backout cset b36d5c933092 due to orange
authorBrian Smith <bsmith@mozilla.com>
Sat, 10 Nov 2012 19:09:07 -0800
changeset 112968 782f9b92815c5596c7e7c0729f22a3403fdfa03e
parent 112967 c80941a6582bfefb674b43a08a43906f104b0923
child 112969 b9a8253986f7ef00d9d92c9ed160bceef32df0f1
push id23843
push userryanvm@gmail.com
push dateSun, 11 Nov 2012 12:00:20 +0000
treeherdermozilla-central@ba4903cc7523 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
milestone19.0a1
backs outb36d5c933092c4f0b57ea58c58e5b7916e0f2088
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
backout cset b36d5c933092 due to orange
browser/app/profile/firefox.js
browser/base/content/browser.js
js/src/tests/e4x/Regress/regress-308111.js
js/src/tests/user.js
mobile/android/chrome/content/browser.js
mobile/xul/chrome/content/browser.js
netwerk/base/public/security-prefs.js
netwerk/protocol/http/HttpChannelChild.cpp
netwerk/protocol/http/HttpChannelParent.cpp
netwerk/protocol/http/HttpChannelParent.h
netwerk/protocol/http/PHttpChannel.ipdl
security/manager/boot/public/nsISecurityUITelemetry.idl
security/manager/boot/public/nsISecurityWarningDialogs.idl
security/manager/boot/src/nsSecureBrowserUIImpl.cpp
security/manager/boot/src/nsSecureBrowserUIImpl.h
security/manager/boot/src/nsSecurityWarningDialogs.cpp
security/manager/locales/en-US/chrome/pipnss/security.properties
security/manager/ssl/public/nsIAssociatedContentSecurity.idl
security/manager/ssl/src/TransportSecurityInfo.cpp
security/manager/ssl/src/TransportSecurityInfo.h
security/manager/ssl/src/nsNSSCallbacks.cpp
security/manager/ssl/src/nsNSSComponent.cpp
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -575,16 +575,17 @@ pref("network.protocol-handler.warn-exte
 pref("network.protocol-handler.expose-all", true);
 pref("network.protocol-handler.expose.mailto", false);
 pref("network.protocol-handler.expose.news", false);
 pref("network.protocol-handler.expose.snews", false);
 pref("network.protocol-handler.expose.nntp", false);
 
 // Default security warning dialogs to show once.
 pref("security.warn_entering_secure.show_once", false);
+pref("security.warn_entering_weak.show_once", true);
 pref("security.warn_leaving_secure.show_once", false);
 pref("security.warn_viewing_mixed.show_once", true);
 pref("security.warn_submit_insecure.show_once", false);
 
 pref("accessibility.typeaheadfind", false);
 pref("accessibility.typeaheadfind.timeout", 5000);
 pref("accessibility.typeaheadfind.linksonly", false);
 pref("accessibility.typeaheadfind.flashBar", 1);
@@ -998,16 +999,17 @@ pref("services.sync.prefs.sync.privacy.d
 pref("services.sync.prefs.sync.privacy.sanitize.sanitizeOnShutdown", true);
 pref("services.sync.prefs.sync.security.OCSP.disable_button.managecrl", true);
 pref("services.sync.prefs.sync.security.OCSP.enabled", true);
 pref("services.sync.prefs.sync.security.OCSP.require", true);
 pref("services.sync.prefs.sync.security.default_personal_cert", true);
 pref("services.sync.prefs.sync.security.enable_ssl3", true);
 pref("services.sync.prefs.sync.security.enable_tls", true);
 pref("services.sync.prefs.sync.security.warn_entering_secure", true);
+pref("services.sync.prefs.sync.security.warn_entering_weak", true);
 pref("services.sync.prefs.sync.security.warn_leaving_secure", true);
 pref("services.sync.prefs.sync.security.warn_submit_insecure", true);
 pref("services.sync.prefs.sync.security.warn_viewing_mixed", true);
 pref("services.sync.prefs.sync.signon.rememberSignons", true);
 pref("services.sync.prefs.sync.spellchecker.dictionary", true);
 pref("services.sync.prefs.sync.xpinstall.whitelist.required", true);
 #endif
 
--- a/browser/base/content/browser.js
+++ b/browser/base/content/browser.js
@@ -4274,23 +4274,30 @@ var XULBrowserWindow = {
 
     this._hostChanged = false;
 
     // aState is defined as a bitmask that may be extended in the future.
     // We filter out any unknown bits before testing for known values.
     const wpl = Components.interfaces.nsIWebProgressListener;
     const wpl_security_bits = wpl.STATE_IS_SECURE |
                               wpl.STATE_IS_BROKEN |
-                              wpl.STATE_IS_INSECURE;
+                              wpl.STATE_IS_INSECURE |
+                              wpl.STATE_SECURE_HIGH |
+                              wpl.STATE_SECURE_MED |
+                              wpl.STATE_SECURE_LOW;
     var level;
 
     switch (this._state & wpl_security_bits) {
-      case wpl.STATE_IS_SECURE:
+      case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_HIGH:
         level = "high";
         break;
+      case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_MED:
+      case wpl.STATE_IS_SECURE | wpl.STATE_SECURE_LOW:
+        level = "low";
+        break;
       case wpl.STATE_IS_BROKEN:
         level = "broken";
         break;
     }
 
     if (level) {
       // We don't style the Location Bar based on the the 'level' attribute
       // anymore, but still set it for third-party themes.
@@ -6667,17 +6674,17 @@ var gIdentityHandler = {
     this._lastStatus = currentStatus;
     this._lastLocation = location;
 
     let nsIWebProgressListener = Ci.nsIWebProgressListener;
     if (location.protocol == "chrome:" || location.protocol == "about:")
       this.setMode(this.IDENTITY_MODE_CHROMEUI);
     else if (state & nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
       this.setMode(this.IDENTITY_MODE_IDENTIFIED);
-    else if (state & nsIWebProgressListener.STATE_IS_SECURE)
+    else if (state & nsIWebProgressListener.STATE_SECURE_HIGH)
       this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
     else if (state & nsIWebProgressListener.STATE_IS_BROKEN)
       this.setMode(this.IDENTITY_MODE_MIXED_CONTENT);
     else
       this.setMode(this.IDENTITY_MODE_UNKNOWN);
   },
 
