===== This Padlock-Or-Eye Add-On was a User Interface Experiment.
===== I recommend you should switch to my other, primary Padlock addon.===== That other Padlock Add-On can show an "eye", too :) (see preferences)
Description of this experimental Addon:
Depending on the encryption and identification status of your connection to a site, this addon will show a padlock or an eye in the URL bar, to the left of the site address.
When viewing content from a remote site without using encryption, the URL bar will show an eye icon, reminding you that other people might be able to look at your data easily.
When viewing content from a remote site using the https protocol, the connection is supposed to be encrypted. However, the security of your connection also depends on being able to verify the identity of the remote site. If the site uses a domain validated identification certificate, this addon will display a golden padlock icon (in addition to the blue identity button shown by Firefox).
Some sites have invested more time and money to get their identity verified and are using an Extended Validation certificate. This addon will display a green padlock for such sites (in addition to the green identity button shown by Firefox).
However, sometimes web sites are configured incorrectly and they use a mix of encrypted, incorrectly identified or unencrypted content. When Firefox encounters such a site, it will drop the colors in the identity button. In past versions of Firefox, some variation of a broken padlock was displayed, either with an exclamation mark, or with a red strikeout, or similar. In order to follow the idea of the Padlock-Or-Eye addon, it will show a new variation. It will show a red padlock, combined with an eye that has a red pupil, to remind you that something is going wrong.
The intention of using the red color is to attract your attention. Often, when visiting a secure page, you might check that security indicators are present, but often, people only do so at the beginning of a session. While performing your transactions at a site, most people don't recheck the indicators each time they click. When indicators are simply being dropped, this might go unnoticed. Showing a red icon, which usually isn't being shown, hopefully draws your attention to this new state.
Finally, when viewing content that is stored on your local computer or local network (about:, chrome: and file: protocols), no icon will be shown.
You might ask, "Why an eye?". This is to remind us, that without encryption, hackers, IT staff or Firesheep users might be able to view our data quite easily.
You might ask, "Why do you still suggest a padlock?". I know the argument that the padlock might be misleading. I agree that showing a padlock alone is not sufficient, because the world is more complex than telling users "you're secure" or "you're not secure". It's a good idea to show additional information, but in my opinion, this intention doesn't justify removing a well known indicator altogether. I welcome the introduction of the new identity button that gives additional information about the level of identity verification that has been performed. On the other hand, in order to get a padlock, the connection must be encrypted and we must have verified a site is using a certificate that demonstrates domain ownership, so in my opinion, showing a padlock still has value. Furthermore, that's what people are used to and have been trained to look for. In my opinion it's a reasonable approach to use a padlock icon to draw the attention to the area where identity information is displayed.