Reply to post: Why no warning for HTTP?

Google boffins PROVE security warnings don't ... LOOK! A funny cat!

Anonymous Coward

Why no warning for HTTP?

HTTPS with a bad or self-signed certificate is better than HTTP - it's protected from passive sniffing - and certainly no worse.

So surely it makes no sense to give a scary warning for an HTTPS site with a bad certificate, but no warning at all for HTTP. How many people look at the letter 's' in the URL bar?

I suggest browsers should show:

- red (and no padlock) for both HTTP and HTTPS with bad cert

- a severe warning message which interrupts your workflow, if you try to POST a form containing any sort of text field, or use HTTP basic auth, over either HTTP or HTTPS with bad cert

The flaw in this argument is cookies. Some cookies contain an authentication token which could be used to impersonate you; but the majority are just tracking junk. So unfortunately, you can't just give a blanket warning for all cookies which are sent over an insecure channel.
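The policy the comment above proposes (red indicator for HTTP and for HTTPS with a bad certificate, an interrupting warning only when a form with a text field is POSTed or HTTP basic auth is used over such a channel, and no trigger on cookies) written out as an added JavaScript example. This is not the commenter's code and not any browser's implementation; the function names, the request object shape and the `cert` status string are assumptions, since a page script cannot inspect certificate validity itself and would receive it from the browser.

```javascript
// Added example: the comment's proposed warning policy as a decision function.
// Assumed input shape (hypothetical, not a browser API):
//   { url, cert: "valid" | "self-signed" | "invalid" | undefined,
//     method, fields: [{tag, type}], headers: {}, cookies: [] }

// <input> types whose value is free text the user typed (a password is text too).
const TEXT_INPUT_TYPES = new Set([
  "text", "password", "email", "search", "tel", "url", "number",
]);

// Indicator colour: plain HTTP and HTTPS with a bad cert are both red, as proposed.
function channelState(url, cert) {
  const u = new URL(url);
  if (u.protocol === "https:") return cert === "valid" ? "green" : "red";
  return "red"; // http: or anything else is treated as an insecure channel
}

// HTTP basic auth either as userinfo embedded in the URL or as an
// Authorization: Basic header on the request.
function usesBasicAuth(url, headers = {}) {
  const u = new URL(url);
  if (u.username !== "") return true;
  const auth = Object.entries(headers).find(
    ([name]) => name.toLowerCase() === "authorization",
  );
  return auth !== undefined && /^basic\s/i.test(auth[1]);
}

// "Any sort of text field": a <textarea> or an <input> of a text-like type.
// An <input> with no type attribute defaults to type=text in HTML.
function hasTextField(fields) {
  return fields.some((f) => {
    if (f.tag === "textarea") return true;
    if (f.tag !== "input") return false;
    return TEXT_INPUT_TYPES.has((f.type || "text").toLowerCase());
  });
}

function decide(request) {
  const state = channelState(request.url, request.cert);
  const method = (request.method || "GET").toUpperCase();
  const postingText = method === "POST" && hasTextField(request.fields || []);
  const basicAuth = usesBasicAuth(request.url, request.headers || {});
  // request.cookies is deliberately ignored: per the comment, most cookies are
  // tracking junk, so their presence alone cannot justify an interrupting warning.
  const sensitive = postingText || basicAuth;
  return {
    indicator: state,
    padlock: state === "green",
    interrupt: state === "red" && sensitive,
  };
}

// Constructed sample requests (not captured traffic) exercising each branch.
function demo() {
  return {
    httpLogin: decide({
      url: "http://example.com/login",
      method: "POST",
      fields: [{ tag: "input", type: "text" }, { tag: "input", type: "password" }],
    }),
    selfSignedLogin: decide({
      url: "https://example.com/login",
      cert: "self-signed",
      method: "POST",
      fields: [{ tag: "input" }],
    }),
    validLogin: decide({
      url: "https://example.com/login",
      cert: "valid",
      method: "POST",
      fields: [{ tag: "textarea" }],
    }),
    httpVote: decide({
      url: "http://example.com/vote",
      method: "POST",
      fields: [{ tag: "input", type: "hidden" }, { tag: "input", type: "checkbox" }],
      cookies: ["tracker=abc"],
    }),
    httpUserinfo: decide({ url: "http://admin:secret@example.com/admin" }),
    httpBasicHeader: decide({
      url: "http://example.com/api",
      headers: { Authorization: "Basic YWRtaW46c2VjcmV0" },
    }),
  };
}

module.exports = { channelState, usesBasicAuth, hasTextField, decide, demo };
```

Two design points follow from the comment itself: a plain GET to an HTTP page is red but does not interrupt, which is what makes the proposal bearable on the open web, and the `cookies` array is carried in the request but never consulted, because the comment's own closing paragraph concedes that cookie sensitivity cannot be judged from the outside.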
