Bug 119849

Summary: location bar is yellow with "lock" icon, although connection is not SSL encrypted
Product: [Applications] konqueror
Reporter: Jens <jens-bugs.kde.org>
Component: general
Assignee: Konqueror Developers <konq-bugs>
Status: RESOLVED NOT A BUG
Severity: normal
CC: k74yeung-kde
Priority: NOR
Version: 3.5
Target Milestone: ---
Platform: unspecified
OS: Linux
Latest Commit:
Version Fixed In:

Description Jens 2006-01-10 11:07:39 UTC
Version:           3.5 (using KDE 3.5.0 Level "a" , SUSE 10.0 UNSUPPORTED)
Compiler:          Target: i586-suse-linux
OS:                Linux (i686) release 2.6.13-15.7-default

Hi,
this one seems to be new in KDE 3.5. I used to hit Alt-F2 and type "freemail.web.de" for my webmail address. WEB.DE supports both non-SSL and SSL connections.

Now when I do this with KDE 3.5, the location bar says "http://freemail.web.de", but the location bar background is yellow, and the "lock" icon at the bottom is closed. BUT the tooltip that appears when hovering over the lock icon says "the connection is not secured".

When I change the "http:" to "https:" above, and hit ENTER, nothing (visible) changes but the tooltip now shows "The connection is secured by SSL-bla MAC-SHA-foo whatever".

Something is very wrong here =;)

Jens
Comment 1 Thiago Macieira 2006-01-10 14:11:10 UTC
If you look at it closely, you'll see the padlock icon is half-transparent. Clicking the icon reports "Parts of this webpage are secure but the main part isn't".

No bug.
Comment 2 Jens 2006-01-10 15:05:49 UTC
Hello,

So this is perhaps technically correct, but I still think it is very bad behaviour in terms of usability. Users can be tricked into believing they are visiting a secure site by the yellow background which has become "common" for indicating secure connections. Plus, the tooltip of the status bar icon is (IMHO) misleading.

I didn't know there was a distinction between "encrypted" and "half encrypted" for web sites and you really need to look very closely at the icon to see the difference. If there is no other way to make this difference clear I would suggest a popup window that says "This web site is partially encrypted, indicated by this icon: [_]" with a "Don't show again" checkbox, like Konq does with normally encrypted web sites.

However, this way, the user still does not know which parts of the web site are encrypted. Maybe (e.g. in the case of HTML forms) the parts that are SSL encrypted could be highlighted when clicking on the icon, like when showing the DOM tree?

Thanks!
Comment 3 Thiago Macieira 2006-01-10 16:27:53 UTC
George is aware of this. Konqueror/KDE4 will have a revamped interface wrt SSL and will match the behaviour of the other major browsers.
Comment 4 Dirk Stoecker 2006-08-22 10:26:38 UTC
*** Bug 122529 has been marked as a duplicate of this bug. ***