
They currently are more of a security risk because if you tell the user their connection is secure when it's not (no verification of self-signed certs) you impart a false sense of safety.


If anything, we should have a huge "you cannot pass this page" warning if the page we are trying to access is not served over HTTPS.

Instead we have a system where we do nothing when you access a page that is not secure, and put up an obnoxious warning when you access a page that is somewhat more secure.


If you perform certificate pinning, self-signed can be just as secure. I wish the message was slightly less scary, perhaps saying as SSH does, "you've never visited this site before, do you trust this certificate?"


(user clicks "yes" and proceeds oblivious)


as opposed to unencrypted HTTP?


I can teach my computer illiterate grandma simply "never do email unless the address bar is green", she can remember that.

As opposed to: Never do email unless the address bar is green, except when:

- It's the first time you visit the web site
- You use another browser
- You bought a new computer/tablet/phone, reinstalled your computer etc.
- You accidentally cleared your browser history
- You are on a public wifi the very first time you visit a web site.
- The website changed their certificate since last time you used it.
- You happen to be unlucky and even at home you are under a MITM attack the very first time you visit the page.

The last bullet is especially troublesome because even a programmer would have a hard time judging that one.
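As an added illustration that is not part of the thread, here is the SSH-style trust-on-first-use (TOFU) pinning check that the earlier comment proposes for self-signed certificates, walked through the situations the bullet list above enumerates: first visit, repeat visit, browser restart, a changed certificate, and a fresh device or cleared history. The certificate bytes, the host name `mail.example` and the `PinStore` class are constructed for this example; a real client would obtain the DER bytes from `sock.getpeercert(binary_form=True)`.

```python
import hashlib
import hmac
import json
import os
import tempfile
from enum import Enum
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded certificates. Only their SHA-256
# fingerprint is pinned, so the content itself does not matter here.
CERT_A = b"constructed-self-signed-cert-A"
CERT_B = b"constructed-self-signed-cert-B"


class PinResult(Enum):
    FIRST_SEEN = "first_seen"  # no pin yet: the "do you trust this certificate?" moment
    MATCH = "match"            # presented fingerprint equals the stored pin
    MISMATCH = "mismatch"      # cert changed: rotation or MITM, the client cannot tell which


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of the raw certificate bytes, hex encoded."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """Trust-on-first-use pin store mapping host -> certificate fingerprint (hypothetical)."""

    def __init__(self, path: Optional[str] = None):
        self.path = path
        self.pins: Dict[str, str] = {}
        if path and os.path.exists(path):
            with open(path, encoding="utf-8") as f:
                self.pins = json.load(f)

    def _save(self) -> None:
        if self.path:
            with open(self.path, "w", encoding="utf-8") as f:
                json.dump(self.pins, f)

    def check(self, host: str, der_cert: bytes) -> PinResult:
        """Compare the presented certificate against the pin stored for this host."""
        pinned = self.pins.get(host)
        if pinned is None:
            return PinResult.FIRST_SEEN
        if hmac.compare_digest(pinned, fingerprint(der_cert)):
            return PinResult.MATCH
        return PinResult.MISMATCH

    def trust(self, host: str, der_cert: bytes) -> None:
        """Record the user's explicit decision to trust this certificate."""
        self.pins[host] = fingerprint(der_cert)
        self._save()


def simulate_visits() -> List[PinResult]:
    """Walk through the situations the thread lists and return each check's result."""
    workdir = tempfile.mkdtemp()
    pin_file = os.path.join(workdir, "pins.json")
    host = "mail.example"  # hypothetical host name
    results = []

    store = PinStore(pin_file)
    results.append(store.check(host, CERT_A))  # first visit: nothing to compare against
    store.trust(host, CERT_A)                  # user answers "yes"
    results.append(store.check(host, CERT_A))  # repeat visit, same certificate

    store = PinStore(pin_file)                 # browser restarted: pins reloaded from disk
    results.append(store.check(host, CERT_A))

    results.append(store.check(host, CERT_B))  # site rotated its cert, or someone is in the middle

    store = PinStore(os.path.join(workdir, "empty.json"))  # new device or cleared history
    results.append(store.check(host, CERT_B))  # back to square one, even if this is the attack
    return results


if __name__ == "__main__":
    for r in simulate_visits():
        print(r.value)
```

The two MISMATCH and FIRST_SEEN cases at the end are the point of the bullet list: the pin store detects a changed certificate only while a pin exists, and it cannot distinguish a legitimate rotation from interception, so every "first visit" from a fresh store is unprotected.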


Telling the user nothing would not impart a false sense of safety.

Heck, why not mark HTTP as insecure, don't mark self-signed HTTPS, and mark CA HTTPS as 'secure'?

Of course, CA HTTPS is not really secure at all, but that's another discussion entirely.


Then don't tell them it's secure? Just hide the https:// and don't show any padlock icon, neither broken nor locked.



