Hide EV certificate badge in url field

S_Paternotte

For some websites like https://nos.nl the green padlock icon in the address bar is accompanied by the name of the certificate holder. This is a waste of space.
Please move this surplus information to a Mouse Over info box.

Dr.Flay

@S_Paternotte said in Hide certificate badge in url bar:

nos.nl

This is standard browser behaviour.
That extra info is because they have an extended validation certificate
https://en.wikipedia.org/wiki/Extended_Validation_Certificate

S_Paternotte

@Dr-Flay That may be the case. My suggestion is to move this piece of (superfluous) information to a 'mouse over' popup.

Pesala

@Gwen-Dragon The request is not to remove the information, just to move it to a tooltip to save space in the URL field.

Let's be honest here, the fast majority of users have no clue what it means. Those who do can hover the green padlock to see the details.

S_Paternotte

@Pesala yeah, thank you

LonM

@Gwen-Dragon Often, many users don't actually know what this means. You or me may recognise the significance, but I know plenty of ordinary users who would not even notice the difference between a regular padlock and an EV certificate.

Many browsers are now phasing this technology out as it is security theatre, and some browsers just plain don't support it.

Placing more focus on the domain in the URL will be helpful for spotting phishing.

Dr.Flay

I would happily swap the cert info for DANE validation info which makes more sense to end users.
Certificates can be as secure as possible, but with no validation that the domain you are on matches the correct IP, it is worthless.

madiso

Here are more pro-arguments by security experts:

• https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/
• https://www.troyhunt.com/on-the-perceived-value-ev-certs-cas-phishing-lets-encrypt/
• https://www.troyhunt.com/extended-validation-certificates-are-dead/
• https://stripe.ian.sh/

FWIW, Chrome has tested this already (and has a flag for it, which doesn't work in Vivaldi unfortunately) and Brave browser has this feature enabled by default.

terere

You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.

The purpose of EV certificates is precisely that. To display the full company name and location that was approved for that certificate. You can't just go and buy an EV without actually passing some certification that includes proving the company is real, the process is manual and attackers don't like anything manual because they it costs them time as opposed to automated things.

If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.

terere

@LonM

Security theater? The only persons that hate his are phishing authors and hackers as it makes their job harder. Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar. They might not know what or how it works, but they will noticed something is off. Same goes for their banking sites and other major sites. You cannot fake that. Anything phishing authors can't fake unless they already compromised your browser or computer is not a security theather but improves visibility while browsing online.

terere

@Pesala said in Hide EV certificate badge in url field:

@Gwen-Dragon The request is not to remove the information, just to move it to a tooltip to save space in the URL field.

Let's be honest here, the fast majority of users have no clue what it means. Those who do can hover the green padlock to see the details.

That is the same as removing it. If you are saying most users have no clue what it means, how many of them do you think will click on it to see if its displaying the company name? Hiding security elements that make the URL or web address more secure is not a feature but a downgrade. People don't remember things that are not visible all the time when it comes to GUI and interfaces. Forcing users to click on the URL bar in order to check if they are on their major banking site and verify if its the proper website is a disservice and just helps more people being tricked into phishing pages.

madiso

@terere

You are suggesting a feature so Vivaldi users are more insecure while browsing online? That would make it easier to phish and trick Vivaldi users with fake banking and other payment pages that rely on this security feature so users take a bit more attention while surfing online. Phishing EV certificates is not easy and this is why most banking sites use one.

Yet not all payment systems use EV and real people do not stop the payment process if they don't see EV, because they don't always look for it and they still see the lock itself. Some antiviruses prevent the display of any EV, too.

If you hide that information then Vivaldi would be the only browser that is not in compliance with EV certificates.

Brave has it by default, Edge has had it (not sure about the Chromium-based one), Chrome has tested it with real users and every mobile browser currently does not display EV, even Safari removed it.

Please have a look at the articles I linked above, they explain the arguments against EV in detail.

S_Paternotte

@terere I think you're overreacting here.
I'm not asking to remove the green padlock icon. So a clear indicator of the secure connection is still there, isn't it?
My suggestion focusses on the (quite few) websites that use these extended certificates where the certficate holder may not necessarily reflect the URL. The only thing I'm suggesting here is that this "extended" certificate information, which I deem superfluous, is moved to a tooltip.

Practical example:

1. Keep the green padlock icon indicating the secure (not necessarily safe!) connection,
2. Hide the extended information "Vivaldi Technologies AS (NO)"
3. Introduce a mouse over tooltip showing the Extended Certificate Information, i.e. "Vivaldi Technologies AS (NO)"

No harm done, less clutter and more spave available for the vigilant user to keep a close watch on nasty long URL's in the address bar.

mib2berlin

@S_Paternotte
Hi, you can hide it or it is hide for me.
Address bar settings seams not influence it.
Is it may different in Windows?

Opensuse Tumbleweed x86_64
CPU i7-3520M 8 GB
GPU Intel HD4000
xf86-video-intel 2.99.917-6.1
KDE Plasma 5.59.0-1.1
Vivaldi: 2.7.1594.4 (Official Build) snapshot (64-bit)

Cheers, mib

Pesala

@mib2berlin See here: https://nos.nl/

S_Paternotte

@mib2berlin or look at https://vivaldi.com/, which was the example I was using

mib2berlin

Oh, OK, sorry for the noise.

Cheers, mib

LonM

@terere said in Hide EV certificate badge in url field:

Plenty of people from newbies to more advanced users will know something is wrong if they go to Apple.com and don't see the name on the URL bar

Which name? Both of my main Web browsers on mobile just show "apple.com" and leave it at that.

As for other sites, so many use a random name of the umbrella company that owns the company that runs the site that I think it is unrealistic for a user, who may be totally new to a website, to know which name they expect to see the first time they visit a site.

Dr.Flay

Personally I wouldn't use what Chrome do or want to do as a good example, as they want to hide everything, such as HTTP/HTTPS WWW and the section of the site you are on.
If Google have their way all you will see is the domain name and no extension, eg.
www.vivaldi.com and www.vivaldi.net would just show as vivaldi.
This is the company that decided having a switch to enable/disable certificate revocation was "too confusing" so hid it and removed it from the advanced settings.

Yes Malware authors have gameified the system by also buying certificates.
Until an alternative is in use we still need to see the details, or you may as well not bother with certificates at all.
It's not like Chrome will check properly for revocation or validity anyway.
Personally I would rather that the system is fixed instead of ignored.

Pesala

Troy Hunt (Owner of Have you been pwnd) said on Twitter:

Twitter friends, please ask a non-tech person and answer honestly: Do they recognise an EV cert and behave differently to DV only?

4% Yes, they look for EV
37% No, just need a padlock
59% Huh, what's a cert?
2,893 votes • Final results