Closed Bug 315141 Opened 19 years ago Closed 8 years ago

simpler tooltip message for SSL lock icon

Categories

(Core Graveyard :: Security: UI, defect)

All
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: beltzner, Unassigned)

Details

(Whiteboard: [kerh-ehz])

(forked from bug 251123)
The tooltip messages for the SSL lock icon are a little text-heavy and rely on words ("signed", "verified", "encrypted") that are not likely to mean a lot to users unfamiliar with security concepts. (I'm not sure that the tooltip is the best place to be educating people about those terms, and we in fact do a decent job of education in the Page Info/Security dialog.)
As originally suggested in bug 251123 comment 36, I suggest that we move to:
lock: "This page is secure (%S)"
slashlock: "This page is partially secure"
What does "is secure" mean? Does it mean that the page doesn't contain any forms or links that go to a fraudulent phisher's site? (no) Does it mean that the data you fill into the form will be sent encrypted? (no)
IMO, we shouldn't make broader claims than are true. SSL tells us only information about how we received the content, not about the content itself.
- It tells us that the cert issuer assures us that the content came from the source named in the cert (not some other party), and
- it tells us that the content was encrypted (protected from eavesdropping) and was not altered while in transit from that source to us.
Note that some people think that it is important (for liability reasons) to tell users that the assurer is the cert issuer and not mozilla (.org, foundation, or corporation).
(In reply to comment #2)
> Does it mean that the data you fill into the form will be sent encrypted? (no)
It does mean that we will warn you and give you a chance to cancel an unencrypted form submit (a warning dialog that cannot be turned off). But that's only if the page is playing by the normal rules. If the site wants to intentionally expose your data there are an endless number of ways they could do that including printing it in the newspaper.
And we are NOT able to catch all kinds of form submit! This is long known and documented in another bug. The form submit warning can be suppressed using the following trick, that was even used in practice by a large webmail provider. Look here for an example of how to do it:
https://kuix.de/misc/test24/secure-to-insecure.php
The only way we can solve this kind of problem is by solving bug 62178.
Whiteboard: [kerh-ehz]
"Is secure" isn't meant to be a technically accurate term. What it needs to do is communicate the idea that it is more likely than not that the user is in a safe place (or a safer place). If we can't guarantee that with some degree of certainty, then I somewhat question the point of putting a lock and yellow URL bar there in the first place.
I do understand your hesitation, though. In light of comment 2, how about:
- Click here for security information
- This page is encrypted (This page is partially encrypted)
- Secure connection
I know it's a bit of at-straw-grasping, but we should be doing our best to bridge between the horribly complex world of internet security and our poor users who want to know when it's more likely than not safe to enter their credit card information.
QA Contact: ui
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard