How does Pale Moon indicate security?

Frequently Asked Questions about the Pale Moon browser and their answers.


Post by Moonchild » 2015-06-30, 13:25

Since this behavior has changed a few times, here's a run-down of how Pale Moon's latest version indicates the different security states of websites visited:

Normal HTTP
Normal HTTP websites are indicated in the address bar with the site's icon and the address. No special formatting or indication is present because there is nothing special about the site. As opposed to some (IMHO rather pretentious) other browsers who want to start pushing "https always and everywhere" -- which is certainly not needed and has a good number of pitfalls especially for general information sites that do not, ever, need https.

Secure site
The connection to the site is encrypted, and anything you post to or get from the website is securely transferred to prevent eavesdropping. This is a common state for on-line shopping, most e-mail providers who supply webmail, and a number of systems for securely logging in, etc.
Pale Moon will display the verified domain name for these types of connections (unlike Firefox) so you can quickly verify that you are indeed on the domain you intended to connect to.

Secure site with extended validation
The connection is encrypted, but the certificate owner has also been verified through an extended validation process. This is a common state for higher-security sites like on-line banking, eMoney providers, and secure governmental sites dealing with highly personal information. Pale Moon will display the verified organization name.
Because these kinds of certificates are much more expensive, most smaller businesses will not use extended validation for their encrypted pages and you will see a "domain verified" encrypted connection instead (as listed above).

Mixed-mode sites
The connection is encrypted, but some elements were retrieved from unencrypted (external) sites.
This is a common state for e.g. webmail interfaces and fora, because e-mails and posts often embed images that were not served over a secure connection.
Pale Moon will not list the domain name because you are pulling content from multiple domains. Pale Moon, by default, only allows "passive" content to be embedded in mixed-mode, keeping you safe from malicious scripts that might try to steal passwords, so in general, you can feel confident nothing malicious will be present on mixed-mode sites.
You should take care when seeing this state on e.g. eMoney or banking sites, because they should never serve anything in mixed-mode.

Low-grade encrypted, or broken security
Although the protocol used is https, the connection is not trusted. This can be caused by a particularly low-grade encryption used (which takes very little effort or time to circumvent) or by errors in authentication.
Be very careful when you see this icon!
Do not enter any login, financial or personal information when you see this icon displayed. If it was a cached page, completely refresh the page (Ctrl+F5) and check for proper encryption.

At all times, you can click the displayed website icon or domain name/organization name for basic details about the encrypted state, or you can click the padlock itself to open a more detailed window with information about your connection.

"Son, in life you do not fight battles because you expect to win, you fight them merely because they need to be fought." -- Snagglepuss