In Web browsers showing whether something is secure is the browser's job, because the Web site could fake it (or be mistaken more easily than the browser). I think the same principle should apply here: security should be shown in the chrome, not in the SSO page.
An ideal fix will need to wait until bug 618817 is fixed, but a simple fix now would be to stick a padlock icon in the status bar of the payment window.
In Web browsers showing whether something is secure is the browser's job, because the Web site could fake it (or be mistaken more easily than the browser). I think the same principle should apply here: security should be shown in the chrome, not in the SSO page.
An ideal fix will need to wait until bug 618817 is fixed, but a simple fix now would be to stick a padlock icon in the status bar of the payment window.