As it is now, you are not notified of security issues when you have no security whatsoever. HTTP sites should be given a dire, red warning because they represent the least secure position online. An SSL site with an expired certificate is far more desirable than an HTTP website.
Green should represent proper SSL certificates, as it does now.
But there's one more problem with SSL/HTTPS sites that nobody talks about: the fake SSL certificate. Your browser *probably* trusts a multitude of SSL certificate vendors, and *any* of them can issue a certificate for *any* domain.
So there are literally hundreds of SSL certificate vendors that could issue a cert for google.com or whatever, and you wouldn't know. If the NSA offered a bit of $$ to a commonly trusted (but otherwise unheard of) certificate vendor to issue a few certificates to be used discreetly...
See the problem?
If I go to Thawte or RapidSSL to get a cert, I should have the ability to publish my vendor of choice, and nobody else's certificates should be considered trustworthy. Similarly, I should be able to publish revoked certificates the same way.
Why hasn't this already been done?
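The client half of what the comment asks for, as an added example that is not part of the original post: a check that accepts a site's certificate only if it is unexpired and issued by the vendor the site has published. The certificate is taken in the dict form that Python's `ssl.SSLSocket.getpeercert()` returns; the `EXPECTED_ISSUERS` table and the three sample certificates are constructed stand-ins for a published pin and for real server certificates.

```python
import ssl
from datetime import datetime, timezone

# Constructed policy: hostname -> organizationName values of the CAs the site
# owner says may issue for it. Stands in for however the pin would be published.
EXPECTED_ISSUERS = {"example.com": {"Example Trust Services"}}

def issuer_org(cert):
    """Pull organizationName out of the issuer RDN sequence of a getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def cert_is_expired(cert, now=None):
    """True if notAfter (in getpeercert()'s 'Mon DD HH:MM:SS YYYY GMT' form) is past."""
    now = now or datetime.now(timezone.utc)
    return ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp()

def check_pinned_issuer(hostname, cert, now=None):
    """Return (ok, reason): ok only for an unexpired cert from a pinned issuer."""
    if cert_is_expired(cert, now):
        return False, "certificate expired"
    allowed = EXPECTED_ISSUERS.get(hostname)
    if allowed is None:
        return True, "no pin published; default CA trust applies"
    org = issuer_org(cert)
    if org in allowed:
        return True, f"issuer {org!r} matches the published pin"
    return False, f"issuer {org!r} is not in the published allowlist {sorted(allowed)}"

# Constructed sample certificates in getpeercert() layout.
SUBJECT = ((("commonName", "example.com"),),)
GOOD_CERT = {"subject": SUBJECT, "notAfter": "Jan  1 00:00:00 2099 GMT",
             "issuer": ((("organizationName", "Example Trust Services"),),)}
ROGUE_CERT = {"subject": SUBJECT, "notAfter": "Jan  1 00:00:00 2099 GMT",
              "issuer": ((("organizationName", "Unheard Of CA Ltd"),),)}
EXPIRED_CERT = {"subject": SUBJECT, "notAfter": "Jan  1 00:00:00 2015 GMT",
                "issuer": ((("organizationName", "Example Trust Services"),),)}

def demo():
    """Evaluate the three samples; returns the (ok, reason) pairs."""
    results = [check_pinned_issuer("example.com", c) for c in (GOOD_CERT, ROGUE_CERT, EXPIRED_CERT)]
    for ok, reason in results:
        print("accept" if ok else "reject", "-", reason)
    return results

if __name__ == "__main__":
    demo()
```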