I think the essence of my last post was lost in the screenshots. In particular, I am painfully aware of doron’s point that users don’t care about security. That’s not the point of this exercise. Instead, the point is to make sure that web content cannot be mistaken for browser chrome. This must involve (IMO at least) some sort of border around unsecure content. You can’t possibly put a trustable border around all the browser chrome, but you can put a trustable border around untrusted content. Whether or not users actually read the security info is unimportant. You no longer have the opportunity to spoof the master password dialog.