Hide EV certificate badge in url field
-
@mib2berlin or look at https://vivaldi.com/, which was the example I was using
-
Oh, OK, sorry for the noise.
Cheers, mib
-
@terere said in Hide EV certificate badge in url field:
Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar
Which name? Both of my main Web browsers on mobile just show "apple.com" and leave it at that.
As for other sites, so many use a random name of the umbrella company that owns the company that runs the site that I think it is unrealistic for a user, who may be totally new to a website, to know which name they expect to see the first time they visit a site.
-
Personally I wouldn't use what Chrome do or want to do as a good example, as they want to hide everything, such as HTTP/HTTPS, WWW and the section of the site you are on.
If Google have their way all you will see is the domain name and no extension, e.g.
www.vivaldi.com and www.vivaldi.net would just show as vivaldi.
This is the company that decided having a switch to enable/disable certificate revocation was "too confusing" so hid it and removed it from the advanced settings. Yes, malware authors have gamified the system by also buying certificates.
Until an alternative is in use we still need to see the details, or you may as well not bother with certificates at all.
It's not like Chrome will check properly for revocation or validity anyway.
Personally I would rather that the system is fixed instead of ignored.
-
Troy Hunt (Owner of Have you been pwnd) said on Twitter:
Twitter friends, please ask a non-tech person and answer honestly: Do they recognise an EV cert and behave differently to DV only?
4% Yes, they look for EV
37% No, just need a padlock
59% Huh, what's a cert?
2,893 votes • Final results
-
@Pesala said in Hide EV certificate badge in url field:
Troy Hunt (Owner of Have you been pwnd) said on Twitter:
Twitter friends, please ask a non-tech person and answer honestly: Do they recognise an EV cert and behave differently to DV only?
4% Yes, they look for EV
37% No, just need a padlock
59% Huh, what's a cert?
2,893 votes • Final results
Please ask a non-tech person? I'm pretty sure you can ask non-tech people what a browser is and they reply it's Google:
https://www.youtube.com/watch?v=o4MwTvtyrUQ
How in the world does this have value? If I want to know something about rockets I ask someone working at NASA, not a cook. The value and opinion of non-tech users have no value in suggestions or recommendations on what works and does not work when it comes to security online. A non-tech person does not even know what a URL is, let alone phishing, otherwise they would not fall for it.
Troy Hunt purposely makes things like this in a very deceiving way and calls himself a security expert to promote his name. He is a blogger and nothing else, certainly not a security expert in my book.
-
@LonM said in Hide EV certificate badge in url field:
@terere said in Hide EV certificate badge in url field:
Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar
Which name? Both of my main Web browsers on mobile just show "apple.com" and leave it at that.
As for other sites, so many use a random name of the umbrella company that owns the company that runs the site that I think it is unrealistic for a user, who may be totally new to a website, to know which name they expect to see the first time they visit a site.
A user totally new to a website would not know the difference between the real domain or not, or whether it's using SSL or not, so what is the point here? If I go to my banking site that has used an EV certificate since day one and suddenly I see it's gone, it will draw my attention and I will take a second look at the URL to see if I'm at the correct address. Claiming that a security cue that hackers can't fake directly has no added benefit in a properly secured browser is like claiming we don't need the URL bar at all, or even domains. Let's just get rid of domains completely like Google once promoted, saying they have no use anymore. Let's just start all Internet surfing from Google directly and not let people type any address manually, and problem solved. I'm sure that is not an approach most people would support. Getting rid of things that help identify a website or domain is not positive.
-
@Dr-Flay said in Hide EV certificate badge in url field:
Personally I wouldn't use what Chrome do or want to do as a good example, as they want to hide everything, such as HTTP/HTTPS WWW and the section of the site you are on.
If Google have their way all you will see is the domain name and no extension, eg.
www.vivaldi.com and www.vivaldi.net would just show as vivaldi.
This is the company that decided having a switch to enable/disable certificate revocation was "too confusing" so hid it and removed it from the advanced settings. Yes, malware authors have gamified the system by also buying certificates.
Until an alternative is in use we still need to see the details, or you may as well not bother with certificates at all.
It's not like Chrome will check properly for revocation or validity anyway.
Personally I would rather that the system is fixed instead of ignored.
That is the point of EV certificates. You cannot just go and buy some EV certificate online and launch your instant phishing site automatically. The whole process is manual, takes a few days and requires someone to fake multiple legal papers and supplant the ID of an organization. Can it be done? Of course, but it's a pain in the ass, and this is why I have never seen a phishing site using an EV certificate, EVER, since the Internet has existed.
