Pale Moon displays secure sites slightly differently than other browsers, so here is a short explanation about the different statuses you may see, and what exactly they mean:
- Normal site: The connection to the site is not encrypted, and anything you post to or get from the website is transferred normally. This is the normal state for a lot of public web pages you will visit, and is normal for regular browsing.
- Secure site:
The connection to the site is encrypted, all parts are transferred over a secure connection, and anything you post to or get from the website is securely transferred to prevent eavesdropping. This is a common state for on-line shopping, most e-mail providers who supply webmail, and for login pages, etc.
Unlike Firefox, Pale Moon will display the verified domain name for these types of connections by default, and will display the raw IDN code (punycode, starting with "xn--") for internationalized domain names in this case to prevent spoofing dangers.
- Secure site with extended validation: The connection is encrypted as for a "Secure site" above, but the certificate owner has also been verified through an extended validation process. This is a common state for higher-security sites like on-line banking, eMoney providers, and secure governmental sites dealing with highly personal information. Pale Moon will display the verified organization name. Because these kinds of certificates are much more expensive, most smaller businesses will not use extended validation for their encrypted pages and you will see a "domain verified" encrypted connection instead (as for a "Secure site").
- Mixed content:
The connection to the site is encrypted, but some parts of the site were transferred over non-encrypted connections. This specific mode indicates that the connection to the site is not as secure as it could be, but the content that isn't sent over an encrypted connection is passive content (display content like images) which is relatively low risk and fairly common on e.g. bulletin boards or social media where users can post embedded images from external sources.
Please note: This should never happen on highly secure sites, and for this reason mixed content on extended validated domains will not be displayed this way, but will be displayed as broken (see below).
New in 28.14.0
- Low-grade encrypted:
Although the protocol used is https, the connection is weak, which is indicated with a yellow/orange padlock. This can be caused by the server only supporting an old TLS protocol (TLS 1.0 or 1.1) or a known-weak cipher (e.g. 3DES or RC4). Be careful when you see this indicator. If it is a legitimate site, the webmaster probably needs to be informed that their site security is weak and needs to be addressed.
New in 28.14.0
- Broken encryption:
This status is displayed when there is a serious problem with the security of the connection. This happens in the following situations:
  - The site is Extended Validated, but it contains any sort of unencrypted content. Typical EV sites should never have mixed content, so this is considered broken.
  - There is unencrypted content on the site that isn't passive, e.g. scripting or embeds. This is blocked by default to keep the site secure, but if you manually allow it, the connection state is degraded to not secure, with the indicator matching that state.
  - The certificate is self-signed or not trusted, but you have allowed the connection anyway.
Do not enter any login, financial or personal information when you see this icon displayed. If it was a cached/restored page, completely refresh the page (Ctrl+F5) and check for proper encryption.
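
The raw punycode display described under "Secure site" can be reproduced offline to see why it defeats look-alike names. The following is an added example, not Pale Moon code: the function names and the sample host are constructed for illustration, and it assumes Python's built-in IDNA 2003 codec is close enough to browser IDN handling for this purpose.

```python
import unicodedata

# Constructed sample: the first "a" is CYRILLIC SMALL LETTER A (U+0430),
# so the name renders like "example.com" but is a different domain.
LOOKALIKE = "ex\u0430mple.com"

def to_unicode(host: str) -> str:
    """Decode any xn-- labels so the real characters can be inspected."""
    return host.encode("ascii").decode("idna") if host.isascii() else host

def to_display(host: str) -> str:
    """ASCII form of a host: IDN labels become raw punycode (xn--...)."""
    # Assumption: the standard library "idna" codec (IDNA 2003) stands in
    # for the browser's own IDN processing.
    return to_unicode(host).encode("idna").decode("ascii").lower()

def scripts(label: str) -> set:
    """Approximate each letter's script by the first word of its Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def audit(host: str) -> dict:
    """Report the punycode form and any labels that mix writing systems."""
    uni = to_unicode(host)
    shown = to_display(host)
    return {
        "shown": shown,
        "is_idn": any(l.startswith("xn--") for l in shown.split(".")),
        "mixed_script_labels": [l for l in uni.split(".") if len(scripts(l)) > 1],
    }

if __name__ == "__main__":
    for h in ("example.com", LOOKALIKE):
        print(repr(h), audit(h))
```

A label that mixes scripts, as the sample does, is a reason to read the "xn--" form shown in the address bar rather than trust the rendered name.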