Bug 904189 - Document changes in SSL warnings and new options for mixed content blocker in Security Socket Layer preference pane. r=IanN
author rsx11m <rsx11m.pub@gmail.com>
Wed, 25 Sep 2013 18:02:48 -0500
changeset 13116 3d7e3c8d90418ee8e1e99e3340e279299a90559f
parent 13115 73fd8aa8529bdac3791b4afb31faf763039d2153
child 13117 412f68f827ecb3e187a74a7f56782db41eb8aa3d
push id 9544
push user ryanvm@gmail.com
push date Fri, 04 Oct 2013 16:17:28 +0000
reviewers IanN
bugs 904189
suite/locales/en-US/chrome/common/help/help-index1.rdf
suite/locales/en-US/chrome/common/help/ssl_help.xhtml
suite/locales/en-US/chrome/common/help/using_certs_help.xhtml
--- a/suite/locales/en-US/chrome/common/help/help-index1.rdf
+++ b/suite/locales/en-US/chrome/common/help/help-index1.rdf
@@ -2031,16 +2031,26 @@
        <rdf:Description ID="SSL:preferences"
          nc:name="SSL preferences"
          nc:link="ssl_help.xhtml#privacy_and_security_preferences_ssl"/>
      </rdf:li>
      <rdf:li>
        <rdf:Description ID="SSL:protocols"
          nc:name="SSL protocols"
          nc:link="ssl_help.xhtml#ssl_protocol_versions"/>
+     </rdf:li>
+     <rdf:li>
+       <rdf:Description ID="SSL:warnings"
+         nc:name="SSL warnings"
+         nc:link="ssl_help.xhtml#ssl_warnings"/>
+     </rdf:li>
+     <rdf:li>
+       <rdf:Description ID="SSL:mixed_content"
+         nc:name="mixed content"
+         nc:link="ssl_help.xhtml#mixed_content"/>
      </rdf:li></rdf:Seq>
    </nc:subheadings>
 </rdf:Description>
 
 <rdf:Description about="help-indexAZ.rdf#t">
    <nc:subheadings>
      <rdf:Seq><rdf:li>
        <rdf:Description ID="Tab_Key_Navigation"
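Review bot: The two new entries are only reachable through the "SSL" subheading; a reader who searches the index for "mixed content" without knowing it is an SSL preference will not find it under "M". If help-index1.rdf has no top-level "mixed content" entry elsewhere, add one pointing at the same `ssl_help.xhtml#mixed_content` anchor. The link targets `#ssl_warnings` and `#mixed_content` do match the `h3` ids introduced in ssl_help.xhtml in this same changeset, so the cross-references resolve.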
--- a/suite/locales/en-US/chrome/common/help/ssl_help.xhtml
+++ b/suite/locales/en-US/chrome/common/help/ssl_help.xhtml
@@ -85,56 +85,142 @@
     without violating these rules. Uncheck the outermost boxes to regain
     access to an enclosed intermediate version.</li>
 </ul>
 
 <h3 id="ssl_warnings">SSL Warnings</h3>
 
 <p>It&apos;s easy to tell when the website you are viewing is using an encrypted
   connection. If the connection is encrypted, the lock icon in the lower-right
-  corner of the browser window is locked. If the connection is not encrypted,
-  the lock icon is unlocked.</p>
+  corner of the browser window is locked
+  (<img src="chrome://communicator/skin/icons/lock-secure.png"/>). If the
+  connection is not encrypted, the lock icon is unlocked
+  (<img src="chrome://communicator/skin/icons/lock-insecure.png"/>). Encrypted
+  pages which contain some unencrypted items (mixed content) are shown with a
+  broken-lock icon
+  (<img src="chrome://communicator/skin/icons/lock-broken.png"/>).</p>
 
 <p>If you want additional warnings, you can select one or more of the warning
-  checkboxes in the SSL preferences panel. Some people find these warnings
-  annoying.</p>
+  checkboxes in the SSL preferences panel. Unless stated otherwise, a
+  notification bar will be presented at the top of the page triggering the
+  alert, with an option to enter this panel to change the option if the alert
+  is considered annoying.</p>
 
 <p>To activate any of these warnings, select the corresponding checkbox:</p>
 
 <ul>
   <li><strong>Loading a page that supports encryption</strong>: Select this
     warning if you want to be reminded whenever you are loading a page that
     supports encryption.</li>
   <li><strong>Leaving a page that supports encryption</strong>: Select this
     warning if you want to be reminded whenever you are leaving a page that
     supports encryption for one that does not.</li>
   <li><strong>Sending form data from an unencrypted page to an unencrypted
-    page</strong>: Select this warning if you want to be reminded whenever you
-    are submitting data over an unencrypted connection. If you send unencrypted
-    information over the Internet, it can easily be intercepted by other
-    people.</li>
+    page</strong>: Select this warning if you want to be alerted whenever you
+    are submitting data over an unencrypted connection. When this option is
+    selected, a dialog box will be presented to the user <em>before</em> the
+    page is actually opened, which allows the loading of the page to be
+    canceled before any potentially sensitive information is sent over an
+    unencrypted connection that can easily be intercepted by others.
+
+    <p><strong>Note</strong>: Submitting a form from an encrypted to an
+      unencrypted page will always prompt a dialog prior to opening the page,
+      regardless of this setting.</p>
+  </li>
   <li><strong>Viewing a page with an encrypted/unencrypted mix</strong>:
     Select this warning if you want to be alerted whenever you are viewing a
-    page that includes any information that&apos;s not encrypted.</li>
+    page that includes any information that&apos;s not encrypted.
+
+    <p><strong>Note</strong>: See the options in the Mixed Content section
+      below for blocking of such content and for more differentiated control
+      of the warnings.</p>
+  </li>
+</ul>
+
+<h3 id="mixed_content">Mixed Content</h3>
+
+<p>In general, there are two major issues related to transmitting sensitive
+  information over an unencrypted connection: One is the danger of someone
+  eavesdropping on the line, thus listening to the content transmitted; the
+  other of someone intercepting requests for the desired page and replacing
+  the legitimate content of that page with own (potentially malicious)
+  content. While so-called <q>Man In The Middle</q> attacks can usually be
+  detected in encrypted connections (e.g., by a certificate mismatch or an
+  invalid certificate presented by the interceptor), no such verification
+  exists for unencrypted connections.</p>
+
+<p>The term <q>Mixed Content</q> refers to a web page which itself is
+  encrypted, but which includes content on the same or a different server
+  which is <em>not</em> encrypted. Consequently, this part of the page is
+  still subject to the vulnerabilities of an unencrypted line. While there
+  are legitimate uses of that concept (such as including a company logo from
+  a different insecure website into an otherwise secure page), such designs
+  should be avoided.</p>
+
+<p>There are two general types of mixed content:</p>
+
+<ul>
+  <li><strong>Mixed Active Content</strong> (or Mixed Script Content): This
+    is content which has the potential to hide or modify parts of a web page,
+    or to actively leak content from the secure part of the page to its
+    insecure part. Examples include scripts (JavaScript), style sheets (CSS),
+    or the embedding of entire web pages into the main web page (iframes).</li>
+  <li><strong>Mixed Passive Content</strong> (or Mixed Display Content):
+    This type of content does <em>not</em> have the potential to alter or
+    monitor the web page as such. Examples include images and audio or video
+    streams. It is however possible that sensitive information is passed as
+    an encoding of the content&apos;s location (URL), as cookies, or returned
+    with the content itself (e.g., as text included in an image). Thus, passive
+    content isn&apos;t entirely harmless either.</li>
+</ul>
+
+<p>The following options allow you to be warned about and/or to block both
+  mixed active and mixed passive content:</p>
+
+<ul>
+  <li><strong>Warn me when encrypted pages contain insecure content</strong>:
+    Check this to instruct &brandShortName; to present a notification bar when
+    mixed <em>active</em> content was loaded or blocked. The notification bar
+    contains a button to open this preference panel.</li>
+  <li><strong>Don&apos;t load insecure content on encrypted pages</strong>:
+    Check this to prevent mixed active content from being loaded at all but
+    to be blocked. If also the <q>Warn me</q> option is checked, the
+    notification bar will contain two additional buttons:
+    <ul>
+      <li><strong>Keep Blocking</strong>: Dismiss the notification bar without
+        loading the potentially insecure content.</li>
+      <li><strong>Unblock</strong>:
+        Load the potentially insecure content <em>once</em> but not
+        automatically when this page is visited again in the future.</li>
+    </ul>
+  </li>
+  <li><strong>Warn me when encrypted pages contain other types of mixed
+    content</strong>: Check this to instruct &brandShortName; to present a
+    notification bar when mixed <em>passive</em> content was loaded or blocked.
+    The notification bar contains a button to open this preference panel.</li>
+  <li><strong>Don&apos;t load other types of mixed content on encrypted
+    pages</strong>: Check this to prevent mixed passive content from being
+    loaded at all but to be blocked. If also the <q>Warn me</q> option is
+    checked, a notification is presented that such content was blocked.</li>
 </ul>
 
 <p>For short definitions, click
   <a href="glossary.xhtml#authentication">authentication</a>,
   <a href="glossary.xhtml#encryption">encryption</a>, or
   <a href="glossary.xhtml#certificate">certificate</a>.</p>
 
 <p>For more information about ciphers and encryption, see the following online
   documents:</p>
 
 <ul>
   <li>
-    <a href="http://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography">Introduction
+    <a href="https://developer.mozilla.org/en-US/docs/Introduction_to_Public-Key_Cryptography">Introduction
     to Public-Key Cryptography</a></li>
   <li>
-    <a href="http://developer.mozilla.org/en/Introduction_to_SSL">Introduction
+    <a href="https://developer.mozilla.org/en-US/docs/Introduction_to_SSL">Introduction
     to SSL</a></li>
   <li>
-    <a href="http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html">Encryption
-    Technologies Available in NSS 3.11</a>.</li>
+    <a href="https://developer.mozilla.org/en-US/docs/NSS">Technologies
+      Available in the Network Security Services (NSS)</a>.</li>
 </ul>
 
 </body>
 </html>
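Review bot: The three new `<img>` elements for the lock icons have no `alt` attribute, so the secure/insecure/broken distinction is lost to screen readers and to any rendering where the `chrome://communicator/skin/icons/` images are unavailable; add `alt="locked"`, `alt="unlocked"` and `alt="broken lock"` (or similar). Two wording points in the Mixed Content list: "Check this to prevent mixed active content from being loaded at all but to be blocked" (and the parallel passive-content sentence) reads awkwardly, suggest "Check this to block mixed active content instead of loading it." Also, the passive-content "Don't load" entry says only that "a notification is presented that such content was blocked", while the active-content entry documents Keep Blocking and Unblock buttons; if the passive case deliberately offers no unblock button, say so explicitly so the asymmetry reads as intended rather than as an omission.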
--- a/suite/locales/en-US/chrome/common/help/using_certs_help.xhtml
+++ b/suite/locales/en-US/chrome/common/help/using_certs_help.xhtml
@@ -129,19 +129,20 @@
     verified. (For information on certificate verification, see
     <a href="#controlling_validation">Controlling Validation</a>.)</li>
   <li>The bottom half describes whether the contents of the page you are
     viewing is protected by encryption while in transit over the network.</li>
 </ul>
 
 <p><strong>Important</strong>: The lock icon describes only the encryption
   status of the page while it was being received by your computer. To be
-  notified before you send or receive information without encryption, select
-  the appropriate SSL warning options. See <a href="ssl_help.xhtml">Privacy
-  &amp; Security Preferences - SSL</a> for details.</p>
+  notified when you send or receive information without encryption, or to
+  block potentially harmful mixed content, select the appropriate SSL warning
+  and mixed content options. See <a href="ssl_help.xhtml">Privacy &amp;
+  Security Preferences - SSL</a> for details.</p>
 
 <p>[<a href="#using_certificates">Return to beginning of section</a>]</p>
 
 <h1 id="managing_certificates">Managing Certificates</h1>
 
 <p>You can use the Certificate Manager to manage the certificates you have
   available. Certificates may be stored on your computer&apos;s hard disk or on
   <a href="glossary.xhtml#smart_card">smart cards</a> or other security devices
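Review bot: Replacing "notified before you send or receive" with "notified when you send or receive" loses a distinction that the ssl_help.xhtml hunk in this same changeset makes a point of: the form-submission warning presents a dialog before the page is opened, so the user can still cancel, whereas the other warnings are notification bars shown after the fact. Suggest "To be notified before you send, or when you receive, information without encryption, or to block potentially harmful mixed content, ..." so the Important note stays consistent with the SSL warnings text it links to.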