We will be doing maintenance work on Vivaldi Translate on the 11th of May starting at 03:00 (UTC) (see the time in your time zone).
Some downtime and service disruptions may be experienced.
Thanks in advance for your patience.
Hide EV certificate badge in url field
-
@Gwen-Dragon Often, many users don't actually know what this means. You or me may recognise the significance, but I know plenty of ordinary users who would not even notice the difference between a regular padlock and an EV certificate.
Many browsers are now phasing this technology out as it is security theatre, and some browsers just plain don't support it.
Placing more focus on the domain in the URL will be helpful for spotting phishing.
-
I would happily swap the cert info for DANE validation info which makes more sense to end users.
Certificates can be as secure as possible, but with no validation that the domain you are on matches the correct IP, it is worthless. -
Here are more pro-arguments by security experts:
- https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
- https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/
- https://www.troyhunt.com/extended-validation-certificates-are-dead/
- https://stripe.ian.sh/
FWIW, Chrome has tested this already (and has a flag for it, which doesn't work in Vivaldi unfortunately) and Brave browser has this feature enabled by default.
-
You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.
The purpose of EV certificates is precisely that. To display the full company name and location that was approved for that certificate. You can't just go and buy an EV without actually passing some certification that includes proving the company is real, the process is manual and attackers don't like anything manual because they it costs them time as opposed to automated things.
If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.
-
Security theater? The only persons that hate his are phishing authors and hackers as it makes their job harder. Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar. They might not know what or how it works, but they will noticed something is off. Same goes for their banking sites and other major sites. You cannot fake that. Anything phishing authors can't fake unless they already compromised your browser or computer is not a security theather but improves visibility while browsing online.
-
@Pesala said in Hide EV certificate badge in url field:
@Gwen-Dragon The request is not to remove the information, just to move it to a tooltip to save space in the URL field.
Let's be honest here, the fast majority of users have no clue what it means. Those who do can hover the green padlock to see the details.
That is the same as removing it. If you are saying most users have no clue what it means, how many of them do you think will click on it to see if its displaying the company name? Hiding security elements that make the URL or web address more secure is not a feature but a downgrade. People don't remember things that are not visible all the time when it comes to GUI and interfaces. Forcing users to click on the URL bar in order to check if they are on their major banking site and verify if its the proper website is a disservice and just helps more people being tricked into phishing pages.
-
You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.
Yet not all payment systems use EV and real people do not stop the payment process if they don't see EV, because they don't always look for it and they still see the lock itself. Some antiviruses prevent the display of any EV, too.
If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.
Brave has it by default, Edge has had it (not sure about the Chromium-based one), Chrome has tested it with real users and every mobile browser currently does not display EV, even Safari removed it.
Please have a look at the articles I linked above, they explain the arguments against EV in detail.
-
@terere I think you're overreacting here.
I'm not asking to remove the green padlock icon. So a clear indicator of the secure connection is still there, isn't it?
My suggestion focusses on the (quite few) websites that use these extended certificates where the certficate holder may not necessarily reflect the URL. The only thing I'm suggesting here is that this "extended" certificate information, which I deem superfluous, is moved to a tooltip.Practical example:
- Keep the green padlock icon indicating the secure (not necessarily safe!) connection,
- Hide the extended information "Vivaldi Technologies AS (NO)"
- Introduce a mouse over tooltip showing the Extended Certificate Information, i.e. "Vivaldi Technologies AS (NO)"
No harm done, less clutter and more spave available for the vigilant user to keep a close watch on nasty long URL's in the address bar.
-
@S_Paternotte
Hi, you can hide it or it is hide for me.
Address bar settings seams not influence it.
Is it may different in Windows?
Opensuse Tumbleweed x86_64
CPU i7-3520M 8 GB
GPU Intel HD4000
xf86-video-intel 2.99.917-6.1
KDE Plasma 5.59.0-1.1
Vivaldi: 2.7.1594.4 (Official Build) snapshot (64-bit)Cheers, mib
Opensuse Tumbleweed x86_64 KDE 6.2 X11, Windows 11 Pro, Vivaldi latest
HP Probook Intel(R) i5-8350U 16 GB, GPU UHD 620, SSD 256 GB
Miniforum-B550 AMD Ryzen 7 4700G 16 GB, Radeon Graphics
Redmi Note 14, HyperOS Android 14 -
@mib2berlin See here: https://nos.nl/
-
@mib2berlin or look at https://vivaldi.com/, which was the example I was using
-
Oh, OK, sorry for the noise.
Cheers, mib
-
@terere said in Hide EV certificate badge in url field:
Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar
Which name? Both of my main Web browsers on mobile just show "apple.com" and leave it at that.
As for other sites, so many use a random name of the umbrella company that owns the company that runs the site that I think it is unrealistic for a user, who may be totally new to a website, to know which name they expect to see the first time they visit a site.
-
Personally I wouldn't use what Chrome do or want to do as a good example, as they want to hide everything, such as HTTP/HTTPS WWW and the section of the site you are on.
If Google have their way all you will see is the domain name and no extension, eg.
www.vivaldi.com and www.vivaldi.net would just show as vivaldi.
This is the company that decided having a switch to enable/disable certificate revocation was "too confusing" so hid it and removed it from the advanced settings.Yes Malware authors have gameified the system by also buying certificates.
Until an alternative is in use we still need to see the details, or you may as well not bother with certificates at all.
It's not like Chrome will check properly for revocation or validity anyway.
Personally I would rather that the system is fixed instead of ignored. -
Troy Hunt (Owner of Have you been pwnd) said on Twitter:
Twitter friends, please ask a non-tech person and answer honestly: Do they recognise an EV cert and behave differently to DV only?
