Bug 904189 - Document changes in SSL warnings and new options for mixed content blocker in Security Socket Layer preference pane. r=IanN

2013-09-25 18:02:48 -05:00 · 2013-09-25 18:02:48 -05:00 · 6ae2b6f062
--- a/suite/locales/en-US/chrome/common/help/help-index1.rdf
+++ b/suite/locales/en-US/chrome/common/help/help-index1.rdf
@ -2036,6 +2036,16 @@
       <rdf:Description ID="SSL:protocols"
         nc:name="SSL protocols"
         nc:link="ssl_help.xhtml#ssl_protocol_versions"/>
+     </rdf:li>
+     <rdf:li>
+       <rdf:Description ID="SSL:warnings"
+         nc:name="SSL warnings"
+         nc:link="ssl_help.xhtml#ssl_warnings"/>
+     </rdf:li>
+     <rdf:li>
+       <rdf:Description ID="SSL:mixed_content"
+         nc:name="mixed content"
+         nc:link="ssl_help.xhtml#mixed_content"/>
     </rdf:li></rdf:Seq>
   </nc:subheadings>
 </rdf:Description>
--- a/suite/locales/en-US/chrome/common/help/ssl_help.xhtml
+++ b/suite/locales/en-US/chrome/common/help/ssl_help.xhtml
@ -90,12 +90,19 @@

 <p>It&apos;s easy to tell when the website you are viewing is using an encrypted
  connection. If the connection is encrypted, the lock icon in the lower-right
-  corner of the browser window is locked. If the connection is not encrypted,
-  the lock icon is unlocked.</p>
+  corner of the browser window is locked
+  (<img src="chrome://communicator/skin/icons/lock-secure.png"/>). If the
+  connection is not encrypted, the lock icon is unlocked
+  (<img src="chrome://communicator/skin/icons/lock-insecure.png"/>). Encrypted
+  pages which contain some unencrypted items (mixed content) are shown with a
+  broken-lock icon
+  (<img src="chrome://communicator/skin/icons/lock-broken.png"/>).</p>

 <p>If you want additional warnings, you can select one or more of the warning
-  checkboxes in the SSL preferences panel. Some people find these warnings
-  annoying.</p>
+  checkboxes in the SSL preferences panel. Unless stated otherwise, a
+  notification bar will be presented at the top of the page triggering the
+  alert, with an option to enter this panel to change the option if the alert
+  is considered annoying.</p>