   /**
--- a/js/src/tests/e4x/Regress/regress-308111.js
+++ b/js/src/tests/e4x/Regress/regress-308111.js
@@ -28,16 +28,17 @@ var xml = <prefs>
 <pref><name>font.name.sans-serif.x-unicode</name></pref>
 <pref><name>capability.policy.mailnews.SOAPEncoding.setDecoder</name></pref>
 <pref><name>font.name-list.sans-serif.ko</name></pref>
 <pref><name>browser.chrome.site_icons</name></pref>
 <pref><name>app.update.auto</name></pref>
 <pref><name>security.ssl2.des_64</name></pref>
 <pref><name>print.always_cache_old_pres</name></pref>
 <pref><name>security.ssl3.rsa_des_sha</name></pref>
+<pref><name>security.warn_entering_weak.show_once</name></pref>
 <pref><name>network.proxy.http_port</name></pref>
 <pref><name>browser.display.use_document_colors</name></pref>
 <pref><name>browser.preferences.animateFadeIn</name></pref>
 <pref><name>browser.search.defaultenginename</name></pref>
 <pref><name>capability.principal.codebase.p0.id</name></pref>
 <pref><name>config.use_system_prefs</name></pref>
 <pref><name>font.name.monospace.x-guru</name></pref>
 <pref><name>security.default_personal_cert</name></pref>
@@ -819,16 +820,17 @@ var xml = <prefs>
 <pref><name>network.protocol-handler.expose.mailto</name></pref>
 <pref><name>font.default.el</name></pref>
 <pref><name>network.http.default-socket-type</name></pref>
 <pref><name>browser.display.focus_background_color</name></pref>
 <pref><name>editor.use_custom_colors</name></pref>
 <pref><name>network.proxy.gopher</name></pref>
 <pref><name>ui.key.saveLink.shift</name></pref>
 <pref><name>font.name.serif.ko</name></pref>
+<pref><name>security.warn_entering_weak</name></pref>
 <pref><name>font.name.sans-serif.th</name></pref>
 <pref><name>capability.policy.mailnews.*.substringData.get</name></pref>
 <pref><name>font.name.cursive.x-central-euro</name></pref>
 <pref><name>browser.chrome.favicons</name></pref>
 <pref><name>font.size.variable.ar</name></pref>
 <pref><name>accessibility.typeaheadfind.autostart</name></pref>
 <pref><name>font.default.ar</name></pref>
 <pref><name>capability.policy.mailnews.SOAPFault.faultCode</name></pref>
--- a/js/src/tests/user.js
+++ b/js/src/tests/user.js
@@ -12,16 +12,17 @@ user_pref("dom.allow_scripts_to_close_wi
 user_pref("dom.disable_open_during_load", false);
 user_pref("dom.max_script_run_time", 0);
 user_pref("hangmonitor.timeout", 0);
 user_pref("dom.max_chrome_script_run_time", 0);
 user_pref("javascript.allow.mailnews", true);
 user_pref("javascript.options.showInConsole", true);
 user_pref("layout.css.report_errors", true);
 user_pref("security.warn_entering_secure", false);
+user_pref("security.warn_entering_weak", false);
 user_pref("security.warn_leaving_secure", false);
 user_pref("security.warn_submit_insecure", false);
 user_pref("security.warn_viewing_mixed", false);
 user_pref("signed.applets.codebase_principal_support", true);
 user_pref("browser.warnOnQuit", false);
 user_pref("browser.cache.check_doc_frequency", 1);
 user_pref("extensions.checkCompatibility", false);
 user_pref("extensions.checkUpdateSecurity", false);
--- a/mobile/android/chrome/content/browser.js
+++ b/mobile/android/chrome/content/browser.js
@@ -6283,17 +6283,17 @@ var IdentityHandler = {
 
     return result;
   },
 
   getIdentityMode: function getIdentityMode(aState) {
     if (aState & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
       return this.IDENTITY_MODE_IDENTIFIED;
 
-    if (aState & Ci.nsIWebProgressListener.STATE_IS_SECURE)
+    if (aState & Ci.nsIWebProgressListener.STATE_SECURE_HIGH)
       return this.IDENTITY_MODE_DOMAIN_VERIFIED;
 
     return this.IDENTITY_MODE_UNKNOWN;
   },
 
   /**
    * Determine the identity of the page being displayed by examining its SSL cert
    * (if available). Return the data needed to update the UI.
--- a/mobile/xul/chrome/content/browser.js
+++ b/mobile/xul/chrome/content/browser.js
@@ -2128,17 +2128,17 @@ IdentityHandler.prototype = {
 
     try {
       // make a copy of the passed in location to avoid cycles
       this._lastLocation = { host: location.hostPort, hostname: location.host, port: location.port == -1 ? "" : location.port};
     } catch(e) { }
 
     if (state & Ci.nsIWebProgressListener.STATE_IDENTITY_EV_TOPLEVEL)
       this.setMode(this.IDENTITY_MODE_IDENTIFIED);
-    else if (state & Ci.nsIWebProgressListener.STATE_IS_SECURE)
+    else if (state & Ci.nsIWebProgressListener.STATE_SECURE_HIGH)
       this.setMode(this.IDENTITY_MODE_DOMAIN_VERIFIED);
     else
       this.setMode(this.IDENTITY_MODE_UNKNOWN);
   },
 
   /**
    * Return the eTLD+1 version of the current hostname
    */
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@@ -13,51 +13,66 @@ pref("security.ssl.treat_unsafe_negotiat
 pref("security.ssl.require_safe_negotiation",  false);
 pref("security.ssl.warn_missing_rfc5746",  1);
 pref("security.ssl.enable_false_start", false);
 
 pref("security.ssl3.rsa_rc4_128_md5", true);
 pref("security.ssl3.rsa_rc4_128_sha", true);
 pref("security.ssl3.rsa_fips_des_ede3_sha", true);
 pref("security.ssl3.rsa_des_ede3_sha", true);
+pref("security.ssl3.rsa_fips_des_sha", false);
+pref("security.ssl3.rsa_des_sha", false);
+pref("security.ssl3.rsa_1024_rc4_56_sha", false);
+pref("security.ssl3.rsa_1024_des_cbc_sha", false);
+pref("security.ssl3.rsa_rc4_40_md5", false);
+pref("security.ssl3.rsa_rc2_40_md5", false);
 pref("security.ssl3.dhe_rsa_camellia_256_sha", true);
 pref("security.ssl3.dhe_dss_camellia_256_sha", true);
 pref("security.ssl3.rsa_camellia_256_sha", true);
 pref("security.ssl3.dhe_rsa_camellia_128_sha", true);
 pref("security.ssl3.dhe_dss_camellia_128_sha", true);
 pref("security.ssl3.rsa_camellia_128_sha", true);
 pref("security.ssl3.dhe_rsa_aes_256_sha", true);
 pref("security.ssl3.dhe_dss_aes_256_sha", true);
 pref("security.ssl3.rsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", true);
 pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", true);
+pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
 pref("security.ssl3.ecdhe_rsa_aes_256_sha", true);
 pref("security.ssl3.ecdhe_rsa_aes_128_sha", true);
 pref("security.ssl3.ecdhe_rsa_des_ede3_sha", true);
 pref("security.ssl3.ecdhe_rsa_rc4_128_sha", true);
+pref("security.ssl3.ecdhe_rsa_null_sha", false);
 pref("security.ssl3.ecdh_ecdsa_aes_256_sha", true);
 pref("security.ssl3.ecdh_ecdsa_aes_128_sha", true);
 pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", true);
 pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", true);
+pref("security.ssl3.ecdh_ecdsa_null_sha", false);
 pref("security.ssl3.ecdh_rsa_aes_256_sha", true);
 pref("security.ssl3.ecdh_rsa_aes_128_sha", true);
 pref("security.ssl3.ecdh_rsa_des_ede3_sha", true);
 pref("security.ssl3.ecdh_rsa_rc4_128_sha", true);
+pref("security.ssl3.ecdh_rsa_null_sha", false);
 pref("security.ssl3.dhe_rsa_aes_128_sha", true);
 pref("security.ssl3.dhe_dss_aes_128_sha", true);
 pref("security.ssl3.rsa_aes_128_sha", true);
 pref("security.ssl3.dhe_rsa_des_ede3_sha", true);
 pref("security.ssl3.dhe_dss_des_ede3_sha", true);
+pref("security.ssl3.dhe_rsa_des_sha", false);
+pref("security.ssl3.dhe_dss_des_sha", false);
+pref("security.ssl3.rsa_null_sha", false);
+pref("security.ssl3.rsa_null_md5", false);
 pref("security.ssl3.rsa_seed_sha", true);
 
