Mozilla Improves Firefox's Certificates Visibility

Martin Brinkmann
May 13, 2012
Updated • May 13, 2012

Mozilla back in Firefox 14 introduced a change to the browser's address bar, or more precisely to the information displayed therein. If you are not yet on the Firefox Aurora channel, which happens to be Firefox 14 at the time of writing, you have probably not come into contact with the change yet.

The two core changes introduced in Firefox 14 are the removal of the favicon from the address bar of the browser, and a change to how certificates are displayed in the browser.  The favicons have been removed in an attempt to protect Firefox users from sites that try to look legit by using the secure site icon as their favicon.

The second change modified the way secure sites were displayed in the browser's address bar. Instead of going overboard with colors, the designers decided to only use colors for SSL certificates with extended validation.  What made matters worse, at least from a visibility point of view was that the same icon was used for regular and mixed content sites. A mixed content site is a site that is loading contents from secure and regular sites.

Mozilla has changed this behavior in the latest nighly versions of Firefox. Mixed content sites are now being highlighted with their own icon, a yellow triangle with a white exclamation point.

Regular websites are still displayed with the globe icon in front. It is not really clear why there needs to be an icon in front of regular sites, as the icon's only purpose is to provide users with a two-click shortcut to the site's information panel. If the developers want to be consistent with the removal of the http:// protocol from the address bar, they should consider removing the globe as well.

regular websites

SSL certificates with extended validation are displayed in a green font and padlock icon, which makes sites using these distinguishable from the rest.


Websites using SSL certifications without extended validation are visualized with a gray closed padlock icon.


What's your take on this change, and the visibility change introduced in Firefox 14?


Tutorials & Tips

Previous Post: «
Next Post: «


  1. MBroker said on July 19, 2012 at 12:36 pm

    All my non-EV HTTPS sites now look, well, unsecure. Is this just a ploy to push people to pay extra for EV certificates?

    Make non-EV locks blue or something. Gray just blends in and gets lost. How does something like this get into production? Don’t they have focus groups…

  2. Uhtred said on July 17, 2012 at 10:20 pm

    I use Nasa Launch Dark theme on FF which fits my system colours and provides dark scrollbars which I rather like. Having just updated to 14.0.1 I shall have to disable it pending an update…. as all favicons on URL bar render grey.. so difference in between padlocks doesn’t show clearly, whereas the old colour bars did using the theme on version 13

  3. Ken Saunders said on May 16, 2012 at 1:35 am

    For what’s it worth, I’ve just updated my add-on to reflect the changes.

  4. Gary said on May 14, 2012 at 9:42 pm

    I don’t like this change. SSL/TLS provides encryption AND identity verification. So WHY do sites that do not have extended validation not display their identity in the URL bar just like EV sites do? A non-EV site is still providing identity validation.

    This firefox change is too much like Google Chrome does. And Google Chrome got it wrong to not display identity in the URL bar.

  5. Peter (NL) said on May 14, 2012 at 12:11 pm

    Mmm, it leads towards more and more confusion to me. What about the first image you displayed ? It is a https-connection (Microsoft), but with a warning signal. What for me matters is: is a certain certificate reliable and trustworthy ? Mozilla may consider to block certificates that have a doubtful background. Certainly for a https-connection, I want (trust) to see only secure and valid certificates.

    Also the green font and padlock icon is hard to see on the screen (when I had a short look onto the Nightly version, a few weeks ago).

    1. Martin Brinkmann said on May 14, 2012 at 1:01 pm

      Peter, those are shown if a site loads both secure and standard elements.

  6. madperson said on May 13, 2012 at 10:50 pm

    favicons are only removed from the adress bar to make place for a reliable indicator of the site’s encryption – favicons are still showing up in all their beauty in the tab-bar, bookmarks & history…

  7. Keivan said on May 13, 2012 at 9:21 pm

    I think favicons are beautiful, and developers’ point of view about its security risk is not true. Even if it was true there is no incompatibility between the security features that is introduced here and the beauty of favicon. Do not remember that favicons are essential for pined apptabs where there is no title in the tab to make them identifiable.

  8. bastik said on May 13, 2012 at 7:34 pm

    What icon is displayed for local content? So the icon might be there to indicate that it’s “from the web”.

    Better than the last version of the change. I can live with it. SSL could be more prominent. e.g. with the domain name.

    We probably should wait for beta or something.

    BTW: You could change your favicon to a padlock, FF users with auto-update might think they got the new version already.

    Would be interesting if they improve the displayed information, when you click on the icon.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.