Closed Bug 263182 Opened 20 years ago Closed 19 years ago

Page Info (Security tab) doesn't explain mixed secure/insecure

Categories

(Firefox :: Page Info Window, defect, P1)

Tracking

RESOLVED FIXED
Firefox1.5

People

(Reporter: nmichalu, Assigned: Gavin)

Details

(Keywords: fixed1.8, Whiteboard: [sg:nse][l10n impact])

Attachments

(2 files, 1 obsolete file)

User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041006 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041006 Firefox/0.10.1

In HTTPS sites that are set up so that some of the information is properly coming through HTTPS but some of the info comes through insecure HTTP, the lock icon changes to one with a slash in it (it didn't do that in previous releases - good job!). However, when you click on the lock to find out WHY this is the case, there is no information, just the normal identity verified and connection encrypted messages. There should be, in this special case, a little explanation as to why the lock icon has the slash through it, and perhaps even a dialogue for the user the first time such a situation is encountered.

Reproducible: Always

Steps to Reproduce:
1. Visit an HTTPS site where some of the elements come from a standard HTTP connection
2. Click on the lock icon with the slash through it
3. Notice there is no mention as to WHY that slash is there

Actual Results: normal identity verified and connection encrypted messages

Expected Results: same but also mentioned that the page contained some insecure items and this was the source of the broken lock
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: If HTTPS site contains both secure and insecure items, lock does change to broken but no info if clicked → Page Info (Security tab) doesn't explain mixed secure/insecure
*** Bug 284658 has been marked as a duplicate of this bug. ***
Is this really a Firefox bug? Doesn't this dialog come from PSM, or does Firefox have its own version? I bet the Suite has the same problem.
Flags: blocking-aviary1.1?
Whiteboard: [sg:fix]
Flags: blocking-aviary1.1? → blocking-aviary1.1+
I'm fairly certain pageinfo is forked, so it's a Firefox bug with a parallel SeaMonkey bug.
Page Info is forked, but they both use the same overlay ( http://lxr.mozilla.org/seamonkey/source/security/manager/pki/resources/content/PageInfoOverlay.xul ). I'm thinking that adding a description for mixed content should be relatively easy. This probably belongs in Core:Security UI, but I'll leave it as is for now.
Assignee: bugs → gavin.sharp
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → Firefox1.1
Version: unspecified → Trunk
Status: NEW → ASSIGNED
Does anyone have a link to a mixed content page for testing?
Any XUL attachment with a chrome://global/skin stylesheet will trigger it.
(In reply to comment #6)
> Any XUL attachment with a chrome://global/skin stylesheet will trigger it.

That doesn't seem to be the case, see for example attachment 142844 [details].
Attached file mixed content testcase (deleted) —
I'm not going to be able to do this any time soon.
Assignee: gavin.sharp → bugs
Status: ASSIGNED → NEW
Mike: you're in charge of deciding what this should say, then find someone to do any code changes required.
Assignee: bugs → mike
Whiteboard: [sg:fix] → [sg:fix][l10n impact]
Flags: blocking-aviary1.5+ → blocking1.8b4?
Suggested text for mixed content pages -- the last line is an existing entity, and we can reuse it in order to minimize l10n impact:

---------------------------------------------------------------
<b>Connection Partially Encrypted</b>

Parts of the page you are viewing were not encrypted before being transmitted over the Internet.

Information sent over the Internet without encryption can be seen by other people while it is in transit.
---------------------------------------------------------------

Is this too harsh? I can't think of many valid, well-designed sites that are only partially encrypted, but if there are such cases, we can add a bit about how sometimes these sites are still trustworthy.

(I don't think we need a dialog, since there already is a "This page contains some secure and some insecure items" popup IIRC which has a checkbox to make it always go away)
Status: NEW → ASSIGNED
Attached patch Patch implementing provided text (obsolete) (deleted) — Splinter Review
Comment on attachment 193865 [details] [diff] [review]
Patch implementing provided text

Thanks for the patch, Gavin. Looks good to my untrained eye, can we get a review?
Attachment #193865 - Flags: review?(kaie.bugs)
Comment on attachment 193865 [details] [diff] [review] Patch implementing provided text > pageInfo_StrongEncryption=Connection Encrypted: High-grade Encryption (%S %S bit) > pageInfo_Privacy_Strong1=The page you are viewing was encrypted before being transmitted over the Internet. > pageInfo_Privacy_Strong2=Encryption makes it very difficult for unauthorized people to view information traveling between computers. It is therefore very unlikely that anyone read this page as it traveled across the network. > pageInfo_WeakEncryption=Connection Encrypted: Low-grade Encryption (%S %S bit) > pageInfo_Privacy_Weak1=The web site %S is using low-grade encryption for the page you are viewing. > pageInfo_Privacy_Weak2=Low-grade encryption may allow some unauthorized people to view this information. >+pageInfo_MixedContent=Connection Partially Encrypted >+pageInfo_MixedContent_Detail=Parts of the page you are viewing were not encrypted before being transmitted over the Internet. Nit: Looks as if pageInfo_Privacy_Mixed1 would be a more consistent name here. >+ var isBroken = null; Nit: Booleans are false, not null. > return { > hostName : hName, > cAName : issuerName, > encryptionAlgorithm : status.cipherName, > encryptionStrength : status.secretKeyLength, >- cert : cert >+ cert : cert, >+ isBroken : isBroken > }; Nit: isBroken belongs next to encryptionStrength
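Review bot: In the hunk that declares "var isBroken = null;" and returns it in the security-info object, the default is falsy, so any path that reaches the return without assigning isBroken will describe a mixed-content page with the pageInfo_Privacy_Strong1/2 or pageInfo_Privacy_Weak1/2 text. Confirm that isBroken is set from the browser's broken-security state on every path before the return, and have the caller test isBroken before it branches on encryptionStrength so that pageInfo_MixedContent takes precedence over the strong and weak messages.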
Attachment #193865 - Flags: superreview+
Flags: blocking1.8b4? → blocking1.8b4+
Attachment #193865 - Attachment is obsolete: true
Attachment #193950 - Flags: superreview+
Attachment #193950 - Flags: review?(kai.engert)
Comment on attachment 193950 [details] [diff] [review]
Patch with Neil's comments addressed

r=kaie
Attachment #193950 - Flags: review?(kai.engert) → review+
Trunk:
Checking in locales/en-US/chrome/pippki/pippki.properties;
/cvsroot/mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties,v <-- pippki.properties
new revision: 1.3; previous revision: 1.2
done
Checking in pki/resources/content/PageInfoOverlay.xul;
/cvsroot/mozilla/security/manager/pki/resources/content/PageInfoOverlay.xul,v <-- PageInfoOverlay.xul
new revision: 1.21; previous revision: 1.20
done
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attachment #193865 - Flags: review?(kaie.bugs)
Attachment #193950 - Flags: approval1.8b4?
Whiteboard: [sg:fix][l10n impact] → [sg:fix][l10n impact][needs approval]
Attachment #193950 - Flags: approval1.8b4? → approval1.8b4+
Whiteboard: [sg:fix][l10n impact][needs approval] → [sg:fix][l10n impact]
1.8 Branch:
mozilla/security/manager/locales/en-US/chrome/pippki/pippki.properties; new revision: 1.2.6.1;
mozilla/security/manager/pki/resources/content/PageInfoOverlay.xul; new revision: 1.20.20.1;
Keywords: fixed1.8
Whiteboard: [sg:fix][l10n impact] → [sg:nse][l10n impact]
*** Bug 260127 has been marked as a duplicate of this bug. ***
See bug 251123, which requests better user interface feedback when hovering over the lock icon.
Assignee: beltzner → gavin.sharp