On Thu, Apr 30, 2015 at 5:57 PM, <diaf...@gmail.com> wrote:
> Here's two relevant Bugzilla bugs:
>
> Self-signed certificates are treated as errors:
> https://bugzilla.mozilla.org/show_bug.cgi?id=431386
>
> Switch generic icon to negative feedback for non-https sites:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1041087
>
> Here's a proposed way of phasing this plan in over time:
>
> 1. Mid-2015: Start treating self signed certificates as unencrypted
> connections (i.e. stop showing a warning, but the UI would just show the
> globe icon, not the lock icon). This would allow website owners to choose
> to block passive surveillance without causing any cost to them or any
> problems for their users.
>
I think you're over-focusing on the lock icon and not thinking enough about the referential semantics. The point of the https: URI is that it tells the browser that this is supposed to be a secure connection, and the browser needs to enforce this regardless of the UI it shows.

To give a concrete example, say the user enters his password in a form that is intended to be submitted over HTTPS and the site presents a self-signed certificate. If the browser sends the password, then it has possibly compromised the user's password even if it subsequently doesn't show the secure UI (because the attacker could supply a self-signed certificate).

-Ekr

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
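The principle in the reply above is that an https: URL is a promise the client must enforce before any bytes of the request leave the machine, not a hint for the UI. The following is an added illustration, not code from the thread or from Mozilla, showing how that looks in a plain Python TLS client: the default `ssl` context already refuses unverified certificates and mismatched hostnames, the "just accept self-signed" shortcut silently removes both checks, and a submission guard refuses to send credentials to an https: URL unless the context still enforces them. The function names (`is_context_enforcing`, `downgraded_context`, `plan_submission`) and the `InsecureSubmission` exception are assumptions made for this example.

```python
import ssl
from urllib.parse import urlsplit


class InsecureSubmission(Exception):
    """Raised when credentials would be sent without certificate verification."""


def is_context_enforcing(ctx: ssl.SSLContext) -> bool:
    """True only if the context rejects unverified certificates and checks the hostname.

    Either check missing means a self-signed (attacker-supplied) certificate would be
    accepted and the request body sent before anything is shown to the user.
    """
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def downgraded_context() -> ssl.SSLContext:
    """The common 'make the self-signed warning go away' shortcut (constructed for this example)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # accepts any certificate, including a MITM's
    return ctx


def plan_submission(url: str, ctx: ssl.SSLContext) -> tuple[str, int]:
    """Decide whether a credential-bearing form post to `url` may proceed.

    Returns (host, port) for the connection to open.  Raises InsecureSubmission
    when the URL's https: scheme would not actually be enforced by `ctx`, so the
    password is never handed to a socket whose peer was not verified.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Plain http: carries no security promise; a client sending credentials
        # here is leaking them by design, so refuse as well.
        raise InsecureSubmission(f"refusing to send credentials over {parts.scheme}:")
    if not is_context_enforcing(ctx):
        raise InsecureSubmission("https: URL but TLS context does not verify the peer")
    host = parts.hostname
    if not host:
        raise InsecureSubmission("URL has no host")
    return host, parts.port or 443


if __name__ == "__main__":
    good = ssl.create_default_context()
    print(plan_submission("https://example.test/login", good))      # ('example.test', 443)
    try:
        plan_submission("https://example.test/login", downgraded_context())
    except InsecureSubmission as e:
        print("blocked:", e)
```

The guard runs before `ctx.wrap_socket` is ever called, which is the point of the reply: the decision to enforce verification belongs to the scheme in the URL, and a UI indicator shown afterwards cannot undo a body that was already transmitted to an unverified peer.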