 <p>To activate any of these warnings, select the corresponding checkbox:</p>

@ -107,13 +114,92 @@
    warning if you want to be reminded whenever you are leaving a page that
    supports encryption for one that does not.</li>
  <li><strong>Sending form data from an unencrypted page to an unencrypted
-    page</strong>: Select this warning if you want to be reminded whenever you
-    are submitting data over an unencrypted connection. If you send unencrypted
-    information over the Internet, it can easily be intercepted by other
-    people.</li>
+    page</strong>: Select this warning if you want to be alerted whenever you
+    are submitting data over an unencrypted connection. When this option is
+    selected, a dialog box will be presented to the user <em>before</em> the
+    page is actually opened, which allows the loading of the page to be
+    canceled before any potentially sensitive information is sent over an
+    unencrypted connection that can easily be intercepted by others.
+
+    <p><strong>Note</strong>: Submitting a form from an encrypted to an
+      unencrypted page will always prompt a dialog prior to opening the page,
+      regardless of this setting.</p>
+  </li>
  <li><strong>Viewing a page with an encrypted/unencrypted mix</strong>:
    Select this warning if you want to be alerted whenever you are viewing a
-    page that includes any information that&apos;s not encrypted.</li>
+    page that includes any information that&apos;s not encrypted.
+
+    <p><strong>Note</strong>: See the options in the Mixed Content section
+      below for blocking of such content and for more differentiated control
+      of the warnings.</p>
+  </li>
+</ul>
+
+<h3 id="mixed_content">Mixed Content</h3>
+
+<p>In general, there are two major issues related to transmitting sensitive
+  information over an unencrypted connection: One is the danger of someone
+  eavesdropping on the line, thus listening to the content transmitted; the
+  other of someone intercepting requests for the desired page and replacing
+  the legitimate content of that page with own (potentially malicious)
+  content. While so-called <q>Man In The Middle</q> attacks can usually be
+  detected in encrypted connections (e.g., by a certificate mismatch or an
+  invalid certificate presented by the interceptor), no such verification
+  exists for unencrypted connections.</p>
+
+<p>The term <q>Mixed Content</q> refers to a web page which itself is
+  encrypted, but which includes content on the same or a different server
+  which is <em>not</em> encrypted. Consequently, this part of the page is
+  still subject to the vulnerabilities of an unencrypted line. While there
+  are legitimate uses of that concept (such as including a company logo from
+  a different insecure website into an otherwise secure page), such designs
+  should be avoided.</p>
+
+<p>There are two general types of mixed content:</p>
+
+<ul>
+  <li><strong>Mixed Active Content</strong> (or Mixed Script Content): This
+    is content which has the potential to hide or modify parts of a web page,
+    or to actively leak content from the secure part of the page to its
+    insecure part. Examples include scripts (JavaScript), style sheets (CSS),
+    or the embedding of entire web pages into the main web page (iframes).</li>
+  <li><strong>Mixed Passive Content</strong> (or Mixed Display Content):
+    This type of content does <em>not</em> have the potential to alter or
+    monitor the web page as such. Examples include images and audio or video
+    streams. It is however possible that sensitive information is passed as
+    an encoding of the content&apos;s location (URL), as cookies, or returned
+    with the content itself (e.g., as text included in an image). Thus, passive
+    content isn&apos;t entirely harmless either.</li>
+</ul>
+
+<p>The following options allow you to be warned about and/or to block both
+  mixed active and mixed passive content:</p>
+
+<ul>
+  <li><strong>Warn me when encrypted pages contain insecure content</strong>:
+    Check this to instruct &brandShortName; to present a notification bar when
+    mixed <em>active</em> content was loaded or blocked. The notification bar
+    contains a button to open this preference panel.</li>
+  <li><strong>Don&apos;t load insecure content on encrypted pages</strong>:
+    Check this to prevent mixed active content from being loaded at all but
+    to be blocked. If also the <q>Warn me</q> option is checked, the
+    notification bar will contain two additional buttons:
+    <ul>
+      <li><strong>Keep Blocking</strong>: Dismiss the notification bar without
+        loading the potentially insecure content.</li>
+      <li><strong>Unblock</strong>:
+        Load the potentially insecure content <em>once</em> but not
+        automatically when this page is visited again in the future.</li>
+    </ul>
+  </li>
+  <li><strong>Warn me when encrypted pages contain other types of mixed
+    content</strong>: Check this to instruct &brandShortName; to present a
+    notification bar when mixed <em>passive</em> content was loaded or blocked.
+    The notification bar contains a button to open this preference panel.</li>
+  <li><strong>Don&apos;t load other types of mixed content on encrypted
+    pages</strong>: Check this to prevent mixed passive content from being
+    loaded at all but to be blocked. If also the <q>Warn me</q> option is
+    checked, a notification is presented that such content was blocked.</li>
 </ul>

 <p>For short definitions, click
@ -126,14 +212,14 @@

 <ul>
  <li>
-    <a href="http://developer.mozilla.org/en/Introduction_to_Public-Key_Cryptography">Introduction
+    <a href="https://developer.mozilla.org/en-US/docs/Introduction_to_Public-Key_Cryptography">Introduction
    to Public-Key Cryptography</a></li>
  <li>
-    <a href="http://developer.mozilla.org/en/Introduction_to_SSL">Introduction
+    <a href="https://developer.mozilla.org/en-US/docs/Introduction_to_SSL">Introduction
    to SSL</a></li>
  <li>
-    <a href="http://www.mozilla.org/projects/security/pki/nss/nss-3.11/nss-3.11-algorithms.html">Encryption
-    Technologies Available in NSS 3.11</a>.</li>
+    <a href="https://developer.mozilla.org/en-US/docs/NSS">Technologies
+      Available in the Network Security Services (NSS)</a>.</li>
 </ul>

 </body>
--- a/suite/locales/en-US/chrome/common/help/using_certs_help.xhtml
+++ b/suite/locales/en-US/chrome/common/help/using_certs_help.xhtml
@ -134,9 +134,10 @@

 <p><strong>Important</strong>: The lock icon describes only the encryption
  status of the page while it was being received by your computer. To be
-  notified before you send or receive information without encryption, select
-  the appropriate SSL warning options. See <a href="ssl_help.xhtml">Privacy
-  &amp; Security Preferences - SSL</a> for details.</p>
+  notified when you send or receive information without encryption, or to
+  block potentially harmful mixed content, select the appropriate SSL warning
+  and mixed content options. See <a href="ssl_help.xhtml">Privacy &amp;
+  Security Preferences - SSL</a> for details.</p>

 <p>[<a href="#using_certificates">Return to beginning of section</a>]</p>