Based on the https://badssl.com test site, some suggestions on SSL certificate warnings:
- wrong host warning (the wrong.host test) should probably say something specific about it being for the wrong website, rather than just being a generic warning.
- self-signed warning should probably say something about the certificate not having any way to validate it is who it says it is.
- untrusted root should have a similar explanation.
- The 10k SANs test shows a standard "Webkit" error rather than a branded Orion one - not sure if this is intended or not (https://10000-sans.badssl.com/)
- Subjective one - Orion loads "mixed" content (i.e. HTTPS page, fetching in plain HTTP content on the page). It appears to only allow static content though, and won't let scripts load. It seems Chrome was planning to raise the bar on this, but it doesn't seem to have happened yet.
- Orion still allows 3DES ciphers (Firefox and Chrome don't) - https://3des.badssl.com/, though Safari still allows it.
There is probably a valid question around whether to change this or not - there have been various scenarios in the past where "smarter" errors end up causing issues, as they didn't stack properly - an "expired, wrong-host" certificate should not just show an "expired" message; it should show a "wrong-host" message (if only 1 is shown). Just flagging these in case any are helpful.
