You've just installed the mostly estimable Firefox 3. Now you proceed to make an online purchase and head straight for the checkout page. The page claims to be secure, but...whoa! Where's the little lock that used to be to the right of the address? Why isn't the entire address yellow, signifying a secure site? Because, in the words of the immortal Dr. John, "Somebody changed the lock."

Oh, it's still around. It just moved to the status bar down in the lower-right corner of the window. You can almost see the justification for the change: Showing the lock there has a long history, particularly with Internet Explorer. You could argue that a lock in that spot is the de facto indicator of a secure page, and that it's simpler to tell users to look there for the icon. But putting the lock beside the address makes so much sense that Microsoft moved it to that spot in Internet Explorer 7. Smart move. Firefox should have stuck to its guns.

But no. In what's meant to be an improvement, the new browser dumps the yellow address bar for clickable color-coded "Instant Web Site ID" indicators that appear at the left of the URL. They're supposed to improve security reporting, but in reality they're hopelessly geeky and confusing. How geeky? A green background for a site's icon signifies that the page supplies identity information and is encrypted. Blue means the site is encrypted but doesn't supply identity info. Gray is for sites that don't report much of anything at all.

Unfortunately, the identity info Firefox looks for is something called an Extended Validation Certificate, which most sites simply don't supply. Good-to-go green icon background? You won't see it at Amazon, Bank of America, Google, and Wells Fargo--or even Mozilla.org itself. Click, and you discover that 'This web site does not supply identity information.'

Things can get even weirder. Buy.com's home page is no-info-supplied gray. Hit the sign-in page, and you're in the secure-and-identified green.

Gmail? Blue, at least to start. The sign-in is encrypted, but it's 'run by (unknown)'--uh, hardly. If you log in the standard way, the icon's background turns gray, giving you a clue that your session has no encryption, a bad idea if you happen to be on an insecure Wi-Fi network. (You can make sure that your connection to Gmail is true-blue secure by starting at https://mail.google.com, or go into the settings and choose a secure connection by default.) That switch from a blue background to a gray one offers useful information, but the effect is a lot easier to miss than the yellow-to-white transformation of the entire address box, as in Firefox 2. Like Vista's in-your-face User Account Control, this is the kind of hopeless user "protection" that's so confusing it will largely be ignored.

It's also the kind of change that seems a lot better in developers' PowerPoint slides than in their code. Microsoft remains the undisputed leader in this sort of feckless alteration, from the "personalized" (more like disappearing) menus of Windows and older Office versions to Office 2007's dictatorial "Menus are bad for you" design, which has undoubtedly prompted a steep rise in the world's usage of foul language. And virtually every time anybody's browser undergoes an update, the designers insist on changing the look of the icons and buttons, and moving them around in ways that are always far more annoying than helpful.

Firefox 3 has many real improvements, including a far better method of handling passwords and a "smart location bar" that remembers sites you've visited the instant you start typing. I just wish its designers had quit when they were ahead.