I really like the new Firefox secure site notification UI. What do you all think?

I think most users will be a lot more likely to notice it in the Address field rather than the lower corner of the status bar.
Posted by asa at June 22, 2004 02:11 PM

Very nice touch! Does the location bar turn yellow as well or is that some local theme tweak? I'm hoping it does change, it makes it even more visible.
I'm taking it that double-clicking the icon will open up the Security Manager that's in the works? Wow... Just seeing that screenshot makes me want to give the Firefox nightlies another spin! ;-) I'm perfectly happy with .9 right now though, although it's crashed about three times since I installed it, which didn't happen in the earlier milestone.
Ah well, when seeing such nice improvements, I'm confident that 1.0 is going to be the best browser ever.
Posted by: Markus Lindström on June 22, 2004 03:32 PM

To be completely honest, I think this move defeats the purpose of having a status bar in the first place. Yes, it is more noticeable this way. But still, the convention is to use the /status bar/ for displaying the /status/ and I don't really see the point of making it more noticeable in the first place.
Is there really a need to make the secure site notification more discoverable? Have real users or product reviewers expressed this need or was it just added because Ben had problems discovering the status icon when it was located in the status bar? The bug report didn't explain the rationale behind this decision.
Posted by: David Tenser on June 22, 2004 03:51 PM

Markus, yes, the yellow is for secure sites, and clicking the icon launches the security panel of page info.
David, status bars suck :) Content developers can shove crap in there that can mislead and confuse as well as annoy. I'd like to see the progress meter move to the urlbar as well, like MSN Explorer did a couple of years ago and then Safari copied.
--Asa
Posted by: Asa Dotzler on June 22, 2004 03:57 PM

Nice! That's some smart thinking :)
It's a shame the status bar has become just another toolbar though. The stylesheet switcher probably doesn't belong there as it's not really a status - perhaps it could join the security icon? Or, even better, add Seamonkey's toolbar back in and include it there.
Posted by: Greg K Nicholson on June 22, 2004 04:12 PM

looks good to me, especially if you are changing the address box color too. I seldom remember to look at it down in the status bar.
Posted by: Jeff Wilkinson on June 22, 2004 04:16 PM

Greg, or the stylesheet switcher could just go away. I think it would make a fantastic extension :)
--Asa
Posted by: Asa Dotzler on June 22, 2004 04:23 PM

nice touch!
Posted by: Steve Sizemore on June 22, 2004 04:23 PM

On a sidenote: Who on earth chose such a weird gmail account ????
I agree with the change. I think the status bar is ignored by most folks most of the time (including me). This will make it more obvious that you are on a secure site, which is good. /Especially/ if you are expecting to be on a secure site, and you aren't. Most people will just cruise right along and fill out an order, without checking to make sure they are secure. If people get used to seeing the yellow up there, then they should notice when they are on a http connection but shouldn't be.
Posted by: Yacoubean on June 22, 2004 04:40 PM

Henrik, I chose that gmail account :-)
--Asa
Posted by: Asa Dotzler on June 22, 2004 04:48 PM

Such prominent visual feedback goes a long way in promoting concept of secure websites and online security in general. I'm sure that this feature is so user-friendly that it is going to be copied by other browser makers soon. Before this change, one had to know that status bar icon exists to start paying attention to it. Now, it's in your face, and level of user interaction has not changed, i.e. no new dialog or window is introduced. I love it!
I didn't have a chance to try it out, but I have a question for those who did: is address bar color different for mixed content sites (secure and not), and for low grade encryption sites? I'd say the color should be different.
BTW, Asa, nice email you have. Do you remember it by heart? ;)
Posted by: Walter K on June 22, 2004 04:54 PM

It's definitely better - although getting end-users to figure out what a secure site _is_ is still an issue.
Posted by: Bo on June 22, 2004 05:12 PM

Why isn't my gmail account secure when I log in?
Posted by: Jeff on June 22, 2004 05:19 PM

Well, there's an ongoing discussion about it in the bug: http://bugzilla.mozilla.org/show_bug.cgi?id=245406
The issue with it is that if the site turns the URL bar off, then this new indication disappears. That's an issue with the status bar, but to fix it there was a proposal to not allow it to be turned off (something that IE is implementing). That's feasible for the status bar, but preventing sites turning the whole URL/toolbar off is probably not an option.
To solve that, it's been suggested that there could be an indication on the status bar if the URL box is turned off, but then you'd have different indications at different times, which is confusing.
Anyway, I think this coloured URL bar looks fine, but the issue with making it always available needs to be resolved, and so far it looks like that goal is being moved further away. Hopefully something can be worked out...
Posted by: michaell on June 22, 2004 05:26 PM

Doh - wrong bug (that's another parallel bug that happened separately). The current discussion is in bug 244025 - http://bugzilla.mozilla.org/show_bug.cgi?id=244025
Posted by: michaell on June 22, 2004 05:29 PM

Walter, yeah, I remember the email address. It's the name of a fish. I saw a lot of them on our recent trip to Hawaii.
--Asa
Posted by: Asa Dotzler on June 22, 2004 05:37 PM

Yes, per current Rule-By-Fiat policy (Ch. 12, Sec 619 Firefox charter), I had trouble noticing the icon (or rather - LACK of icon) in the status bar until near the end of a transaction process one day, and figured we needed a better way of ensuring the basic trust that transactions are being handled securely.
The next step is verifying the identity of a given site, and there are numerous people developing ideas as to how to do that.
Posted by: Ben Goodger on June 22, 2004 05:40 PM

Surely the background colour change alerts users when they are at a secure site, but in reality the user needs to do nothing unless they are *not* at a secure site.
Maybe a better way would be to turn the URL bar red/light pink if they are not at a secure site, yet are entering a password field or credit card or some other heuristic to determine if they really should be at a secure site.
As for status bars, I think the Opera 6 loading status bar was just perfect - it only appeared while a site was loading, and told you how many images had loaded (and how many to go), Kb/s (or bytes/s on my modem sometimes), % of website done. And yet when the page had loaded, and you could no longer care, it disappeared.
Posted by: Neil Mitchell on June 22, 2004 05:46 PM

That is a great email account name :). The fish, humuhumunukunukuapua'a is the state fish of Hawaii... Someone in my office just came back with a shirt about the very same fish. The front of it says something like "Humu-humu-blah-blah-whatever" and the back says: "Only in Hawaii. Long name, but little fish."
I think a lot of users really do ignore the little 15 pixel icons in the corner of applications... it will be easier for me to point them out to the security settings now that it is in a prominent position by the URL. Keep up the good work Ben and Asa. 1.0 should be great!
^_^ paul
Posted by: Paul Trier on June 22, 2004 06:02 PM

Sure this defeats the point of the status bar, but it is far more recognizable - and that is all that matters.
Posted by: rgw on June 22, 2004 06:20 PM

personally i like it, but normal people are trained to watch for the lock at the bottom of the browser, and if they don't see it there then they might not think the site is secure, even if it is.
perhaps the lock icon should be animated (like a spinning lock) to attract the eye's attention?
jason
Posted by: Jason on June 22, 2004 07:20 PM

Asa, you said "I'd like to see the progress meter move to the urlbar as well." Have you tried Stephen Clavering's Fusion extension? Darned if I can find a homepage for it, but the XPI is on mozdev.org.
Posted by: Peter J. on June 22, 2004 08:05 PM

I like it a lot. I don't think any user, "normal" or not, is going to miss the address bar changing color.
Posted by: Dennis on June 22, 2004 08:55 PM

Nice touch :)
I assume the status bar icon remains on the status bar, and this is just an addition - as someone else mentioned "people have been told to look for the little yellow padlock down the bottom"
Changing the background colour is nice - however the only slight problem with that is if you already have the "window background" set to (the same or a similar) yellow (I know some people that do).
I don't think it is a huge issue, and please don't force all the inputs to be bright white, that would be worse :/
Posted by: Donald on June 23, 2004 12:53 AM

I don't think any user, "normal" or not, is going to miss the address bar changing color.
That's assuming the address bar is present. Are we planning to make it permanent? And it still doesn't do anything about phishing.
Asa: you may think that "status bars suck", but it's become clear that every browser window needs some permanent UI to avoid user confusion (malicious or otherwise). IE has opted for the status bar in XP SP 2 - if we opt for something different, we are really going to irritate website authors.
People are already trained to "look for the lock" - we need to leverage that glance.
Fuller discussion and justification of a statusbar-based solution can be found in bug 245406.
Gerv
Posted by: Gerv on June 23, 2004 01:22 AM

I agree that the icon is more noticeable in the URL field. But why should it be noticeable? Shouldn't the user rather be alerted, when the connection is NOT encrypted?
I look for the icon e.g. when entering my credit card details. When I don't do something that requires encryption, I don't really care whether the connection is secure or not. Surely, encryption is always nice no matter which website I visit, but I don't like being alerted when entering a site that happened to install an SSL certificate on their server.
Posted by: Christian Schmidt on June 23, 2004 03:54 AM

yeah the huma huma trigger :), also formerly seen at the Netscape Fishcam on http://wp.netscape.com/fishcam/fishcam.html (see at bottom of the site "Former Residents"). Unfortunately the fishcam isn't working since a while.
Posted by: mcsmurf on June 23, 2004 04:28 AM

Another important visual indication is what the site is secured as. For instance if the certificate says "phisher.example.com" and the URL is something like "http://www.good-guy.com@phisher.example.com" having "phisher.example.com" shown somewhere prominent would ruin the poor phisher.
Posted by: Perry Lorier on June 23, 2004 04:55 AM

I have to agree this is a much more intuitive place for the average user (at least, my time in helpdesk support would seem to indicate that). I have to agree with Asa's comments regarding the status bar, it's pretty much useless currently.
Posted by: Jude Cooks on June 23, 2004 07:14 AM

Meh, /I/ don't think the status bar is useless. If you do, try turning it off for a day. Pure agony, or for me at least.
And I love the email address, Asa... but are you really expecting very many people to email you there? ;-)
Posted by: dolphinling on June 23, 2004 08:05 AM

well, with an email like that, you won't have to worry about spam by dictionary attack... ;-)
I'll bet there won't be a bunch of people requesting that same one... with gmail adding numbers... humuhumunukunukuapua73@...
Posted by: Jeff Wilkinson on June 23, 2004 09:55 AM

Asa says: ...the stylesheet switcher could just go away....
The w3c says that a stylesheet switcher should be provided by the user agent. For that reason, it seems less appropriate for an extension.
Posted by: A different Greg on June 23, 2004 10:21 AM

on the topic of your email, check out today's user friendly comic ;-)
http://www.userfriendly.org/cartoons/archives/04jun/xuf006853.gif
Dolphinling, no :-) I don't expect many people will email me there. I plan on using it for quick searching of a bunch of existing mail that I've exported from my local drive.
Jeff, that's a pretty good comic. Yeah, no dictionary attack spams will be nice and I probably won't have to worry about anyone emailing me either ;-)
A different Greg, there are lots of things that the w3c says we should be doing that we aren't. This one doesn't seem like it ranks that high to me. Everyone in the world (besides me) who has alternate style sheets provides their own switching mechanism on the site itself.
--Asa
Posted by: Asa Dotzler on June 23, 2004 11:55 AM

It's a nice initiative, but I don't like the yellow. Perhaps it should be a little less obtrusive, e.g. a gradient to white?
Posted by: [ct] on June 23, 2004 01:10 PM

"Everyone in the world (besides me) who has alternate style sheets provides their own switching mechanism on the site itself."
That's because IE doesn't provide the mechanism. Shouldn't Fx maintain its lead in the standards field and continue to be the one of the first browsers (or the first altogether, dunno) to have native alternate stylesheet support? It doesn't exactly make the UI bloated imho.
Posted by: [ct] on June 23, 2004 01:17 PM

Great!
What I think is you can colour the username/password in red (or other color), so you can notice the fake URL "http://www.good-guy.com@phisher.example.com"
Posted by: tulio serpio on June 24, 2004 05:17 AM

"What I think is you can colour the username/password in red"
I know at least one person who'd be looking for a UI to turn that off.
Posted by: [ct] on June 24, 2004 05:43 AM

I filed a bug for that as soon as I saw this feature, which was a few days ago. http://bugzilla.mozilla.org/show_bug.cgi?id=247875
color the url bar when username and password are part of the url
btw: Thanks, Asa for the gmail account ;)
Posted by: Kevin Brosnan on June 24, 2004 06:16 AM

also, it would be great if there was an option to make website host name bold
eg.
http://[bold]www.cnn.com[/bold]/worldnews/today/etc
talking about status bar things, can we make browser UI improvement suggestion http://bugzilla.mozilla.org/show_bug.cgi?id=155482 into Firefox 1.0 whether or not it will appear on Mozilla? Reason is it looks like Firefox 1.0 is going to be the most widespread version of Firefox, many users will not be updating it for ages after having installed it, and raising awareness about web standards among not that power users will be a good thing. What do you think?
there was such a suggestion on Dave Massy's "Return of the xxxx?" blog entry for ie, by the way.
vr, I will do everything in my power to make sure that feature does _not_ make it into Firefox. Thanks for pointing it out :-)
--Asa
Posted by: Asa Dotzler on June 24, 2004 07:53 PM

Asa, could you spare some time to reason why you object to it? It is controversial, I was weighing pro et contra very carefully before pointing it out, but anyway, I am interested what makes you think it's a no go? :)
Posted by: vr on June 24, 2004 08:01 PM

The Web Developer extension implements such a feature in its toolbar, and I think that's good enough. From personal experience, I wasn't even aware of the existence of different rendering modes before I noticed the icon in WebDev, and I really think that it's best that the average Joe doesn't know about it. He doesn't _need_ to.
Anyway, I wanted to ask: aren't the latest UI changes, especially the location bar and bookmarks manager updates going to be checked in into the 0.9.1 branch? If not, what a shame! ;-)
The upgraded Winstripe looks marvelous, by the way.
Posted by: Markus Lindström on June 25, 2004 04:36 PM
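
Several comments above turn on the `http://www.good-guy.com@phisher.example.com` URL, and on the suggestions to colour the username/password part and to bold the host name. The following is an added example, not part of the original thread and not Firefox code; `inspectUrl` and its return shape are hypothetical names, and it uses the standard WHATWG `URL` parser to separate userinfo from the real host so a UI could style each part.

```javascript
// Added example (not Firefox code): inspectUrl and its return shape are
// hypothetical names chosen for illustration.
function inspectUrl(input) {
  const u = new URL(input); // WHATWG URL parser, global in Node.js and browsers
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new TypeError("only http(s) URLs are handled here");
  }
  const secure = u.protocol === "https:";

  // Everything before "@" in the authority is userinfo, never the host.
  const hasUserinfo = u.username !== "" || u.password !== "";
  const userinfo = hasUserinfo
    ? u.username + (u.password !== "" ? ":" + u.password : "")
    : "";

  const warnings = [];
  if (hasUserinfo) {
    warnings.push("userinfo-present");
    // A username shaped like a domain name is what makes the URL misleading.
    if (/^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username)) {
      warnings.push("userinfo-looks-like-host");
    }
  }
  if (!secure) warnings.push("not-https");

  // Display segments: userinfo flagged, real host emphasised, rest plain.
  const segments = [{ text: u.protocol + "//", style: "plain" }];
  if (hasUserinfo) segments.push({ text: userinfo + "@", style: "warn" });
  segments.push({ text: u.hostname, style: "bold" });
  segments.push({
    text: (u.port ? ":" + u.port : "") + u.pathname + u.search + u.hash,
    style: "plain",
  });

  return { host: u.hostname, userinfo, secure, warnings, segments };
}

// Constructed sample input: the two URLs quoted in the comments above.
for (const sample of [
  "http://www.good-guy.com@phisher.example.com",
  "http://www.cnn.com/worldnews/today/etc",
]) {
  const r = inspectUrl(sample);
  console.log(r.host, r.warnings.join(","), r.segments.map((s) => s.text).join(""));
}
```

For the first sample the host comes back as `phisher.example.com` with `www.good-guy.com@` in a `warn` segment, which is the distinction the commenters wanted the URL bar to make visible.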