News
Blogs
Shark Bait
Knowledge Centers
Opinion
Webcasts
Video
Podcasts
IT Careers
White Papers
Computerworld Reports
Zones
Case Study Library
RSS Feeds
Events
Industry
This Week in Print
Print Subscriptions


Ads by TechWords

See your link here


Michael Horowitz's picture
Michael Horowitz

Defensive Computing

More posts | Read bio

February 19, 2009 - 12:56 P.M.

Make Firefox flag secure web pages as green

10 comments

I love Firefox, but it's far from perfect. As someone interested in Defensive Computing one of the biggest drawbacks to version three is that the address bar does not change color when viewing a secure web page (HTTPS as opposed to HTTP). Version 2 used to change to yellow, but version 3 doesn't change colors at all.  

Reports from the Black Hat security conference about new software that attacks secure web pages make this all the more important.

The new software, called "SSLstrip" by its developer Moxie Marlinspike, does a man-in-the-middle attack. It can go so far as to forge secure web pages. However, in a demonstration of the software, the developer didn't even bother with that, he simply changed secure HTTPS pages into insecure HTTP pages and many users didn't notice.

Non-techies can't be expected to train themselves to look for HTTPS rather than HTTP in the browser address bar. And while a lock icon is also used to indicate a secure page, the location of the lock varies with different browsers and the lock icon can be forged.

Web browsers need to indicate secure pages in a more intuitive way and do it where the user is already paying attention, the address bar. To that end, we can force Firefox 3 to show all HTTPS based pages with a green address bar.

Doing so, in Windows versions of Firefox, requires a file called userChrome.css that contains the two lines of code below.

#urlbar[level] .autocomplete-textbox-container
{ background-color: #D0F2C4 !important; }

The hard part is putting the file in the right place.

In Windows XP and 2000 go to:

C:\Documents and Settings\[User Name]\Application Data\
Mozilla\Firefox\Profiles\xxxxxxxx.default\chrome\

In Windows Vista go to:

C:\Users\<[User Name]>\AppData\Roaming\
Mozilla\Firefox\Profiles\xxxxxxxx.default\chrome

The Xs represent randomly generated characters. You may have first configure Windows to show hidden and/or system files.

Portable Firefox users should go to

X:\somefolder\Data\profile\chrome

Where X:\somefolder is the folder where the portable version of Firefox resides.

A sample userChrome.css file is provided at the bottom of this blog posting. Download this file to the correct folder, rename it (remove the .txt at the end) and you're done.

Alternatively, there may be a file in the target folder called userChrome-example.css that can be used as a model. Either rename it userChrome.css or, better yet, make a copy of it and rename the copy to userChrome.css. Then edit this new userChrome.css file with a text editor and add the two lines above.

This is the same green (#D0F2C4) that Internet Explorer 7 uses. However, IE7 frequently does not turn green on secure pages (I don't know the exact rules for this and as a devoted Firefox user, I don't care) whereas this zap makes the Firefox address bar green on all secure pages.

I'm going to try this is in a couple Linux distributions and will report back. If any Mac users read this, please leave a comment as to how well it works under OS X and what the target folder is.

AttachmentSize
userChrome.css_.txt359 bytes

What People Are Saying

Add new comment

I want to make my Firefox do

Submitted by Ben on April 5, 2009 - 10:55 P.M.

I want to make my Firefox do this, but I can't find the folder on my hard drive. I'm running Windows Vista and I followed the instructions to find the folder, but it was named a bit differently and was empty as well, no Firefox folder. Will reinstalling Firefox help? Or is there a specific version that I need?

Reply | Report this comment

This works in Vista

Submitted by Anonymous on April 7, 2009 - 8:23 P.M.

This does work in Vista, perhaps you have to first tell the OS not to hide system and hidden files/folders.

Reply | Report this comment

Thanks for the OS X testing

Submitted by Michael Horowitz on February 25, 2009 - 11:15 P.M.

Thanks Brian for testing this in OS X. I'm not a Mac person.

Reply | Report this comment

I meant Michael, not David

Submitted by Brian on February 25, 2009 - 4:51 P.M.

Michael, sorry I got your name confused in my last two posts.

Reply | Report this comment

your solution for Unbuntu and Mint works for Mac too

Submitted by Brian on February 25, 2009 - 4:48 P.M.

