Comments: H4.2 -- Usability Determines the Number of Users

Exactly my point ... usability trumps everything else. Putting your site on HTTPS makes it a pain to use (red bar, certificate error and all that crap).
And additionally, I don't think you achieve anything at all by having HTTPS, except maybe some sort of idealism that everything should be secure. But that is also lost by having a few images that are not secure. You can't have it both ways!

Posted by anonymous at June 22, 2008 08:21 PM

@anonymous
If you installed the root cert from www.cacert.org, you wouldn't have any problems using this blog.

The images' not being secure is part of a more general problem with https. I was at a site that displayed a secure iframe from the online order system. Now that may well be secure, but the user is left with no visible indication of security or lack thereof.

Some browsers will warn the user about insecure content displayed on a secure page, but not all of them. And sites like gmail like to mix and match secure and insecure modes. They have you enter your password by https, but then do your e-mail and so forth completely unsecured. What good is it to enter a password via a secure form if a plaintext cookie is used to verify identity once you have logged in?

I feel that to have any hope of security for an https session, a browser should have to obey the following restrictions when visiting a secure site:

* No external content should be displayed or loaded from a secure page, including images, dtds, scripts, frames. All content on a page must be authenticated with the same certificate.

* No form on a secure site should be allowed to post anything to any other site. The POST connection must be authenticated with the same certificate as the source page before any data is sent.

* No cookie that is set via https should ever be presented insecurely or to any other server than the one that set the cookie.

* Exceptions may be made only if the external site has a certificate with a valid chain of trust leading up to a certificate that identifies the original site.

But when people mix and match secure and insecure willy-nilly, the overall security is reduced to the lowest common denominator: insecure.

Posted by not-so-anonymous at June 27, 2008 11:24 AM
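The three restrictions proposed in the comment above (no insecure or foreign subresources on a secure page, no form posting elsewhere, no cookie set over https being sent in the clear) can be checked mechanically. The following is an added example, not code from the blog or from any commenter: a small checker that applies those rules to a page and its response headers. The host names, the sample HTML and the Set-Cookie headers are constructed for illustration.

```python
# Added example (not part of the original blog or comments): a checker that
# applies the restrictions proposed in the comment to a page served over
# HTTPS.  It flags subresources and form targets that would downgrade the
# session, and Set-Cookie headers lacking the Secure attribute.  The sample
# HTML, headers and the host "secure.example" are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes through which a page pulls in external content.
RESOURCE_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "frame": "src",
    "link": "href", "embed": "src", "object": "data",
}


class MixedContentChecker(HTMLParser):
    """Collects rule violations while parsing an HTML page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.origin = urlsplit(page_url)
        self.violations = []

    def _check_target(self, kind, tag, target):
        """Classify a resolved URL against the page's own origin."""
        url = urlsplit(urljoin(self.page_url, target))
        if url.scheme != "https":
            self.violations.append((kind, tag, "insecure scheme", url.geturl()))
        elif url.netloc != self.origin.netloc:
            # Same scheme but another host: not covered by the page's own
            # certificate, which is what the proposed rule forbids.
            self.violations.append((kind, tag, "external host", url.geturl()))

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in RESOURCE_ATTRS and attrs.get(RESOURCE_ATTRS[tag]):
            self._check_target("subresource", tag, attrs[RESOURCE_ATTRS[tag]])
        if tag == "form":
            # A missing action posts back to the page itself, which is fine.
            self._check_target("form", tag, attrs.get("action") or self.page_url)


def check_page(page_url, html):
    """Return the list of (kind, tag, reason, url) violations for one page."""
    checker = MixedContentChecker(page_url)
    checker.feed(html)
    checker.close()
    return checker.violations


def check_set_cookie(headers):
    """Return names of cookies set without the Secure attribute.

    Such a cookie is sent again on any plain-HTTP request to the same host,
    which is the "presented insecurely" case the comment describes."""
    leaking = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "secure" for p in parts[1:]):
            leaking.append(cookie_name)
    return leaking


# Constructed sample input: a login page that mixes secure and insecure content.
SAMPLE_URL = "https://secure.example/login"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="https://secure.example/logo.png">
<img src="https://images.example/banner.png">
<iframe src="http://secure.example/ads"></iframe>
<form method="post" action="https://secure.example/session">
  <input name="password" type="password"></form>
<form method="post" action="http://secure.example/search">
  <input name="q"></form>
</body></html>
"""
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "csrf=xyz; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for kind, tag, reason, url in check_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{kind:12} <{tag}> {reason}: {url}")
    print("cookies without Secure:", check_set_cookie(SAMPLE_HEADERS))
```

Run against the constructed page, the checker reports the http script, the image from a foreign host, the http iframe and the form posting over http, and names the session cookie as the one a browser would also send over plain HTTP. The fourth rule in the comment (exceptions for hosts whose certificate chains up to the original site) is deliberately not modelled, since it needs certificate inspection rather than URL inspection.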