Any process that can't be automated is a hacker's nightmare because they don't have the time unless it's a very specific targeted attack. Those attacks are rare and are usually expensive corporate or government attacks. Just as with the malware that steals code signing certificates. The process does help in security. If I download software from Microsoft and suddenly it's signed by another company, I will say no. And the certificate can also be revoked once the existing company finds out. Certificates work and I'm surprised some here claim that a more complex certificate with extended validation has no real value. How many here claiming that have purchased one before? If they did they would know how they work and the process to get them.
-
@madiso said in Hide EV certificate badge in url field:
You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.
Yet not all payment systems use EV and real people do not stop the payment process if they don't see EV, because they don't always look for it and they still see the lock itself. Some antiviruses prevent the display of any EV, too.
If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.
Brave has it by default, Edge has had it (not sure about the Chromium-based one), Chrome has tested it with real users and every mobile browser currently does not display EV, even Safari removed it.
Please have a look at the articles I linked above, they explain the arguments against EV in detail.
Precisely. Are you aware how most phishing attacks happen today? Do you know how the Clintons and the Democrats had their system compromised? Mobile phones!!! Every single high-profile hack received a phishing mail first on their phone.
The reason why phishing specific targets is easy today is because people use their mobile phones to check most of their emails. Most email clients on phones are horrible in security; you can completely fake HTML emails coming from Google or Microsoft asking the user to reset their password while in reality you are just sending them to a phishing site to get the real one. They don't display the things they should, like the links from the site it pulls the content from, or the headers.
The percentage per year by which phishing is rising has increased at the same rate over the years as people started to use smartphones. Phishing is rising and the way browsers are designed on phones is to blame. Mobile browsers completely hide the URL and give almost no relevance to the domain name, the most important thing to identify your location on the Internet. This is why it's easy to phish people on mobile phones, because Chrome basically decided to make the most important part of browsing online invisible on phones to save some screen real estate. Every other browser copied Chrome, and that includes the bad things! Not having the full domain visible at all times while browsing or opening links on your phone is what makes it so easy to hack and trick people into phishing sites. It's far more complex to phish people on desktops.
-
@terere said in Hide EV certificate badge in url field:
A non tech person does not even know what a URL is, let alone phishing, otherwise they would not fall for it.
Well, that's the point of this feature request. Since most users are not security experts, showing the EV badge in the URL serves no purpose for them – it is just clutter.
If the details are available in badge popup, the experts can see the information with one click.
As soon as you resorted to character assassination, you already lost the argument in my book.
-
@madiso said in Hide EV certificate badge in url field:
Here are more pro-arguments by security experts:
- https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
- https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/
- https://www.troyhunt.com/extended-validation-certificates-are-dead/
- https://stripe.ian.sh/
FWIW, Chrome has tested this already (and has a flag for it, which doesn't work in Vivaldi unfortunately) and Brave browser has this feature enabled by default.
None of those persons are security experts; they are bloggers and nothing else. All they do is attack EV certificates because of the value, not because of the security. That is fine, they are entitled to an opinion, but it's just that, a personal article on something they dislike and nothing else.
-
@Pesala said in Hide EV certificate badge in url field:
@terere said in Hide EV certificate badge in url field:
A non tech person does not even know what a URL is, let alone phishing, otherwise they would not fall for it.
Well, that's the point of this feature request. Since most users are not security experts, showing the EV badge in the URL serves no purpose for them – it is just clutter.
If the details are available in badge popup, the experts can see the information with one click.
As soon as you resorted to character assassination, you already lost the argument in my book.
So only newbie users are entitled to have security online? And heavier Internet users not? So you want me and other people to have to make an extra click to see the URL the proper way every time I go to a website on which I expect to see the extended validation? Putting an extra burden on the users is the opposite of security.
I understand how EV certificates work and I expect to see them for many banking and other sites I use online.
What character assassination are you referring to?
-
@madiso A sensible move.
We will add additional EV information to the identity panel instead, effectively reducing the exposure of EV information to users while keeping it easily accessible.
-
Despite several Loud Throats here, I completely agree with the subject and with those who named the present state "security theater", as well as with those who pointed out that Google isn't an idol in UI.
If the fact of this EV presence is so important, just move the detailed info into a tooltip or the "Site info" popup and use a different padlock icon with a big fat checkmark over it.
-
Another solution would be to fold the EV text into the icon after the user has interacted with the tab for 3 seconds.
So it will still have the in-your-face "PLEASE-LOOK-AT-ME!" moment when the user accesses a new tab, then shrink to show the URL when it has served its purpose.
-
A mod still exists, considering it is a wontfix.
-
Wait, I'm confused. I don't see the green text, I only see a padlock. What am I doing differently? Here's what I see on the OP's link, and every other site I've ever gone to:
-
@Aelius I think the text doesn't show anymore on browsers. So padlock only is correct.
-