15 months ago by philll

  • Ready unset
  • Resolution fixed deleted
  • Status changed from closed to reopened

What shall happen if the proceed or cancel button is pressed?
Also, the background section stated "There are 5 different certificates and certificate states," while only four get mentioned afterwards.

comment:23 Changed 15 months ago by mario

  • Description modified (diff)

There are only 4 states. This was an error.
Changed the description and added the missing information.

comment:24 Changed 15 months ago by pavelz

@mario What should happen with the issue now? Will @philll reread the description and close?

comment:25 Changed 15 months ago by pavelz

And it's not "ready" anyway

comment:26 Changed 15 months ago by mario

  • Description modified (diff)
  • Ready set
  • Resolution set to fixed
  • Status changed from reopened to closed

comment:27 Changed 15 months ago by pavelz

  • Description modified (diff)

comment:28 Changed 15 months ago by scheer

  • Tester changed from Unknown to Scheer
  • Verified working set
  • 1. No change is displayed in normal websites without a certificate and plain text is displayed.
  • 2. Malicious certificate sites such as https://kitt.co/ display a warning message stating 'Warning - The site's security certificate is not trusted. Do you want to proceed?' - 'Cancel' - 'Proceed'. Upon selecting 'Cancel' the user is presented with the page he was currently already viewing, or the Dashboard (dependent on the state before entering the address). Upon selecting 'Proceed' the page is loaded and a broken padlock is presented in the address bar and the address text changed from black to red (#da001b).
  • 3. Self-signed certificate sites such as https://www.cacert.org/ display a warning message stating 'Warning - The site's security certificate is not trusted. Do you want to proceed?' - 'Cancel' - 'Proceed'. Upon selecting 'Cancel' the user is presented with the page he was currently already viewing, or the Dashboard (dependent on the state before entering the address). Upon selecting 'Proceed' the page is loaded and a broken padlock is presented in the address bar and the address text changed from black to red (#da001b).
  • 4. EV certificate sites such as twitter.com and paypal.com are loaded and a green (#36aa46) padlock is displayed in the address bar and the address text is also changed from black to green (#36aa46). Please note that the above states that only a complete padlock should be displayed, but not with green (#36aa46), but I am now referring to the completed issue that already changes EV Certificates located here - #3284

With regards to -

'The cert state recognition was not as much demanding as was keeping up with the aggressive iOS status caching of already once visited SSL sites. So the correct SSL status displayed on the first load is not as critical as is a reproducible correct status when an already created browsing history with mixed type cert sites is navigated either through back/fwd or clicking history records.'

As well as checking the first load of the above-mentioned sites, I also loaded through each type multiple times, to confirm that the website states changed back to the correct ones in each website certificate type.

ABB 1.3.0-qa (824)
iPhone 6 Plus - iOS 9.2.1
