nice but red button too alarming... Rated 4 out of 5 stars
[MY APOLOGIES: when I foolishly tried to consolidate my original review with my later comments replying to developer, this apparently deleted the developer's reply as well!]
Having a RED icon just because an https version of the site exists is too alarming for some users, and we don't want to numb them to red icons so that they ignore it when WOT, LinkExtend, Webutation, or other addons show a red icon.
Maybe use red only if the user has previously visited the https site, which indicates that he may have intended to do so this time. If I've never used the https version of google, I don't want to be so strongly told that it exists, though some less-alarming indication would be useful.
I do like the idea that it identifies an https alternative version of the site without automatically redirecting you there like Find Https(?).
Actually the feature I like best is that the add-on helps warn you when you're on an https site with certificate problems even when you've already entered an exception for it into firefox. As soon as you add the exception, most other ssl addons treat it as being just as safe as a site with no issues at all. Calomel (?) also warns of similar, but it is even more alarmist in displaying a huge blood-red icon even when the site merely isn't using the latest and greatest cryptographic strength, which isn't nearly as dangerous as a potential phishing site.
EDIT: THE REST OF MY REVIEW HERE IS MY RESPONSE to developer's reply down below. I've added a star for your prompt response and explanation.
Andrew, good points. But it isn't necessarily *less* dangerous to submit information insecurely just because there is *no* obvious ssl version of the page, so why "panic" only when there is an ssl version of the page? To me, a red icon should indicate whether there's unusual danger that you should look at carefully before doing *anything* on that site.
If the danger specifically relates to submitting sensitive information, I think any indication of this should ideally be at the input fields instead -- where did I see a browser that makes the field background a different color when it's secure? It would also be nice to know whether a secure version *exists*, but this part should look too alarming or it just desensitizes us to bigger dangers.
Certainly if you aren't on an open wifi hotspot, the biggest danger isn't that someone is going to steal the information that you're submitting to a legitimate site (and if it's a reputable site and there's no ssl version, they shouldn't be asking you for sensitive information anyway). The biggest danger is that you aren't on the site you think you're on, in which case switching to the ssl version of the same phony site isn't going to solve this problem! I would say that if you got there by following a link in email for example, why would the phisher have created an ssl version but directed you to the non-ssl one?
I wasn't suggesting that the add-on *store* any history, but only that you *read* history (if any exists) that's already been stored in the browser, to determine whether the user has visited the ssl version in recent months.
Also, how about trying to guess whether information is sensitive, like a password field or if the user is trying to submit a six-to-twelve digit (numeric) ID which may be an account number or social security/tax id or a date (possible birth date)?
I do like it to be obvious that one has a choice; maybe another option could be to automatically redirect to the https version the first time, or only when you've been to the ssl version before, but provide a button to go back to the non-ssl version (and remove the just-added ssl version from history so you won't go there automatically next time.)
[MY APOLOGIES: see my note all the way at the top above.]