 pref("security.default_personal_cert",   "Ask Every Time");
 pref("security.remember_cert_checkbox_default_setting", true);
 pref("security.ask_for_password",        0);
 pref("security.password_lifetime",       30);
 pref("security.warn_entering_secure",    false);
+pref("security.warn_entering_weak",      true);
 pref("security.warn_leaving_secure",     false);
 pref("security.warn_viewing_mixed",      true);
 pref("security.warn_submit_insecure",    false);
 
 pref("security.OCSP.enabled", 1);
 pref("security.OCSP.require", false);
--- a/netwerk/protocol/http/HttpChannelChild.cpp
+++ b/netwerk/protocol/http/HttpChannelChild.cpp
@@ -1319,16 +1319,60 @@ HttpChannelChild::GetAssociatedContentSe
   if (!assoc)
     return false;
 
   if (_result)
     assoc.forget(_result);
   return true;
 }
 
+/* attribute unsigned long countSubRequestsHighSecurity; */
+NS_IMETHODIMP
+HttpChannelChild::GetCountSubRequestsHighSecurity(
+                    int32_t *aSubRequestsHighSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
+}
+NS_IMETHODIMP
+HttpChannelChild::SetCountSubRequestsHighSecurity(
+                    int32_t aSubRequestsHighSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsHighSecurity(aSubRequestsHighSecurity);
+}
+
+/* attribute unsigned long countSubRequestsLowSecurity; */
+NS_IMETHODIMP
+HttpChannelChild::GetCountSubRequestsLowSecurity(
+                    int32_t *aSubRequestsLowSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->GetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
+}
+NS_IMETHODIMP
+HttpChannelChild::SetCountSubRequestsLowSecurity(
+                    int32_t aSubRequestsLowSecurity)
+{
+  nsCOMPtr<nsIAssociatedContentSecurity> assoc;
+  if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
+    return NS_OK;
+
+  return assoc->SetCountSubRequestsLowSecurity(aSubRequestsLowSecurity);
+}
+
 /* attribute unsigned long countSubRequestsBrokenSecurity; */
 NS_IMETHODIMP 
 HttpChannelChild::GetCountSubRequestsBrokenSecurity(
                     int32_t *aSubRequestsBrokenSecurity)
 {
   nsCOMPtr<nsIAssociatedContentSecurity> assoc;
   if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
     return NS_OK;
@@ -1369,25 +1413,29 @@ HttpChannelChild::SetCountSubRequestsNoS
 NS_IMETHODIMP
 HttpChannelChild::Flush()
 {
   nsCOMPtr<nsIAssociatedContentSecurity> assoc;
   if (!GetAssociatedContentSecurity(getter_AddRefs(assoc)))
     return NS_OK;
 
   nsresult rv;
-  int32_t broken, no;
+  int32_t hi, low, broken, no;
 
+  rv = assoc->GetCountSubRequestsHighSecurity(&hi);
+  NS_ENSURE_SUCCESS(rv, rv);
+  rv = assoc->GetCountSubRequestsLowSecurity(&low);
+  NS_ENSURE_SUCCESS(rv, rv);
   rv = assoc->GetCountSubRequestsBrokenSecurity(&broken);
   NS_ENSURE_SUCCESS(rv, rv);
   rv = assoc->GetCountSubRequestsNoSecurity(&no);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (mIPCOpen)
-    SendUpdateAssociatedContentSecurity(broken, no);
+    SendUpdateAssociatedContentSecurity(hi, low, broken, no);
 
   return NS_OK;
 }
 
 //-----------------------------------------------------------------------------
 // HttpChannelChild::nsIHttpChannelChild
 //-----------------------------------------------------------------------------
 
--- a/netwerk/protocol/http/HttpChannelParent.cpp
+++ b/netwerk/protocol/http/HttpChannelParent.cpp
@@ -309,20 +309,24 @@ bool
 HttpChannelParent::RecvSetCacheTokenCachedCharset(const nsCString& charset)
 {
   if (mCacheDescriptor)
     mCacheDescriptor->SetMetaDataElement("charset", charset.get());
   return true;
 }
 
 bool
-HttpChannelParent::RecvUpdateAssociatedContentSecurity(const int32_t& broken,
+HttpChannelParent::RecvUpdateAssociatedContentSecurity(const int32_t& high,
+                                                       const int32_t& low,
+                                                       const int32_t& broken,
                                                        const int32_t& no)
 {
   if (mAssociatedContentSecurity) {
+    mAssociatedContentSecurity->SetCountSubRequestsHighSecurity(high);
+    mAssociatedContentSecurity->SetCountSubRequestsLowSecurity(low);
     mAssociatedContentSecurity->SetCountSubRequestsBrokenSecurity(broken);
     mAssociatedContentSecurity->SetCountSubRequestsNoSecurity(no);
   }
   return true;
 }
 
 bool
 HttpChannelParent::RecvRedirect2Verify(const nsresult& result, 
--- a/netwerk/protocol/http/HttpChannelParent.h
+++ b/netwerk/protocol/http/HttpChannelParent.h
@@ -71,17 +71,19 @@ protected:
   virtual bool RecvConnectChannel(const uint32_t& channelId);
   virtual bool RecvSetPriority(const uint16_t& priority);
   virtual bool RecvSetCacheTokenCachedCharset(const nsCString& charset);
   virtual bool RecvSuspend();
   virtual bool RecvResume();
   virtual bool RecvCancel(const nsresult& status);
   virtual bool RecvRedirect2Verify(const nsresult& result,
                                    const RequestHeaderTuples& changedHeaders);
-  virtual bool RecvUpdateAssociatedContentSecurity(const int32_t& broken,
+  virtual bool RecvUpdateAssociatedContentSecurity(const int32_t& high,
+                                                   const int32_t& low,
+                                                   const int32_t& broken,
                                                    const int32_t& no);
   virtual bool RecvDocumentChannelCleanup();
   virtual bool RecvMarkOfflineCacheEntryAsForeign();
 
   virtual void ActorDestroy(ActorDestroyReason why);
 
 protected:
   friend class mozilla::net::HttpChannelParentListener;
--- a/netwerk/protocol/http/PHttpChannel.ipdl
+++ b/netwerk/protocol/http/PHttpChannel.ipdl
@@ -56,17 +56,19 @@ parent:
   // Used to connect redirected-to channel on the parent with redirected-to
   // channel on the child.
   ConnectChannel(uint32_t channelId);
 
   SetPriority(uint16_t priority);
 
   SetCacheTokenCachedCharset(nsCString charset);
 
-  UpdateAssociatedContentSecurity(int32_t broken,
+  UpdateAssociatedContentSecurity(int32_t high,
+                                  int32_t low,
+                                  int32_t broken,
                                   int32_t no);
   Suspend();
   Resume();
 
   Cancel(nsresult status);
 
   // Reports approval/veto of redirect by child process redirect observers
   Redirect2Verify(nsresult result, RequestHeaderTuples changedHeaders);
--- a/security/manager/boot/public/nsISecurityUITelemetry.idl
+++ b/security/manager/boot/public/nsISecurityUITelemetry.idl
@@ -1,17 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
  *
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsISupports.idl"
 
