Link to the “plugin version blacklist” bug from bullet 1.

Done. The page with specific instructions for Windows users on keeping plugins up-to-date also mentions this bug.

Given that this is a page explicitly for Firefox users, bullet 3 is unnecessary. Perhaps that point could be made in the introduction?

Good point. I moved it to the introduction for that section.

I’m not sure 4 and 5 are really practical for your average user. The mode of browsing involved (every time you visit a new site, you need to enable script, Flash and Java) is unlikely to work for them. Firstly, they’ll soon get bored of having to turn them on for each new site they visit. Also, if they visit a new site and get some sort of error, the first thing they will do is turn on all those things to see if it goes away – so there’s lots of inconvenience, but not really any protection.

I shortened this section and added the following sentence:

“Of course, this requires you to make decisions such as “should I trust this site to run JavaScript?” frequently when you visit new sites, and if your answer is always “yes”, it doesn’t protect you much.”

Your point about OSes should come before the one about AV software…

Switching OSes is more effective against today’s widespread attacks than installing AV software, but it’s also a lot harder. Depending on the OS you want to switch to, you might even have to purchase new hardware.

… and the one about AV software should say “If you stick with Windows, …”

I’m not sure I agree; viruses can strike other platforms. I think I’ll add something to the point about switching operating systems instead. Something like “Because attacks against Mac users are so infrequent, a Mac user without anti-virus software is quite a bit safer than a Windows user with anti-virus software.”

“On Windows, Mac and Linux…” is fairly redundant in section 2. Yes, perhaps there are some highly specialised OSes where this is not necessarily true, but isn’t that being a bit pedantic?

I originally had this in there as a reminder that not only Firefox but also operating systems can make changes to improve security. But you’re right, it does sound more pedantic than hopeful. I took it out and added this to the bottom of the section:

“(Hopefully, future operating systems will make it safe to download and install software by separating programs from each other and from your documents.)”

People probably won’t understand the word “native”; perhaps best to just remove it.

Ok.

In fact, perhaps it would be good to have a “Windows-specific” section, including the AV, double-clicking and extensions advice?

I don’t think so.

The domains and hostnames section should like both to the “make hostname bold” bug, and to a Bugzilla bug which advocates making this a normal part of Firefox.

Is this feature request in Bugzilla yet?

I think there’s also a case for hiding the protocol. (We already have an option for this.) It would help when and if we implement security UI which shows bad HTTPS connections as if they were plain HTTP – because the “s” wouldn’t be there to confuse. For that reason, I think recommending looking for the “s” (as opposed to the lock or the gold bar) is bad.

We already have an option for hiding the protocol in the address bar, aside from installing Locationbar²? I didn’t know that.

I assume you’re referring to the first proposal in bug 327181. I hope we don’t do that; see comment 14 in the bug.

The status bar is always-on; people should check that (for secure sites) to avoid chrome spoofing. As we seem to have lost the battle on this one, though, we should switch the address bar to be always-on, and if the page requests that it be hidden, replace the editable version with a read-only version which displays only the hostname. This is neater without being a risk (in fact, it’s less risky, as sites can’t use other URL parts to obfuscate.)

I did mention that in the section on chrome spoofing. I agree that we should make that change to Firefox (making the entire section moot). I’m not sure I agree about showing only the hostname, though; it would be inconsistent with a normal Firefox window and it would be harmful in instances where a MySpace profile displays a fake MySpace login page.

I don’t think we should always show the hostname in the status bar; that devalues it as a security indicator, because we are showing untrusted data.

Whether you consider the hostname to be “untrusted data” depends on how much certainty you need at the moment and on how much you trust your Internet connection. I feel that the current UI ties “don’t force users to parse URLs and hostnames in their head” to https, and I don’t like that. Maybe we should revisit this argument when I’m happier with the address bar UI.

You should make it clear which of the long-standing holes/tradeoffs are problems with all browsers.

I added some “Safari is not vulnerable”, etc. I did it mostly from memory; hopefully I got it right.

Unfortunately, this makes the page seem a little unfair to Firefox, since it doesn’t talk about long-standing holes in other browsers that Firefox doesn’t have.

Thanks for the detailed comments :)

I realise that explaining all of the more ‘geeky’ terms would make the document much more ‘wordy’ and put some people off, but there are some fairly technical terms in there that just aren’t in common English usage yet. Maybe you need some form of glossary page, or perhaps just making use of title attributes to give expansions/explanations on mouse-hover?

For instance, picking on a couple of (fairly) random paragraphs I know that my Mother isn’t going to have a clue what a “URL” or a “domain” is, or what a “man-in-the-middle attack” is, or what a “router” is and what it has to do with connecting to a webpage.

- Number the bullets and sections so I can refer to them more easily :-)

- Link to the “plugin version blacklist” bug from bullet 1.

- Given that this is a page explicitly for Firefox users, bullet 3 is unnecessary. Perhaps that point could be made in the introduction?

- I’m not sure 4 and 5 are really practical for your average user. The mode of browsing involved (every time you visit a new site, you need to enable script, Flash and Java) is unlikely to work for them. Firstly, they’ll soon get bored of having to turn them on for each new site they visit. Also, if they visit a new site and get some sort of error, the first thing they will do is turn on all those things to see if it goes away – so there’s lots of inconvenience, but not really any protection.

- Your point about OSes should come before the one about AV software, and the one about AV software should say “If you stick with Windows, …”.

- “On Windows, Mac and Linux…” is fairly redundant in section 2. Yes, perhaps there are some highly specialised OSes where this is not necessarily true, but isn’t that being a bit pedantic?

- People probably won’t understand the word “native”; perhaps best to just remove it.

- In fact, perhaps it would be good to have a “Windows-specific” section, including the AV, double-clicking and extensions advice?

- The domains and hostnames section should like both to the “make hostname bold” bug, and to a Bugzilla bug which advocates making this a normal part of Firefox.

- I think there’s also a case for hiding the protocol. (We already have an option for this.) It would help when and if we implement security UI which shows bad HTTPS connections as if they were plain HTTP – because the “s” wouldn’t be there to confuse.

- For that reason, I think recommending looking for the “s” (as opposed to the lock or the gold bar) is bad.

- The status bar is always-on; people should check that (for secure sites) to avoid chrome spoofing. As we seem to have lost the battle on this one, though, we should switch the address bar to be always-on, and if the page requests that it be hidden, replace the editable version with a read-only version which displays only the hostname. This is neater without being a risk (in fact, it’s less risky, as sites can’t use other URL parts to obfuscate.)

I don’t think we should always show the hostname in the status bar; that devalues it as a security indicator, because we are showing untrusted data.

- You should make it clear which of the long-standing holes/tradeoffs are problems with all browsers.

Gerv