User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a9pre) Gecko/2007110103 Minefield/3.0a9pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a9pre) Gecko/2007110103 Minefield/3.0a9pre

These are probably two bugs.

First, if you view a partially encrypted page there is no info about the used encryption for the base page like for fully encrypted pages. Is this intended behaviour? Sometimes I like to see the encryption for partially encrypted pages but this information is not shown at all.

Second, "Larry" says "not encrypted" for partially encrypted pages. In my eyes this is simply wrong.

Reproducible: Always

Steps to Reproduce:
View the mentioned page.
Double click on the crossed lock. You see no encryption type.
Click on "Larry". "Larry" says "not encrypted" which is wrong.

Actual Results:
No encryption shown for partially encrypted pages. "Larry" says "not encrypted".

Expected Results:
Encryption shown at least for the base page. "Larry" should say "partially encrypted".
I think too that it should say "partially encrypted" or maybe "not fully encrypted". I guess it depends on if you see the glass as half full or half empty.
The question I have is whether changing the behaviour in this case would help users make better decisions. "Partially encrypted" is more technically accurate, but does it matter? Let's take Jo's example in comment 1. In this case, an otherwise https site includes script from an http source. So we would say "partially encrypted" to what end? To tell users things are "probably" okay? I think that's not the message we want to provide. One http script is enough to totally rewrite the page with arbitrary content. So they are certainly not "safe from eavesdropping." Nor do they have any guarantee that the content hasn't been tampered with. Basically, the promises we can make are precisely those that we could make with http, which is to say, none in particular. Now, if we had bug 62178 supported, so that we could block http content in an https page load, we'd be in a much better spot, because these sites could be presented with only their https content, at which point they could be trusted like other SSL content. I understand that the current text is inaccurate, but I would hesitate to put more accurate text in there if it made it harder for users to make good decisions. Maybe if we talked in terms of "This site uses broken encryption" or otherwise suggested that really, things were no better than http... Of course, from page info, you can still inspect the certificate, and I agree that that is surprising and inconsistent. If we can find a way to fix that part without letting more truth act as a misleading influence, I'm all for it.
Talking about "broken encryption" seems good, it would be consistent with the broken lock displayed in the status bar. I think telling something about this in the UI can help the user to make better decisions. I personally think that a partially encrypted page is more alarming than a page with a certificate that is self-signed or expired by only a few days. It indicates that the site tried to protect the data you are viewing (probably because there is personal data included in the page) and failed.
In Internet Explorer 8, it gives you the option to "view only the webpage that was delivered securely" or to view the whole webpage (with both secure and unsecure material). Is there a way to do that in Firefox or could it be implemented?
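The thread's points that a single http script undoes an https page, and that a browser could show only the securely delivered content, can be checked offline. The sketch below is an added example, not part of the bug thread and not Firefox code. It lists the http subresources on an https page, which are the loads a "secure content only" mode would have to drop. The tag list, the sample page, the `example.test` hosts and the verdict strings (borrowed from the wording suggested in the comments) are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: illustrative, non-exhaustive map of (tag, attribute) pairs that
# load subresources. "active" ones can script or restyle the whole page.
LOADERS = {("script", "src"): "active", ("iframe", "src"): "active",
           ("object", "data"): "active", ("embed", "src"): "active",
           ("img", "src"): "passive", ("video", "src"): "passive",
           ("audio", "src"): "passive", ("source", "src"): "passive"}

# Constructed sample page, assumed to be served from PAGE_URL.
PAGE_URL = "https://shop.example.test/account"
SAMPLE = """<html><head>
<link rel="stylesheet" href="/site.css">
<script src="http://cdn.example.test/lib.js"></script>
</head><body>
<img src="//img.example.test/logo.png">
<img src="http://img.example.test/banner.png">
</body></html>"""


class SubresourceCollector(HTMLParser):
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.found = []  # (kind, absolute URL) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for name, value in attrs.items():
            kind = LOADERS.get((tag, name))
            rel = (attrs.get("rel") or "").lower().split()
            if (tag, name) == ("link", "href") and "stylesheet" in rel:
                kind = "active"
            if kind and value:
                # Resolve relative and scheme-relative URLs against the page.
                self.found.append((kind, urljoin(self.base_url, value.strip())))


def audit(page_url, html):
    """Return (verdict, insecure); insecure lists (kind, url) fetched over http."""
    if urlparse(page_url).scheme != "https":
        return "not encrypted", []
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    collector.close()
    insecure = [(k, u) for k, u in collector.found if urlparse(u).scheme == "http"]
    # Any http subresource downgrades the whole page, as argued in the thread.
    return ("broken encryption" if insecure else "encrypted"), insecure
```

Calling `audit(PAGE_URL, SAMPLE)` reports the page as "broken encryption" and names the script and the banner image; the scheme-relative logo and the relative stylesheet inherit https from the page and are not flagged.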