-[scriptable, uuid(8dad8f23-bdb5-458c-b38c-8eab77578e60)]
+[scriptable, uuid(39823a45-dd9e-4f8b-9b0a-0ad144eb0db6)]
 
 interface nsISecurityUITelemetry : nsISupports {
 
 /*
  * Addon installation warnings
  */
 
 // Firefox prevented this site from asking you to install addon
@@ -24,17 +24,17 @@ const uint32_t WARNING_CONFIRM_ADDON_INS
 const uint32_t WARNING_CONFIRM_ADDON_INSTALL_CLICK_THROUGH  = 4;
 
 
 /*
  * modal dialogs/warnings 
  */
 
 const uint32_t WARNING_ENTERING_SECURE_SITE = 5;
-//     removed WARNING_ENTERING_WEAK_SITE = 6;
+const uint32_t WARNING_ENTERING_WEAK_SITE = 6;
 const uint32_t WARNING_LEAVING_SECURE_SITE = 7;
 const uint32_t WARNING_MIXED_CONTENT  = 8;
 
 // For confirmation dialogs, the clickthrough constant needs to be 1
 // more than the dialog constant so that
 // WARNING_CONFIRM_<X> + 1 == WARNING_CONFIRM_<X>_CLICK_THROUGH
 const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE = 9;
 const uint32_t WARNING_CONFIRM_POST_TO_INSECURE_FROM_SECURE_CLICK_THROUGH = 10;
--- a/security/manager/boot/public/nsISecurityWarningDialogs.idl
+++ b/security/manager/boot/public/nsISecurityWarningDialogs.idl
@@ -6,33 +6,46 @@
 #include "nsISupports.idl"
 
 interface nsIInterfaceRequestor;
 
 /**
  * Functions that display warnings for transitions between secure
  * and insecure pages, posts to insecure servers etc.
  */
-[scriptable, uuid(ba1f7293-c633-4e4c-b3e8-ae2feedb3c09)]
+[scriptable, uuid(1c399d06-1dd2-11b2-bc58-c87cbcacdb78)]
 interface nsISecurityWarningDialogs : nsISupports
 {
   /**
    *  Inform the user that a transition 
    *    from an insecure page 
    *    to a secure page
    *  is happening.
    *
    *  @param ctx A user interface context.
    *
    *  @return true if the user confirms to continue
    */
   boolean confirmEnteringSecure(in nsIInterfaceRequestor ctx);
 
   /**
    *  Inform the user that a transition 
+   *    from an insecure page 
+   *    or from a secure page
+   *    to a weak security page
+   *  is happening.
+   *
+   *  @param ctx A user interface context.
+   *
+   *  @return true if the user confirms to continue
+   */
+  boolean confirmEnteringWeak(in nsIInterfaceRequestor ctx);
+
+  /**
+   *  Inform the user that a transition 
    *    from a secure page 
    *    to an insecure page
    *  is happening.
    *
    *  @param ctx A user interface context.
    *
    *  @return true if the user confirms to continue
    */
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.cpp
@@ -121,16 +121,18 @@ class nsAutoAtomic {
 nsSecureBrowserUIImpl::nsSecureBrowserUIImpl()
   : mReentrantMonitor("nsSecureBrowserUIImpl.mReentrantMonitor")
   , mNotifiedSecurityState(lis_no_security)
   , mNotifiedToplevelIsEV(false)
   , mNewToplevelSecurityState(STATE_IS_INSECURE)
   , mNewToplevelIsEV(false)
   , mNewToplevelSecurityStateKnown(true)
   , mIsViewSource(false)
+  , mSubRequestsHighSecurity(0)
+  , mSubRequestsLowSecurity(0)
   , mSubRequestsBrokenSecurity(0)
   , mSubRequestsNoSecurity(0)
   , mRestoreSubrequests(false)
   , mOnLocationChangeSeen(false)
 #ifdef DEBUG
   , mOnStateLocationChangeReentranceDetection(0)
 #endif
 {
@@ -268,16 +270,20 @@ nsSecureBrowserUIImpl::MapInternalToExte
     case lis_broken_security:
       *aState = STATE_IS_BROKEN;
       break;
 
     case lis_mixed_security:
       *aState = STATE_IS_BROKEN;
       break;
 
+    case lis_low_security:
+      *aState = STATE_IS_SECURE | STATE_SECURE_LOW;
+      break;
+
     case lis_high_security:
       *aState = STATE_IS_SECURE | STATE_SECURE_HIGH;
       break;
 
     default:
     case lis_no_security:
       *aState = STATE_IS_INSECURE;
       break;
@@ -546,17 +552,27 @@ nsSecureBrowserUIImpl::UpdateSubrequestM
 {
   // For wyciwyg channels in subdocuments we only update our
   // subrequest state members.
   uint32_t reqState = GetSecurityStateFromSecurityInfo(securityInfo);
 
   // the code above this line should run without a lock
   ReentrantMonitorAutoEnter lock(mReentrantMonitor);
 
-  if (reqState & STATE_IS_BROKEN) {
+  if (reqState & STATE_IS_SECURE) {
+    if (reqState & STATE_SECURE_LOW || reqState & STATE_SECURE_MED) {
+      PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
+             ("SecureUI:%p: OnStateChange: subreq LOW\n", this));
+      ++mSubRequestsLowSecurity;
+    } else {
+      PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
+             ("SecureUI:%p: OnStateChange: subreq HIGH\n", this));
+      ++mSubRequestsHighSecurity;
+    }
+  } else if (reqState & STATE_IS_BROKEN) {
     PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
            ("SecureUI:%p: OnStateChange: subreq BROKEN\n", this));
     ++mSubRequestsBrokenSecurity;
   } else {
     PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
            ("SecureUI:%p: OnStateChange: subreq INSECURE\n", this));
     ++mSubRequestsNoSecurity;
   }
@@ -913,17 +929,28 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
   {
     f -= nsIWebProgressListener::STATE_IS_SECURE;
     info.Append("IS_SECURE ");
   }
   if (f & nsIWebProgressListener::STATE_SECURE_HIGH)
   {
     f -= nsIWebProgressListener::STATE_SECURE_HIGH;
     info.Append("SECURE_HIGH ");
-  }  if (f & nsIWebProgressListener::STATE_RESTORING)
+  }
+  if (f & nsIWebProgressListener::STATE_SECURE_MED)
+  {
+    f -= nsIWebProgressListener::STATE_SECURE_MED;
+    info.Append("SECURE_MED ");
+  }
+  if (f & nsIWebProgressListener::STATE_SECURE_LOW)
+  {
+    f -= nsIWebProgressListener::STATE_SECURE_LOW;
+    info.Append("SECURE_LOW ");
+  }
+  if (f & nsIWebProgressListener::STATE_RESTORING)
   {
     f -= nsIWebProgressListener::STATE_RESTORING;
     info.Append("STATE_RESTORING ");
   }
 
   if (f > 0)
   {
     info.Append("f contains unknown flag!");
@@ -1005,29 +1032,35 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
       aProgressStateFlags & STATE_IS_REQUEST
       &&
       isToplevelProgress
       &&
       loadFlags & nsIChannel::LOAD_DOCUMENT_URI)
   {
     bool inProgress;
 
+    int32_t saveSubHigh;
+    int32_t saveSubLow;
     int32_t saveSubBroken;
     int32_t saveSubNo;
     nsCOMPtr<nsIAssociatedContentSecurity> prevContentSecurity;
 
+    int32_t newSubHigh = 0;
+    int32_t newSubLow = 0;
     int32_t newSubBroken = 0;
     int32_t newSubNo = 0;
 
