Created attachment 8688039 [details] Is this page secure or not? The Fennec awesomebar needs to either hide or clearly separate the favicon out of the address bar. Firefox (Desktop) only shows the favicon for bookmarks and the like, and never shows it in the address bar. Other mobile browsers behave the same way. This makes it very clear what the security status of a website is. See attachment for demonstration of this vulnerability. If you know what you're looking for -- namely, the lack of the globe and the missing grayed out https -- you can tell that it's not a secure resource. But I would hazard a guess that 90% of Fennec users would mistakenly think that the URL was secure when it was not.
(that should read that you _can't_ tell that it's not a secure resource)
Unlike the real lock icon, tapping on this icon won't say your connection is secure. But this is an issue that has come up in the past, maybe we need to revisit the decision to display favicons in the toolbar.
Sure, but I don't think many users think to tap the lock icon, especially when there are no other errors present.
This is a dupe of bug 1018994, I believe.
Ah yes, it totally is, although it doesn't use the actual Fennec lock icon. I missed that in my bugzilla search, when working on badssl.com. We can mark this a duplicate if you wish, but it really should get fixed (imo). sworkman: Given that it's now been an open and unfixed security bug for 2 years now, any problems with me adding it to the badssl.com website?
I guess since it's a known issue already per comment #4 we can dup this to bug 1018994. Re: putting on badssl.com, I think the Fennec folks would appreciate more time to decide how and when they're going to fix it.
Moved NI to the other bug.