Since SSL covers two cases of security, both encryption and identity, maybe it's time to invent a new icon - i.e. this web site is secure (a lock) but its identity could not be verified (an id card).
Self-signed certs wouldn't show warnings, but wouldn't show the ID-verified icon. CA certs would show both.
If they're worried about user education, the first time Firefox encounters a self-signed site, it could provide a permanently dismissible dialog.
You can't have one without the other. The first icon doesn't mean anything. You might as well add a third icon for "this connection is compressed". Attackers can't read your credit card number out of a compressed stream either.