     {
       ReentrantMonitorAutoEnter lock(mReentrantMonitor);
       inProgress = (mDocumentRequestsInProgress!=0);
 
       if (allowSecurityStateChange && !inProgress)
       {
+        saveSubHigh = mSubRequestsHighSecurity;
+        saveSubLow = mSubRequestsLowSecurity;
         saveSubBroken = mSubRequestsBrokenSecurity;
         saveSubNo = mSubRequestsNoSecurity;
         prevContentSecurity = do_QueryInterface(mCurrentToplevelSecurityInfo);
       }
     }
 
     if (allowSecurityStateChange && !inProgress)
     {
@@ -1038,21 +1071,23 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
       if (prevContentSecurity)
       {
         PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
                ("SecureUI:%p: OnStateChange: start, saving current sub state\n", this
                 ));
   
         // before resetting our state, let's save information about
         // sub element loads, so we can restore it later
+        prevContentSecurity->SetCountSubRequestsHighSecurity(saveSubHigh);
+        prevContentSecurity->SetCountSubRequestsLowSecurity(saveSubLow);
         prevContentSecurity->SetCountSubRequestsBrokenSecurity(saveSubBroken);
         prevContentSecurity->SetCountSubRequestsNoSecurity(saveSubNo);
         prevContentSecurity->Flush();
-        PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Saving subs in START to %p as %d,%d\n", 
-          this, prevContentSecurity.get(), saveSubBroken, saveSubNo));      
+        PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Saving subs in START to %p as %d,%d,%d,%d\n", 
+          this, prevContentSecurity.get(), saveSubHigh, saveSubLow, saveSubBroken, saveSubNo));      
       }
 
       bool retrieveAssociatedState = false;
 
       if (securityInfo &&
           (aProgressStateFlags & nsIWebProgressListener::STATE_RESTORING) != 0) {
         retrieveAssociatedState = true;
       } else {
@@ -1072,20 +1107,22 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
           newContentSecurity(do_QueryInterface(securityInfo));
     
         if (newContentSecurity)
         {
           PR_LOG(gSecureDocLog, PR_LOG_DEBUG,
                  ("SecureUI:%p: OnStateChange: start, loading old sub state\n", this
                   ));
     
+          newContentSecurity->GetCountSubRequestsHighSecurity(&newSubHigh);
+          newContentSecurity->GetCountSubRequestsLowSecurity(&newSubLow);
           newContentSecurity->GetCountSubRequestsBrokenSecurity(&newSubBroken);
           newContentSecurity->GetCountSubRequestsNoSecurity(&newSubNo);
-          PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in START from %p to %d,%d\n", 
-            this, newContentSecurity.get(), newSubBroken, newSubNo));      
+          PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in START from %p to %d,%d,%d,%d\n", 
+            this, newContentSecurity.get(), newSubHigh, newSubLow, newSubBroken, newSubNo));      
         }
       }
       else
       {
         // If we don't get OnLocationChange for this top level load later,
         // it didn't get rendered.  But we reset the state to unknown and
         // mSubRequests* to zeros.  If we would have left these values after 
         // this top level load stoped, we would override the original top level
@@ -1095,16 +1132,18 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
     }
 
     {
       ReentrantMonitorAutoEnter lock(mReentrantMonitor);
 
       if (allowSecurityStateChange && !inProgress)
       {
         ResetStateTracking();
+        mSubRequestsHighSecurity = newSubHigh;
+        mSubRequestsLowSecurity = newSubLow;
         mSubRequestsBrokenSecurity = newSubBroken;
         mSubRequestsNoSecurity = newSubNo;
         mNewToplevelSecurityStateKnown = false;
       }
 
       // By using a counter, this code also works when the toplevel
       // document get's redirected, but the STOP request for the 
       // previous toplevel document has not yet have been received.
@@ -1199,29 +1238,35 @@ nsSecureBrowserUIImpl::OnStateChange(nsI
         // Drop this indication flag, the restore opration is just being
         // done.
         mRestoreSubrequests = false;
 
         // We can do this since the state didn't actually change.
         mNewToplevelSecurityStateKnown = true;
       }
 
+      int32_t subHigh = 0;
+      int32_t subLow = 0;
       int32_t subBroken = 0;
       int32_t subNo = 0;
 
       if (currentContentSecurity)
       {
+        currentContentSecurity->GetCountSubRequestsHighSecurity(&subHigh);
+        currentContentSecurity->GetCountSubRequestsLowSecurity(&subLow);
         currentContentSecurity->GetCountSubRequestsBrokenSecurity(&subBroken);
         currentContentSecurity->GetCountSubRequestsNoSecurity(&subNo);
-        PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in STOP from %p to %d,%d\n", 
-          this, currentContentSecurity.get(), subBroken, subNo));      
+        PR_LOG(gSecureDocLog, PR_LOG_DEBUG, ("SecureUI:%p: Restoring subs in STOP from %p to %d,%d,%d,%d\n", 
+          this, currentContentSecurity.get(), subHigh, subLow, subBroken, subNo));      
       }
 
       {
         ReentrantMonitorAutoEnter lock(mReentrantMonitor);
+        mSubRequestsHighSecurity = subHigh;
+        mSubRequestsLowSecurity = subLow;
         mSubRequestsBrokenSecurity = subBroken;
         mSubRequestsNoSecurity = subNo;
       }
     }
     
     return NS_OK;
   }
   
@@ -1300,25 +1345,49 @@ bool nsSecureBrowserUIImpl::UpdateMyFlag
 {
   ReentrantMonitorAutoEnter lock(mReentrantMonitor);
   bool mustTellTheWorld = false;
 
   lockIconState newSecurityState;
 
   if (mNewToplevelSecurityState & STATE_IS_SECURE)
   {
-    if (mSubRequestsBrokenSecurity
+    if (mNewToplevelSecurityState & STATE_SECURE_LOW
         ||
-        mSubRequestsNoSecurity)
+        mNewToplevelSecurityState & STATE_SECURE_MED)
     {
-      newSecurityState = lis_mixed_security;
+      if (mSubRequestsBrokenSecurity
+          ||
+          mSubRequestsNoSecurity)
+      {
+        newSecurityState = lis_mixed_security;
+      }
+      else
+      {
+        newSecurityState = lis_low_security;
+      }
     }
     else
     {
-      newSecurityState = lis_high_security;
+      // toplevel is high security
+
+      if (mSubRequestsBrokenSecurity
+          ||
+          mSubRequestsNoSecurity)
+      {
+        newSecurityState = lis_mixed_security;
+      }
+      else if (mSubRequestsLowSecurity)
+      {
+        newSecurityState = lis_low_security;
+      }
+      else
+      {
+        newSecurityState = lis_high_security;
+      }
     }
   }
   else
   if (mNewToplevelSecurityState & STATE_IS_BROKEN)
   {
     // indicating BROKEN is more important than MIXED.
   
     newSecurityState = lis_broken_security;
@@ -1342,30 +1411,38 @@ bool nsSecureBrowserUIImpl::UpdateMyFlag
 
     /*
       from                 to           shows alert
     ------------------------------     ---------------
 
     no or broken -> no or broken    => <NOTHING SHOWN>
 
     no or broken -> mixed           => mixed alert
+    no or broken -> low             => low alert
     no or broken -> high            => high alert
     
-    mixed, high  -> no, broken      => leaving secure
+    mixed, high, low -> no, broken  => leaving secure
 
+    mixed        -> low             => low alert
     mixed        -> high            => high alert
 
+    high         -> low             => low alert
     high         -> mixed           => mixed
     
