Closed Bug 652492 Opened 13 years ago Closed 8 years ago

Site identity block indicators are valid only for the main document, not for subresources

Categories

(Core Graveyard :: Security: UI, defect)

RESOLVED WONTFIX

People

(Reporter: briansmith, Unassigned)

From Bug 621459 Comment 2:

> You put up warnings for "mixed secure and insecure
> content" and you should. But you have NOTHING if
> the embedded content is signed by anyone as long
> as the CA chain is OK. If github.com was signed
> by GoDaddy, but the images by the Turkish CA,
> and the JavaScript (which could replace the page)
> was signed by HK, something would be really wrong.
> But there would be no indication whatsoever.

Similar concerns apply to EV/DV indicators and to the name shown in the site identity block. It is misleading to have the EV indicator (green) for a site where some subresources are not secured with EV certs, or to say "Foo Corporation (US)" when there are multiple companies' content (e.g. google-analytics) on the page.
I just want to reiterate what is implied if one of those subresources is JavaScript. As long as the CA is valid, it could rewrite the entire main page and probably redirect form content with the main bar still a green EV cert. Others have noted revocation is mostly broken so it compounds the problem. If someone hijacks a site with a valid cert and just modifies the base "secure" web page they wouldn't have to connect back to the original site to retrieve data (which might even be stored securely), but they could just add some hostile JavaScript pointing to any host anywhere with any recognized cert. There is no point in having better certs if an embedded site of lower or even equal trust can rewrite and/or replace the entire page.
What the site identity block says is "the trust for elements on this page ultimately comes from here". That is, if subresources use certificates from different CAs, the data that caused those subresources to be fetched ultimately came from the one certificate. That's about as useful as the site identity block can be without dumping out a list of certificates and saying, "well, here's all the certificates I saw while loading this page. Good luck making any kind of informed decision of trust." Note that the networking panel does actually show this information. If a user is interested in collecting this information in a more easily-accessible way, developing an add-on would probably be best as this isn't a widely-applicable use-case.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard