diff --git a/security/manager/ssl/nsISecretDecoderRing.idl b/security/manager/ssl/nsISecretDecoderRing.idl
index 90f0e5b3ff75..e9f67cbeeb9c 100644
--- a/security/manager/ssl/nsISecretDecoderRing.idl
+++ b/security/manager/ssl/nsISecretDecoderRing.idl
@@ -9,19 +9,27 @@
 interface nsISecretDecoderRing: nsISupports {
   /**
    * Encrypt to Base64 output.
+   * Note that the input must basically be a byte array (i.e. the code points
+   * must be within the range [0, 255]). Hence, using this method directly to
+   * encrypt passwords (or any text, really) won't work as expected.
+   * Instead, use something like nsIScriptableUnicodeConverter to first convert
+   * the desired password or text to UTF-8, then encrypt that. Remember to
+   * convert back when calling decryptString().
    *
    * @param text The text to encrypt.
    * @return The encrypted text, encoded as Base64.
    */
-  ACString encryptString(in AUTF8String text);
+  ACString encryptString(in ACString text);
 
   /**
    * Decrypt Base64 input.
+   * See the encryptString() documentation - this method has basically the same
+   * limitations.
    *
    * @param encryptedBase64Text Encrypted input text, encoded as Base64.
    * @return The decoded text.
    */
-  AUTF8String decryptString(in ACString encryptedBase64Text);
+  ACString decryptString(in ACString encryptedBase64Text);
 
   /**
    * Prompt the user to change the password on the SDR key.