+    low          -> high            => high
+    low          -> mixed           => mixed
+
+
       security    icon
       ----------------
     
       no          open
       mixed       broken
       broken      broken
+      low         low
       high        high
     */
 
     showWarning = true;
     
     switch (mNotifiedSecurityState)
     {
       case lis_no_security:
@@ -1451,16 +1528,20 @@ nsresult nsSecureBrowserUIImpl::TellTheW
       case lis_broken_security:
         ConfirmLeavingSecure();
         break;
 
       case lis_mixed_security:
         ConfirmMixedMode();
         break;
 
+      case lis_low_security:
+        ConfirmEnteringWeak();
+        break;
+
       case lis_high_security:
         ConfirmEnteringSecure();
         break;
     }
   }
 
   return NS_OK; 
 }
@@ -1601,16 +1682,17 @@ nsSecureBrowserUIImpl::GetSSLStatus(nsIS
 {
   NS_ENSURE_ARG_POINTER(_result);
 
   ReentrantMonitorAutoEnter lock(mReentrantMonitor);
 
   switch (mNotifiedSecurityState)
   {
     case lis_mixed_security:
+    case lis_low_security:
     case lis_high_security:
       break;
 
     default:
       NS_NOTREACHED("if this is reached you must add more entries to the switch");
     case lis_no_security:
     case lis_broken_security:
       *_result = nullptr;
@@ -1800,16 +1882,32 @@ ConfirmEnteringSecure()
 
   bool confirms;
   dialogs->ConfirmEnteringSecure(ctx, &confirms);
 
   return confirms;
 }
 
 bool nsSecureBrowserUIImpl::
+ConfirmEnteringWeak()
+{
+  nsCOMPtr<nsISecurityWarningDialogs> dialogs;
+  nsCOMPtr<nsIInterfaceRequestor> ctx;
+
+  if (!GetNSSDialogs(dialogs, ctx)) {
+    return false; // Should this allow true for unimplemented?
+  }
+
+  bool confirms;
+  dialogs->ConfirmEnteringWeak(ctx, &confirms);
+
+  return confirms;
+}
+
+bool nsSecureBrowserUIImpl::
 ConfirmLeavingSecure()
 {
   nsCOMPtr<nsISecurityWarningDialogs> dialogs;
   nsCOMPtr<nsIInterfaceRequestor> ctx;
 
   if (!GetNSSDialogs(dialogs, ctx)) {
     return false; // Should this allow true for unimplemented?
   }
--- a/security/manager/boot/src/nsSecureBrowserUIImpl.h
+++ b/security/manager/boot/src/nsSecureBrowserUIImpl.h
@@ -70,30 +70,33 @@ protected:
   nsCOMPtr<nsIStringBundle> mStringBundle;
   nsCOMPtr<nsIURI> mCurrentURI;
   nsCOMPtr<nsISecurityEventSink> mToplevelEventSink;
   
   enum lockIconState {
     lis_no_security,
     lis_broken_security,
     lis_mixed_security,
+    lis_low_security,
     lis_high_security
   };
 
   lockIconState mNotifiedSecurityState;
   bool mNotifiedToplevelIsEV;
 
   void ResetStateTracking();
   uint32_t mNewToplevelSecurityState;
   bool mNewToplevelIsEV;
   bool mNewToplevelSecurityStateKnown;
   bool mIsViewSource;
 
   nsXPIDLString mInfoTooltip;
   int32_t mDocumentRequestsInProgress;
+  int32_t mSubRequestsHighSecurity;
+  int32_t mSubRequestsLowSecurity;
   int32_t mSubRequestsBrokenSecurity;
   int32_t mSubRequestsNoSecurity;
   bool mRestoreSubrequests;
   bool mOnLocationChangeSeen;
 #ifdef DEBUG
   /* related to mReentrantMonitor */
   int32_t mOnStateLocationChangeReentranceDetection;
 #endif
--- a/security/manager/boot/src/nsSecurityWarningDialogs.cpp
+++ b/security/manager/boot/src/nsSecurityWarningDialogs.cpp
@@ -19,16 +19,17 @@
 #include "mozilla/Telemetry.h"
 #include "nsISecurityUITelemetry.h"
 
 NS_IMPL_THREADSAFE_ISUPPORTS1(nsSecurityWarningDialogs, nsISecurityWarningDialogs)
 
 #define STRING_BUNDLE_URL    "chrome://pipnss/locale/security.properties"
 
 #define ENTER_SITE_PREF      "security.warn_entering_secure"
+#define WEAK_SITE_PREF       "security.warn_entering_weak"
 #define LEAVE_SITE_PREF      "security.warn_leaving_secure"
 #define MIXEDCONTENT_PREF    "security.warn_viewing_mixed"
 #define INSECURE_SUBMIT_PREF "security.warn_submit_insecure"
 
 nsSecurityWarningDialogs::nsSecurityWarningDialogs()
 {
 }
 
@@ -64,16 +65,31 @@ nsSecurityWarningDialogs::ConfirmEnterin
                    false,
                    nsISecurityUITelemetry::WARNING_ENTERING_SECURE_SITE);
 
   *_retval = true;
   return rv;
 }
 
 NS_IMETHODIMP 
+nsSecurityWarningDialogs::ConfirmEnteringWeak(nsIInterfaceRequestor *ctx, bool *_retval)
+{
+  nsresult rv;
+
+  rv = AlertDialog(ctx, WEAK_SITE_PREF,
+                   NS_LITERAL_STRING("WeakSecureMessage").get(),
+                   NS_LITERAL_STRING("WeakSecureShowAgain").get(),
+                   false,
+                   nsISecurityUITelemetry::WARNING_ENTERING_WEAK_SITE);
+
+  *_retval = true;
+  return rv;
+}
+
+NS_IMETHODIMP 
 nsSecurityWarningDialogs::ConfirmLeavingSecure(nsIInterfaceRequestor *ctx, bool *_retval)
 {
   nsresult rv;
 
   rv = AlertDialog(ctx, LEAVE_SITE_PREF, 
                    NS_LITERAL_STRING("LeaveSecureMessage").get(),
                    NS_LITERAL_STRING("LeaveSecureShowAgain").get(),
                    false,
--- a/security/manager/locales/en-US/chrome/pipnss/security.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/security.properties
@@ -2,17 +2,19 @@
 # This Source Code Form is subject to the terms of the Mozilla Public
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
 Title=Security Warning
 MixedContentMessage=You have requested an encrypted page that contains some unencrypted information. Information that you see or enter on this page could easily be read by a third party.
 LeaveSecureMessage=You are about to leave an encrypted page. Information you send or receive from now on could easily be read by a third party.
 EnterSecureMessage=You have requested an encrypted page. The website has identified itself correctly, and information you see or enter on this page can't easily be read by a third party.
+WeakSecureMessage=You have requested a page that uses low-grade encryption. The website has identified itself correctly, but information you see or enter on this page could be read by a third party. 
 PostToInsecureFromSecureMessage=Although this page is encrypted, the information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.##Are you sure you want to continue sending this information?##
 PostToInsecureFromInsecureMessage=The information you have entered is to be sent over an unencrypted connection and could easily be read by a third party.##Are you sure you want to continue sending this information?##
 MixedContentShowAgain=Alert me whenever I'm about to view an encrypted page that contains some unencrypted information.
 LeaveSecureShowAgain=Alert me whenever I leave an encrypted page for one that isn't encrypted. 
 EnterSecureShowAgain=Alert me whenever I am about to view an encrypted page.
+WeakSecureShowAgain=Alert me whenever I am about to view a page that uses low-grade encryption.
 PostToInsecureFromInsecureShowAgain=Alert me whenever I submit information that's not encrypted.
 SecurityButtonTooltipText=Displays security information about the current page
 SecurityButtonMixedContentTooltipText=Warning: Contains unauthenticated content
 Continue=Continue
--- a/security/manager/ssl/public/nsIAssociatedContentSecurity.idl
+++ b/security/manager/ssl/public/nsIAssociatedContentSecurity.idl
@@ -9,15 +9,17 @@
  *
  * Some optimizations like bfcaching removes these callback notifications
  * and therefor the subcontent state could not be determined. In such
  * a case it is loaded from this object stored in nsIChannel.securityInfo.
  */
 
 #include "nsISupports.idl"
 
-[scriptable, uuid(a8285dae-f125-454f-9d1b-089e3f01b2c4)]
+[scriptable, uuid(6AC9A699-D12A-45dc-9B02-9E5E0DD831B9)]
 interface nsIAssociatedContentSecurity : nsISupports
 {
+  attribute long countSubRequestsHighSecurity;
+  attribute long countSubRequestsLowSecurity;
   attribute long countSubRequestsBrokenSecurity;
   attribute long countSubRequestsNoSecurity;
   void flush();
 };
--- a/security/manager/ssl/src/TransportSecurityInfo.cpp
+++ b/security/manager/ssl/src/TransportSecurityInfo.cpp
@@ -40,16 +40,18 @@ static NS_DEFINE_CID(kNSSComponentCID, N
 
 } // unnamed namespace
 
 namespace mozilla { namespace psm {
 
 TransportSecurityInfo::TransportSecurityInfo()
   : mMutex("TransportSecurityInfo::mMutex"),
     mSecurityState(nsIWebProgressListener::STATE_IS_INSECURE),
+    mSubRequestsHighSecurity(0),
+    mSubRequestsLowSecurity(0),
     mSubRequestsBrokenSecurity(0),
     mSubRequestsNoSecurity(0),
     mErrorCode(0),
     mErrorMessageType(PlainErrorMessage),
     mPort(0),
     mIsCertIssuerBlacklisted(false)
 {
 }
@@ -132,16 +134,50 @@ TransportSecurityInfo::GetSecurityState(
 
 nsresult
 TransportSecurityInfo::SetSecurityState(uint32_t aState)
 {
   mSecurityState = aState;
   return NS_OK;
 }
 
+/* attribute unsigned long countSubRequestsHighSecurity; */
+NS_IMETHODIMP
+TransportSecurityInfo::GetCountSubRequestsHighSecurity(
+  int32_t *aSubRequestsHighSecurity)
+{
+  *aSubRequestsHighSecurity = mSubRequestsHighSecurity;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::SetCountSubRequestsHighSecurity(
+  int32_t aSubRequestsHighSecurity)
+{
+  mSubRequestsHighSecurity = aSubRequestsHighSecurity;
+  return NS_ERROR_NOT_IMPLEMENTED;
+}
+
+/* attribute unsigned long countSubRequestsLowSecurity; */
+NS_IMETHODIMP
+TransportSecurityInfo::GetCountSubRequestsLowSecurity(
+  int32_t *aSubRequestsLowSecurity)
+{
+  *aSubRequestsLowSecurity = mSubRequestsLowSecurity;
+  return NS_OK;
+}
+
+NS_IMETHODIMP
+TransportSecurityInfo::SetCountSubRequestsLowSecurity(
+  int32_t aSubRequestsLowSecurity)
+{
+  mSubRequestsLowSecurity = aSubRequestsLowSecurity;
+  return NS_OK;
+}
+
 /* attribute unsigned long countSubRequestsBrokenSecurity; */
 NS_IMETHODIMP
 TransportSecurityInfo::GetCountSubRequestsBrokenSecurity(
   int32_t *aSubRequestsBrokenSecurity)
 {
   *aSubRequestsBrokenSecurity = mSubRequestsBrokenSecurity;
   return NS_OK;
 }
@@ -367,18 +403,18 @@ TransportSecurityInfo::Write(nsIObjectOu
                                    mErrorCode, mErrorMessageType,
                                    true, true, mErrorMessageCached);
   NS_ENSURE_SUCCESS(rv, rv);
   stream->WriteWStringZ(mErrorMessageCached.get());
 
   stream->WriteCompoundObject(NS_ISUPPORTS_CAST(nsISSLStatus*, status),
                               NS_GET_IID(nsISupports), true);
 
-  stream->Write32((uint32_t)0);
-  stream->Write32((uint32_t)0);
+  stream->Write32((uint32_t)mSubRequestsHighSecurity);
+  stream->Write32((uint32_t)mSubRequestsLowSecurity);
   stream->Write32((uint32_t)mSubRequestsBrokenSecurity);
   stream->Write32((uint32_t)mSubRequestsNoSecurity);
   return NS_OK;
 }
 
 static bool CheckUUIDEquals(uint32_t m0,
                             nsIObjectInputStream* stream,
                             const nsCID& id)
@@ -470,23 +506,24 @@ TransportSecurityInfo::Read(nsIObjectInp
   
   mSSLStatus = reinterpret_cast<nsSSLStatus*>(obj.get());
 
   if (!mSSLStatus) {
     NS_WARNING("deserializing nsNSSSocketInfo without mSSLStatus");
   }
 
   if (version >= 2) {
-    uint32_t dummySubRequests;
-    stream->Read32((uint32_t*)&dummySubRequests);
-    stream->Read32((uint32_t*)&dummySubRequests);
+    stream->Read32((uint32_t*)&mSubRequestsHighSecurity);
+    stream->Read32((uint32_t*)&mSubRequestsLowSecurity);
     stream->Read32((uint32_t*)&mSubRequestsBrokenSecurity);
     stream->Read32((uint32_t*)&mSubRequestsNoSecurity);
   }
   else {
+    mSubRequestsHighSecurity = 0;
+    mSubRequestsLowSecurity = 0;
     mSubRequestsBrokenSecurity = 0;
     mSubRequestsNoSecurity = 0;
   }
   return NS_OK;
 }
 
 NS_IMETHODIMP
 TransportSecurityInfo::GetInterfaces(uint32_t *count, nsIID * **array)
--- a/security/manager/ssl/src/TransportSecurityInfo.h
+++ b/security/manager/ssl/src/TransportSecurityInfo.h
@@ -83,16 +83,18 @@ public:
 private:
   mutable ::mozilla::Mutex mMutex;
 
 protected:
   nsCOMPtr<nsIInterfaceRequestor> mCallbacks;
 
 private:
   uint32_t mSecurityState;
+  int32_t mSubRequestsHighSecurity;
+  int32_t mSubRequestsLowSecurity;
   int32_t mSubRequestsBrokenSecurity;
   int32_t mSubRequestsNoSecurity;
   nsString mShortDesc;
 
