> On 19 Dec 2014, at 23:37, 'Tyler Larson' via Security-dev <security-dev@chromium.org> wrote:
>
> In current implementations, there's no signaling by the browser to say "this site isn't encrypted." There's the *absence* of signaling about security, but that's not the same thing as positively saying that a site was delivered over an insecure channel.
This is why some websites get away with changing their favicon to a lock, or even showing a lock image on the page ("see our site is secure")... It's much easier than buying a certificate :-P
It would be better if there was something in the browser... e.g. a red unlocked padlock, with a cross over it, where an HTTPS site either shows a gold/green locked icon, or nothing at all (as the browser doesn't know if the website has other security problems)... then there would be a consistent/better indicator of the connection state.
Craig