If you’re connected to a secure site, then the address bar will have a padlock by the arrow on the right and the background will turn yellow. The padlock also appears on the status bar as normal. Therefore, if the address bar isn’t yellow, then it’s not safe to give over credit card details.
He’s right, up to a point. If the address bar is not yellow, it’s certainly not safe to put in your credit card details. But a key observation is that if the address bar is yellow, it’s still not safe to put in your credit card details either. All the yellow says is that you are connected over SSL. It doesn’t say who you are connected to. It could easily be https://evilsite.com – or, more practically, https://www.mybank.com.long.domain.name.no-one.reads.these.evilsite.com.
That’s why I continue to insist that we need to display the domain in the status bar next to the lock, for secure sites, and why I hope to get a chance to update my patch to that effect soon, and persuade Ben to include it.
Update: patch updated. Result: no more confusion about the source of pop-up windows.