David, after I made my posting below I noticed your other article that gives a green bar solution for Unbuntu and Mint:

http://blogs.computerworld.com/make_firefox_flag_secure_web_pages_in_ubuntu_and_mint

To works for the Mac too! Thanks!

Reply | Report this comment

no green bar option for Firefox 3 on OS X

Submitted by Brian on February 25, 2009 - 4:39 P.M.

David, I introduced myself to you at the end of the nypc meeting last Thursday where you talked about this issue.

Thanks to the other person who posted their approach using Stylish. However, I tried the suggested solution using Stylish with Firefox version 3 and, while it worked on my Windows XP machine, it didn't quite work on my Mac (OS X leopard). Instead it resulted in a not very noticable green outline around the address bar and failed to color the text space green. It looks like the green is ending up as a background underneath the address bar where the user can't see it (except for what sticks out around the edges of the bar). The same thing happened when I applied the fix as a css instead. So much for cross-platform compatibility.

I searched for a solution but nothing yet.

Reply | Report this comment

Blue vs Green

Submitted by Anonymous on February 19, 2009 - 7:54 P.M.

Firefox has two levels of ssl certificates the blue to the left of the address bar is for the more commonly available CA verified (and self signing certificates only if you accept it). It does show the green in the same area (left of the address bar) if you get the Extended Validation Certificate, which are do more vetting of the site and also have a smaller trust base on Certificate Authorities.

One simplification is the blue will tell you that your communication is encrypted, the green tells you it is encrypted and the person at the other end is known to be this person (and say who said person was). Their have been some proof of concepts where you can set up a connection using man in the middle techniques with the older style, but still look encrypted since the middle site will encrypt the data from you to them.

Reply | Report this comment

Here are 3 examples Green

Submitted by Biju on February 27, 2009 - 12:15 A.M.

Here are 3 examples

Green colored bar with the name of the owner
https://addons.mozilla.org/en-US/firefox/

Blue normal certificate
https://bugzilla.mozilla.org/

Has SSL but broken site
https://www.wachovia.com/

Reply | Report this comment

Examples of site id button

Submitted by Michael Horowitz on February 28, 2009 - 4:41 P.M.

Biju - these are great examples, but they illustrate more the site identification button rather than the color of the address bar. In all cases the address bar displayed in green (at least for me).

I blogged about the site id button here
http://news.cnet.com/8301-13554_3-9974672-33.html

The Wachovia home page is very interesting indeed, thanks for pointing it out. Firefox says part of the page is encrypted and part is not. I hadn't ever seen the site id button act this way (neither blue nor green) before and I've been using the expanded version of it for a long time. It does not inspire confidence in Wachovia.

Reply | Report this comment

Michael, Thanks for this

Submitted by James on February 19, 2009 - 2:54 P.M.

Michael,
Thanks for this tip.

A much easier solution to installing this, is to download and install the Stylish add-on (https://addons.mozilla.org/en-US/firefox/addon/2108), which itself takes only a couple of mouse-clicks, then cut'n'paste the two highlighted lines in your article into Stylish.

Since I had Stylish already installed, it took me all of about 10 seconds to have your tip up and running. It would have been even quicker, but it took me a few seconds to enter a title ("Green address bar") for the style!

Reply | Report this comment

Related Posts

Are you competent to run Windows safely?
More issues with the Video ActiveX Control flaw workaround
It's time to get rid of Windows
How Twitter was killed

Editor's Picks

Attacks likely against Windows, PowerPoint, researchers say

Google Buzz takes the fight to Facebook, Twitter

Chinese artist-dissident lauds Google plan to stop censoring

Micron acquires flash memory maker Numonyx

Judge dismisses Windows anti-piracy software lawsuit

New Russian botnet tries to kill rival

About Us Advertise Contacts Editorial Calendar Help Desk Jobs at IDG Privacy Policy Reprints Site Map
CIO Computerworld CSO DEMO GamePro Games.net IDC IDG IDG Connect IDG Knowledge Hub IDG TechNetwork IDG Ventures
IDG.net InfoWorld ITwhitepapers ITworld JavaWorld LinuxWorld Macworld Network World PC World The Industry Standard
Copyright © 1994 - 2010 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of
Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.