An update to site-identity in desktop Firefox

23 April, 2012 § 61 Comments

Update (24 April): For clarification, there are no plans to remove favicons from tabs, bookmarks, or Awesomebar suggestions.

Starting with yesterday’s Nightly build of Firefox, we have introduced a change to how we display site-identity in the address bar. These changes are intended to increase the security of our users as well as reduce some visual weight.

Since the dawn of time, we have included the site favicon in the address bar as part of the site-identity block. While the favicon can represent a piece of a site’s identity, there are some sites that set their favicon to a padlock. This behavior can trick users into thinking that a site is using a secure connection when it is actually on an unsecured connection. Starting with yesterday’s Nightly, we will no longer include the favicon in the address bar.

Websites that use SSL certificates with Extended Validation will now have a green padlock next to the certificate owner’s organization name.

Websites that use SSL certificates without Extended Validation will now have a grey padlock. The effective hostname will no longer appear next to the padlock. This information is redundant with our darkening of the effective hostname in the website address.

Websites that do not use SSL certificates or that have mixed content will fall back to a globe icon.

These changes are planned to reach our Release channel in mid-July.


§ 61 Responses to An update to site-identity in desktop Firefox

  • Zigboom says:

    I’m interested to know what would be the recommendations for theme designers (I’m the author of LavaFox & BlackFox themes).
    How should we approach this change while it’s in transition between Nightly to Default?

  • kensaunders says:

    Coming from a person who knows little about much of anything, there isn’t anything in place that I’m aware of to keep someone from using the https page-proxy-favicon(s) in add-on or some other way to fool people into thinking that they’re on a secure site.

    I started creating an add-on to apply the current color highlighting (Fx 12) for verifiedIdentity, verifiedDomain in Nightly and when I ran it through AMO’s validator, the following -warning- came up. I emphasize warning because it still passes.

    Security Tests
    Modification to identity box.
    Warning: The identity box (#identity-box) is a sensitive piece of the interface and should not be modified.

    Perhaps add-ons doing such things should be flagged when uploaded and held for further security review by AMO editors?

    For what it’s worth, I prefer the stronger color highlighting. People with perfect visual acuity are commenting about how subtle the differences are in Nightly between verified and not, so think about those with poor eyesight including the massive amount of aging baby boomers coming online.
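A sketch of the kind of check the validator warning quoted in the comment above describes, as an added example that is not part of the original post or comments and is not AMO's validator code. It scans a theme or add-on stylesheet for rules that restyle `#identity-box` or `#page-proxy-favicon`, using the ids and state classes mentioned on this page; the sample stylesheet and the function name `scan_stylesheet` are constructed for illustration.

```python
import re

# Element ids and state classes named in the comments on this page.
SENSITIVE_IDS = ("identity-box", "page-proxy-favicon")
STATE_CLASSES = ("verifiedIdentity", "verifiedDomain", "mixedContent")

COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)
RULE_RE = re.compile(r"([^{}]+)\{([^{}]*)\}")  # innermost rules, so @media bodies are covered
ID_RE = re.compile(r"#(%s)(?![\w-])" % "|".join(SENSITIVE_IDS))
CLASS_RE = re.compile(r"\.(%s)(?![\w-])" % "|".join(STATE_CLASSES))

# Constructed sample stylesheet for a hypothetical theme.
SAMPLE_CSS = """
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");
/* #identity-box { color: red } -- commented out, must not be reported */
#urlbar { border-radius: 2px; }
#identity-box.verifiedIdentity, #identity-box.verifiedDomain {
  background-color: green;
  color: white;
}
@media all {
  #page-proxy-favicon { list-style-image: url("chrome://mytheme/skin/lock.png"); }
}
#identity-box-inner { margin: 0; }
"""

def scan_stylesheet(css):
    """Return one finding per selector that restyles the site-identity UI."""
    findings = []
    for rule in RULE_RE.finditer(COMMENT_RE.sub("", css)):
        # Drop any preceding at-rule statement such as "@namespace ...;".
        selectors = rule.group(1).rsplit(";", 1)[-1]
        props = [d.split(":", 1)[0].strip().lower()
                 for d in rule.group(2).split(";") if ":" in d]
        for selector in (s.strip() for s in selectors.split(",")):
            target = ID_RE.search(selector)
            if target is None or not props:
                continue  # unrelated element (e.g. #identity-box-inner) or empty rule
            state = CLASS_RE.search(selector)
            findings.append({"selector": selector, "target": target.group(1),
                             "state": state.group(1) if state else None,
                             "properties": props})
    return findings

if __name__ == "__main__":
    for finding in scan_stylesheet(SAMPLE_CSS):
        print(finding)
```

A reviewer could hold any submission with a non-empty result for manual inspection, which is the workflow the comment proposes.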

  • msujaws :
    It would be great if theme designers didn’t modify the site-identity block

    Unless there is a policy that requires adoption of the default identity box styling this is wishful thinking. The current policy is pretty lax when it comes to the identity box. All the current policy requires is that ESSL and SSL identity boxes use different colors from each other and from the normal identity box and that they be distinct. We have had numerous discussions on this policy and there is great reluctance to require any more than this.

    As far as my theme (Classic Compact) goes, while I may adopt the new icons and eliminate favicons from the identity box, my plan is to retain the current green and blue backgrounds for the identity box. Quite simply, I personally want an identity box that jumps out at me when sites are properly secure and more importantly I want really blatant notifiers when sites aren’t secured properly.

    To be honest, the current (FF12) identity box is WAY better than the proposed identity box because it really jumps out at users and demands attention. The new method blends into the rest of the theme too much. Another problem is that the new identity box reintroduces the lock icon, which has been widely panned within Mozilla as a failed identifier due to how often the lock icon has been abused/misused. Even at EU MozCamp this past November, a senior Mozilla security person gave me a long explanation why the lock icon was abandoned by Mozilla. Now not six months later all those reasons are being conveniently forgotten.

    This is the fourth redesign of the way secure sites are identified in Firefox that I can remember offhand. The truth of the matter is every time Mozilla redesigns the identity box, it only leads to more confusion for users. This is doing users a great disservice. The identity box should only be radically redesigned if it were to adopt a uniform standard for all web browsers as to how to identify secure vs non-secure sites. Having a different identity method for every web browser only contributes to the confusion.

  • Zigboom says:

    msujaws :
    It would be great if theme designers didn’t modify the site-identity block

    Oh well, I agree to some extent. Of course Theme Authors will have to modify small details but this style is actually “theme friendly” because it doesn’t force colors that may look bad etc.

    I also found a way to handle the older versions while in transition to this style. I colored the identity text blue/green while keeping the lock (that gets an override by the favicon on older versions).

    I’m not sure if this will be safer but I sure like much better the style that doesn’t make my themes look too colorful 🙂

  • Ayesh says:

    Will there be any way to go back to the padlocks in ff 12 / 13 versions ? I mean in about:config or somewhere ?

    • msujaws says:

      These graphics and design were added to the Firefox 14 build, so they don’t exist in earlier versions of Firefox.

    • Ayesh says:

      Actually I’m a big fan/lover of the way how I currently see the padlock and favicon.
      But looks like I’m going to lose my love.
      Will there be any setting that changes the FF 14’s padlock icons to the way that we currently (firefox 12/13) have padlock/favicons ?

      Thank you for all your development and time to the software that the world loves!

  • kensaunders says:

    @Bryan Quigley

    Please, feel free to improve it. It’s far from perfect.
    Especially the options. 😐

  • Fox says:


    Omg big thanks for this addon! I was looking exactly for something like this, bringing back the old color!! The new one is DEFINITELY too pale (light). Besides I don’t get it, Mozilla removes redundant ‘http’ from location bar, and adds redundant ‘globe’ to look even more messy than with http… Padlock is OK, but what we need that stupid globe for regular sites for?

    • Ayesh says:

      “but what we need that stupid globe for regular sites for?”
      That’s something I too worried about.

    • msujaws says:

      The globe provides a place for users to access site-identity information, as well as a proxy object that users can drag to create bookmarks and shortcuts.

    • gervmarkham says:

      Ayesh :
      “but what we need that stupid globe for regular sites for?”
      That’s something I too worried about.

      Click it and see.

      If there were no icon, there would be nothing to click to get that info.


  • […] displays the favicon in the URL, showing it only on tabs, bookmarks and Awesome bar suggestions, according to Firefox developer Jared Wein. This version of Firefox adds the padlock to the Site Identity Button, while preventing webmasters […]

  • […] at times, this occasionally made the site identity button look like the forward button. I worked on a refresh of site identity for Firefox which removed favicons from the location bar and added back the lock […]

  • Sailfish says:

    I just noticed that the separate mixed-content identity icon was dropped in Fx14.0b9 and, as you state above, is now using the normal HTTP identity icon. I notice that the class “mixedContent” is still there for identifying mixed content and, in fact, my themes still display a unique icon for mixed so some insight about this decision would be helpful.

    • msujaws says:

      We are going to stick with the globe until we can differentiate between active and passive mixed-content. Once we have the platform support for determining if a piece of mixed-content could be malicious, we will reintroduce the warning triangle in some fashion to still be determined.


You are currently reading An update to site-identity in desktop Firefox at JAWS.