   PRErrorCode mErrorCode;
   ::mozilla::psm::SSLErrorMessageType mErrorMessageType;
   nsString mErrorMessageCached;
   nsresult formatErrorMessage(::mozilla::MutexAutoLock const & proofOfLock, 
--- a/security/manager/ssl/src/nsNSSCallbacks.cpp
+++ b/security/manager/ssl/src/nsNSSCallbacks.cpp
@@ -805,18 +805,22 @@ void HandshakeCallback(PRFileDesc* fd, v
   if (SECSuccess != SSL_SecurityStatus(fd, &sslStatus, &cipherName, &keyLength,
                                        &encryptBits, &signer, nullptr)) {
     return;
   }
 
   int32_t secStatus;
   if (sslStatus == SSL_SECURITY_STATUS_OFF)
     secStatus = nsIWebProgressListener::STATE_IS_BROKEN;
+  else if (encryptBits >= 90)
+    secStatus = (nsIWebProgressListener::STATE_IS_SECURE |
+                 nsIWebProgressListener::STATE_SECURE_HIGH);
   else
-    secStatus = nsIWebProgressListener::STATE_IS_SECURE;
+    secStatus = (nsIWebProgressListener::STATE_IS_SECURE |
+                 nsIWebProgressListener::STATE_SECURE_LOW);
 
   PRBool siteSupportsSafeRenego;
   if (SSL_HandshakeNegotiatedExtension(fd, ssl_renegotiation_info_xtn, &siteSupportsSafeRenego) != SECSuccess
       || !siteSupportsSafeRenego) {
 
     bool wantWarning = (nsSSLIOLayerHelpers::getWarnLevelMissingRFC5746() > 0);
 
     nsCOMPtr<nsIConsoleService> console;
--- a/security/manager/ssl/src/nsNSSComponent.cpp
+++ b/security/manager/ssl/src/nsNSSComponent.cpp
@@ -985,49 +985,63 @@ typedef struct {
 } CipherPref;
 
 static CipherPref CipherPrefs[] = {
  /* SSL3/TLS cipher suites*/
  {"security.ssl3.rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5}, // 128-bit RC4 encryption with RSA and an MD5 MAC
  {"security.ssl3.rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with RSA and a SHA1 MAC
  {"security.ssl3.rsa_fips_des_ede3_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA and a SHA1 MAC (FIPS)
  {"security.ssl3.rsa_des_ede3_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA and a SHA1 MAC
+ {"security.ssl3.rsa_fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC (FIPS)
+ {"security.ssl3.rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC
+ {"security.ssl3.rsa_1024_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, // 56-bit RC4 encryption with RSA and a SHA1 MAC (export)
+ {"security.ssl3.rsa_1024_des_cbc_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA and a SHA1 MAC (export)
+ {"security.ssl3.rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5}, // 40-bit RC4 encryption with RSA and an MD5 MAC (export)
+ {"security.ssl3.rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5}, // 40-bit RC2 encryption with RSA and an MD5 MAC (export)
  /* Extra SSL3/TLS cipher suites */
  {"security.ssl3.dhe_rsa_camellia_256_sha", TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA}, // 256-bit Camellia encryption with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_camellia_256_sha", TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA}, // 256-bit Camellia encryption with DSA, DHE, and a SHA1 MAC
  {"security.ssl3.rsa_camellia_256_sha", TLS_RSA_WITH_CAMELLIA_256_CBC_SHA}, // 256-bit Camellia encryption with RSA and a SHA1 MAC
  {"security.ssl3.dhe_rsa_aes_256_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_aes_256_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with DSA, DHE, and a SHA1 MAC
  {"security.ssl3.rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with RSA and a SHA1 MAC
    /* TLS_DHE_DSS_WITH_RC4_128_SHA // 128-bit RC4 encryption with DSA, DHE, and a SHA1 MAC
       If this cipher gets included at a later time, it should get added at this position */
  {"security.ssl3.ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDHE-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDHE-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdhe_ecdsa_des_ede3_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDHE-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDHE-ECDSA and a SHA1 MAC
+ {"security.ssl3.ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA}, // No encryption with ECDHE-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDHE-RSA and a SHA1 MAC
  {"security.ssl3.ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDHE-RSA and a SHA1 MAC
  {"security.ssl3.ecdhe_rsa_des_ede3_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDHE-RSA and a SHA1 MAC
  {"security.ssl3.ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDHE-RSA and a SHA1 MAC
+ {"security.ssl3.ecdhe_rsa_null_sha", TLS_ECDHE_RSA_WITH_NULL_SHA}, // No encryption with ECDHE-RSA and a SHA1 MAC
  {"security.ssl3.ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDH-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDH-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdh_ecdsa_des_ede3_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDH-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDH-ECDSA and a SHA1 MAC
+ {"security.ssl3.ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA}, // No encryption with ECDH-ECDSA and a SHA1 MAC
  {"security.ssl3.ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA}, // 256-bit AES encryption with ECDH-RSA and a SHA1 MAC
  {"security.ssl3.ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with ECDH-RSA and a SHA1 MAC
  {"security.ssl3.ecdh_rsa_des_ede3_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with ECDH-RSA and a SHA1 MAC
  {"security.ssl3.ecdh_rsa_rc4_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA}, // 128-bit RC4 encryption with ECDH-RSA and a SHA1 MAC
+ {"security.ssl3.ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA}, // No encryption with ECDH-RSA and a SHA1 MAC
  {"security.ssl3.dhe_rsa_camellia_128_sha", TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_camellia_128_sha", TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with DSA, DHE, and a SHA1 MAC
  {"security.ssl3.rsa_camellia_128_sha", TLS_RSA_WITH_CAMELLIA_128_CBC_SHA}, // 128-bit Camellia encryption with RSA and a SHA1 MAC
  {"security.ssl3.dhe_rsa_aes_128_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_aes_128_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with DSA, DHE, and a SHA1 MAC
  {"security.ssl3.rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, // 128-bit AES encryption with RSA and a SHA1 MAC
  {"security.ssl3.dhe_rsa_des_ede3_sha", SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with RSA, DHE, and a SHA1 MAC
  {"security.ssl3.dhe_dss_des_ede3_sha", SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA}, // 168-bit Triple DES with DSA, DHE, and a SHA1 MAC
+ {"security.ssl3.dhe_rsa_des_sha", SSL_DHE_RSA_WITH_DES_CBC_SHA}, // 56-bit DES encryption with RSA, DHE, and a SHA1 MAC
+ {"security.ssl3.dhe_dss_des_sha", SSL_DHE_DSS_WITH_DES_CBC_SHA}, // 56-bit DES encryption with DSA, DHE, and a SHA1 MAC
+ {"security.ssl3.rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, // No encryption with RSA authentication and a SHA1 MAC
+ {"security.ssl3.rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, // No encryption with RSA authentication and an MD5 MAC
  {"security.ssl3.rsa_seed_sha", TLS_RSA_WITH_SEED_CBC_SHA}, // SEED encryption with RSA and a SHA1 MAC
  {nullptr, 0} /* end marker */
 };
 
 static void
 setNonPkixOcspEnabled(int32_t ocspEnabled, nsIPrefBranch * pref)
 {
   // Note: this preference is numeric vs bolean because previously we
@@ -1715,16 +1729,18 @@ nsNSSComponent::InitializeNSS(bool showW
 
     // init phase 3, only if phase 2 was successful
 
     if (problem_no_security_at_all != which_nss_problem) {
 
       mNSSInitialized = true;
 
       ::NSS_SetDomesticPolicy();
+      //  SSL_EnableCipher(SSL_RSA_WITH_NULL_MD5, SSL_ALLOWED);
+      //  SSL_EnableCipher(SSL_RSA_WITH_NULL_SHA, SSL_ALLOWED);
 
       PK11_SetPasswordFunc(PK11PasswordPrompt);
 
       // Register an observer so we can inform NSS when these prefs change
       mPrefBranch->AddObserver("security.", this, false);
 
       SSL_OptionSetDefault(SSL_ENABLE_SSL2, false);
       SSL_OptionSetDefault(SSL_V2_COMPATIBLE_HELLO, false);