Firefox security levels
Sep. 16, 2005, 05:00 AM
Post: #1
Themes for Firefox have a stylesheet called "browser.css" which is under the subdirectory "browser". In this stylesheet there are settings for the status bar images which indicate whether a page is secure or not. The designations are "#security-button[level="low"]" and "#security-button[level="high"]".
My first question is: since there are two levels of security listed, why do many themes use the same image to represent both of them?
What is the difference between those two levels?
Sep. 16, 2005, 07:14 AM
Post: #2
 
I'm not absolutely sure about this, but I think the low-level, indicated by a lock that is cut in half in some Mozilla Suite/SeaMonkey themes, means that the website identity has been verified by a certificate, but that some or all of the content is not encrypted (and thus is exposed in transit).

As for why some themes don't have a distinct image for each level ??? However, as you probably know, you can take the code you've found (adding !important as needed), put it in userChrome.css, drop images of your choice in your chrome folder, and voilà!

Surfing with Proxo on wine in Debian GNU/Linux ... can ya dig it?
Sep. 18, 2005, 04:58 AM
Post: #3
 
nxIsle,
Quote: low-level, indicated by a lock that is cut in half in some Mozilla Suite/SeaMonkey themes
The padlock that is broken in half means that security is broken. For instance, if I absent-mindedly try to use a proxy server that does not handle https with a secure site, I get the broken padlock image plus an error message.

There used to be a "mixed" padlock image, with a padlock with a closed hasp with a fraction of a padlock body attached to it with an open hasp.
Internet Explorer used the term "mixed security" to mean that some frames on a page were encrypted, but not all. There are also different levels of encryption possible. I don't know which applies to the "low level" security in Mozilla browsers, but I would like to know.

I have fixed the themes which do not have a separate image for low level security by making a suitable image, adding it to the theme archive file, and modifying the stylesheet to use the new image. I want to see if my browser is using a lower level of security. So far, I have not seen that image appear on my status bar.
Sep. 18, 2005, 11:12 AM
Post: #4
 
Well, this is peculiar.

I checked by visiting bugzilla with and without Proxo.

With Proxo, I get the broken lock, and page info > security states that the web site identity is verified, but not all parts are encrypted.

Without Proxo, I get the whole lock, with page info > security stating that the web site identity is verified, and all parts are encrypted.

The only warning I get is a dialogue saying that the Proxo certificate isn't the one for the site, and asking if I want to accept it, once per session.

This is in Linux, but I'm pretty sure I saw the same thing in Windows.

Proxo is definitely filtering these pages; I have ssl set up, and both the page indicator and the bugzilla style sheet injected by Proxo are present when I visit bugzilla via Proxo.

Currently, Mozilla products have a weak authentication vulnerability.

Surfing with Proxo on wine in Debian GNU/Linux ... can ya dig it?
Sep. 19, 2005, 05:56 AM
Post: #5
 
With Prox filters in use, I cannot get into Bugzilla at all. I keep getting an error box from Prox. With filtering bypassed, I get the high-security padlock.
Sep. 20, 2005, 07:01 AM
Post: #6
 
That's odd, guest. Are we talking about the same bugzilla -- bugzilla.mozilla.org? Can you get to other https sites okay with Proxo? I'm assuming you've got the right ssl files?

Looks like this to me with Proxo, using a local stylesheet: http://tinypic.com/dvt08z.png

Surfing with Proxo on wine in Debian GNU/Linux ... can ya dig it?
Sep. 21, 2005, 06:15 AM
Post: #7
 
I just tried bugzilla again after re-unarchiving the ssleay & libeay files. It works now. I get the high security padlock image with or without Prox filtering. I get the certificate warning with any secure site.
Sep. 21, 2005, 08:29 AM
Post: #8
 
I had some problems about six to ten months ago with ssl files becoming corrupted somehow, and getting an error message (something along the lines of "Exception [C000000] raised in ... Ssl etc, etc, ... "); I couldn't connect to https until I replaced a file, which I think was ssleay32.dll. Seems like I never could find much discussion of that problem anywhere.

The certificate warning is normal, I guess, since the name doesn't match the site, the browser asks if it's okay; I only get asked the first time each session.

I still get broken when using Proxo and full/unbroken with direct connection. Hmm ... I just checked the code in chrome://navigator/skin/navigator.css for mozilla, and have:
Code:
#security-button {
  list-style-image: url("chrome://navigator/skin/icons/lock-insecure.gif");
}

#security-button[level="high"] {
  list-style-image: url("chrome://navigator/skin/icons/lock-secure.gif");
}

#security-button[level="low"] {
  list-style-image: url("chrome://navigator/skin/icons/lock-secure.gif");
}

#security-button[level="broken"] {
  list-style-image: url("chrome://navigator/skin/icons/lock-broken.gif");
}
So I don't have a distinct image for low-level security either. I thought I'd used one when I hacked this theme. I'll have to make a low-level image to use and try it.

Surfing with Proxo on wine in Debian GNU/Linux ... can ya dig it?
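Added example (not part of any post in this thread): a userChrome.css that follows the approach described in post #2 and gives each level selector from the code in post #8 its own image, so a theme that maps "low" and "high" to the same file can no longer hide the difference. The image file names are hypothetical and are assumed to sit in the profile's chrome folder next to userChrome.css.

```css
/* userChrome.css, placed in the profile's "chrome" folder.
   Added example: the four image file names below are hypothetical
   placeholders for images you supply yourself. */
@namespace url("http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul");

/* No level attribute set: the theme's "insecure" default. */
#security-button {
  list-style-image: url("lock-none.png") !important;
}

/* level="high": the image most themes already provide. */
#security-button[level="high"] {
  list-style-image: url("lock-high.png") !important;
}

/* level="low": a visibly different image, so this state is never
   shown with the same padlock as level="high". */
#security-button[level="low"] {
  list-style-image: url("lock-low.png") !important;
}

/* level="broken": keep a distinct image here as well. */
#security-button[level="broken"] {
  list-style-image: url("lock-broken.png") !important;
}
```

The !important flags let these rules win over the theme's own browser.css or navigator.css rules for the same selectors.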
Sep. 22, 2005, 07:47 AM
Post: #9
 
It may be a long time before you see it on your status bar, if ever. I have yet to see the low-level security image, and I have tweaked all the themes I use on Firefox to have both a low-security image and a no-security image. Of course, I do see the latter one.