4% Yes, they look for EV
37% No, just need a padlock
59% Huh, what's a cert?
2,893 votes β’ Final results -
@Pesala said in Hide EV certificate badge in url field:
Troy Hunt (Owner of Have you been pwnd) said on Twitter:
Twitter friends, please ask a non-tech person and answer honestly: Do they recognise an EV cert and behave differently to DV only?
4% Yes, they look for EV
37% No, just need a padlock
59% Huh, what's a cert?
2,893 votes β’ Final resultsPlease ask a non-tech person? I'm pretty sure you can ask non tech people what a browser is and they reply its Google:
https://www.youtube.com/watch?v=o4MwTvtyrUQHow in the world does this have value? If I want to know something about rockets I ask someone working at NASA not a cook. The value and opinion of non tech users have no value in suggestions or recommendations on what works and does not work when it comes to security online. A non tech person does not even know what a URL is, let alone phishing, otherwise they would not fall for it.
Troy Hunt purposely makes things like this in a very deceiving way and calls himself a security expert to promote his name.. He is a blogger and nothing else, certainly not a security expert in my book.
-
@LonM said in Hide EV certificate badge in url field:
@terere said in Hide EV certificate badge in url field:
Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar
Which name? Both of my main Web browsers on mobile just show "apple.com" and leave it at that.
As for other sites, so many use a random name of the umbrella company that owns the company that runs the site that I think it is unrealistic for a user, who may be totally new to a website, to know which name they expect to see the first time they visit a site.
A user totally new to a website would not know the difference between the real domain or not, if its using an SSL or not so what is the point here? If I go to my banking site that has used an EV certificate since day one and suddenly I see its gone, it will draw my attention and I will take a second look at the URL to see if I'm in the correct address. Claiming that a security cue that hackers can't fake directly has no in a proper secured browser has no added benefit is like claiming we don't need the URL bar at all or even domains. Let just get rid of domains completely like Google once promoted saying they have no use anymore. Lets just jump start all the Internet surfing from Google directly and not let people type any address manually and problem solved. I'm sure that is not an approach most people would support. Getting rid of things that help identify a website or domain is not positive.
-
@Dr-Flay said in Hide EV certificate badge in url field:
Personally I wouldn't use what Chrome do or want to do as a good example, as they want to hide everything, such as HTTP/HTTPS WWW and the section of the site you are on.
If Google have their way all you will see is the domain name and no extension, eg.
www.vivaldi.com and www.vivaldi.net would just show as vivaldi.
This is the company that decided having a switch to enable/disable certificate revocation was "too confusing" so hid it and removed it from the advanced settings.Yes Malware authors have gameified the system by also buying certificates.
Until an alternative is in use we still need to see the details, or you may as well not bother with certificates at all.
It's not like Chrome will check properly for revocation or validity anyway.
Personally I would rather that the system is fixed instead of ignored.That is the point of EV certificates. You cannot just go and buy some EV certificate online and launch your instant phishing site automatically. The whole process is manual, takes a few days and requires someone to fake multiple legal papers and supplant the ID of an organization. Can it be done? Of course, but its a pain in the ass and this is why I have never saw a phishing site using an EV certificate, EVER since the Internet exists.
Any process that can't be automated is a hackers nightmare because they don't have the time unless its a very specific targeted attack. Those attacks are rare and are usually expensive corporate or government attacks. Just as those malware that steal code signing certificates. The process does help in security. If I download a software from Microsoft and suddenly its signed by another company, I will say no. And the certificate can also be revoked once the existing company finds out. Certificates work and I'm surprised some here claim that a more complex certificate with extended validation has no real value. How many here claiming that have purchased one before? If they did they would know how the work and the process to get them.
-
@madiso said in Hide EV certificate badge in url field:
You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.
Yet not all payment systems use EV and real people do not stop the payment process if they don't see EV, because they don't always look for it and they still see the lock itself. Some antiviruses prevent the display of any EV, too.
If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.
Brave has it by default, Edge has had it (not sure about the Chromium-based one), Chrome has tested it with real users and every mobile browser currently does not display EV, even Safari removed it.
Please have a look at the articles I linked above, they explain the arguments against EV in detail.
Precisely. Are you aware how most phishing attacks happen today? Do you how the Clintons and the democrats had their system compromised? Mobile phones !!! Every single high profile hack received a phishing mail first on their phone.
The reason why phishing specific targets is easy today is because people use their mobile phones to check most of their emails. Most email clients on phones are horrible in security, you can completely fake HTML emails coming from Google or Microsoft asking the user to reset their password while in reality you are just sending them to a phishing site to get the real one. They don't display the things they should, like the links from the site it pulls the content or the headers.
The % per year that phishing is raising has increased at same rate over the years as people started to use smartphones. Phishing is raising and the way browsers are designed on phones are to blame. Mobile browsers completely hide the URL and give almost no relevant to the domain name, the most important to identify the location you are on the Internet. This is why its easy to phish people on mobile phones because Chrome basically decided to make the most important part of browsing online invisible on phones to save some screen real state. Every other browser copied Chrome, that includes the bad things ! Not having the full domain visible at all times while browsing or opening links in your phone is what makes it so easy to hack and trick people into phishing sites. Its far more complex to phish people on desktops.
-
@terere said in Hide EV certificate badge in url field:
A non tech person does not even know what a URL is, let alone phishing, otherwise they would not fall for it.
Well, that's the point of this feature request. Since most users are not security experts showing the EV badge in the URL serves no purpose for them β it is just clutter.
If the details are available in badge popup, the experts can see the information with one click.
As soon as you resorted to character assassination, you already lost the argument in my book.
