HTTPS but NOT encrypted?
Edit for the pcap: my theory does not hold; the other points are still valid.
I will keep my original, speculational, answer, but TL;DR: if resources are loaded via http, such a warning is warranted.
As the comments go, this seems to be a warning about non-https resources used on the website. This might trigger warnings of that kind and for a good reason:
If scripts are loaded in such a way, a man in the middle can inject scripts that compromise every interaction with such a website (and even more, in case of an exploit being available to the attacker for your browser). Additionally, even other resources could lead to code being executed that was not intended to run in that context.
Now my original answer: This might be a downgrade attack that is allowed by Microsoft.
First off: TLS has two different purposes:
- to authenticate the server (and optionally the client) via a public key infrastructure.
- to evaluate which encryption capabilities server and client share and choose one of them over an insecure connection.
While the server has been authenticated, it seems that the server and you have established a plain text „encryption“.
Secondly: this might be useful if the client (or server) has very limited computational capabilities. As a mean to allowing access (availability) over secrecy, this can be useful.
Thirdly, my speculation: In this case, it is possible that bing is only allowed operation in China as long as the great firewall can look inside the traffic. Thus, Microsoft might have chosen availability over secrecy, making use of the plain text option to allow for deep packet inspection by the GFC.
It's not only in Edge, but also IE and Chrome. The reason is now clear: MS does serve content over insecure connections, at least in China. As the Mixed content
warnings at the bottom right of the screen shot below indicate, the page requests images over HTTP, making it insecure:
How could this happen? HTTPS but not encrypted, and with SSL certificate?
There are three ways I can think of that this could happen.
The server is purposefully configured with a null protocol, which is technically allowed under HTTPS, although highly discouraged.
The server is configured with a proper encryption protocol, but has a weakness that allows a hacker to launch a downgrade attack. Such a weakness was found a year or two ago in OpenSSL (see this article) which is a very popular code base on which many web servers are based. There are other attacks as well.
You are in a network environment (which might be all of China) where connections to Bing are intercepted and you are served content with a certificate that is not the original certificate. This sort of setup is common in corporate environments (see this question for details). It would require that your laptop contain a root certificate that is controlled by the party that is performing the interception, e.g. a Chinese CA, which could then issue a certificate that looks exactly like it is owned by Bing.