Certificates: What decides if "padlock" shows full cert name or not?
-
I've noticed some sites show only the green padlock icon on the address bar, while some sites show the full name, like below:
I'm curious, what part of the certificate decides whether Vivaldi should display the full name or not?
While probably useful to make sure the cert is issued to the correct site, on some sites like the one above, the subject name takes up almost half the address bar, which is quite distracting.
Is there a way to make Vivaldi always display just the basic padlock?
-
The full name is displayed when the site uses an Extended Validation Certificate.
-
@Gwen-Dragon @isak Thanks a lot for the clarifications
I like having the padlock there, just not the sometimes very long org. name. I read that Google are also considering removing the padlock altogether, since the web "should be secure by default" but I think this is a Bad Idea, hopefully Vivaldi will keep the padlock.
-
@Gwen-Dragon Maybe you misunderstand my post; I said the full EV certificate with organisation name was distracting and not needed, but not the padlock itself.
The green padlock is IMO still very much useful and I wouldn't like Chromium to remove it. But the full EV display will be gone in C.77 and for that I'm happy
-
@Gwen-Dragon said in Certificates: What decides if "padlock" shows full cert name or not?:
I want the green padlock, but not the text.
Then we are in agreement
-
It is kinda dumb. That info can easily be something you see if you want by putting it in the box that pops up when you click on the padlock.
The evidence that EV is pointless to users is regularly demonstrated by the amount of times people ask about the inconsistency of the padlock.
Personally I get better use of having the SSL Labs extension which shows the actual quality of the cert plus its configuration.
You may be looking an an expensive EV cert, but has the server admin actually configured their site to use it securely ?Chromium has an almost useless system for validating certs, so is disabled anyway.
You can enable it but it fails regularly as it actually relies on IE or Edge having already checked it.
Maybe they should hire some Mozilla devs to come and make a working system like FF has.And as I bring up often, without DANE validation, you can't tell if the IP is the correct and expected IP the domain and cert should actually be hosted on.
You could well be looking at the correct web address and a good cert, but actually have been redirected to a bogus site by DNS poisoning or a MiTM attack.
Perspectives and the DANE validation extensions were the only way to spot that the cert you are seeing may be misleading, but both are now abandoned due to the way extensions now work. -