Certificates: What decides if "padlock" shows full cert name or not?
-
I've noticed some sites show only the green padlock icon on the address bar, while some sites show the full name, like below:
I'm curious, what part of the certificate decides whether Vivaldi should display the full name or not?
While probably useful to make sure the cert is issued to the correct site, on some sites like the one above, the subject name takes up almost half the address bar, which is quite distracting.
Is there a way to make Vivaldi always display just the basic padlock?
-
@Pathduck
Rumors say that will come in a Chromium 77 version.
//edit: Already removed in Chrome 77.0.3865.35 and 78...
The long certificate bar will be removed, changed to a green lock, the padlock popup will contain more on certificate information.
https://groups.google.com/a/chromium.org/forum/m/#!msg/security-dev/h1bTcoTpfeI/jUTk1z7VAAAJ
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/ev-to-page-info.md
-
The full name is displayed when the site uses an Extended Validation Certificate.
-
@isak I guess the devs will remove the EV bar in a 2.7 Stable?
-
@Gwen-Dragon @isak Thanks a lot for the clarifications
I like having the padlock there, just not the sometimes very long org. name. I read that Google are also considering removing the padlock altogether, since the web "should be secure by default" but I think this is a Bad Idea, hopefully Vivaldi will keep the padlock.
-
@Pathduck I think the padlock is useless as most users do not look at this text. And on some sites it covers half of the address field.
EV display does not bring users more safety! It is a selling strategy for expensive certificates, not more.
-
@Pathduck said in Certificates: What decides if "padlock" shows full cert name or not?:
that Google are also considering removing the padlock altogether
And Mozilla, too. https://groups.google.com/forum/m/?fromgroups&hl=en#!topic/firefox-dev/6wAg_PpnlY4
More on EV certificates "usefulness":
https://www.troyhunt.com/extended-validation-certificates-are-dead/
https://www.troyhunt.com/extended-validation-certificates-are-really-really-dead/
-
@Gwen-Dragon Maybe you misunderstand my post; I said the full EV certificate with organisation name was distracting and not needed, but not the padlock itself.
The green padlock is IMO still very much useful and I wouldn't like Chromium to remove it. But the full EV display will be gone in C.77 and for that I'm happy
-
@Pathduck I guess i wrote too fast or did create a crazy sentence less readable (OMG, i am a ol gal
) .I want the green padlock, but not the text.
-
@Gwen-Dragon said in Certificates: What decides if "padlock" shows full cert name or not?:
I want the green padlock, but not the text.
Then we are in agreement
-
@Pathduck Fine
-
It is kinda dumb. That info can easily be something you see if you want by putting it in the box that pops up when you click on the padlock.
The evidence that EV is pointless to users is regularly demonstrated by the amount of times people ask about the inconsistency of the padlock.
Personally I get better use of having the SSL Labs extension which shows the actual quality of the cert plus its configuration.
You may be looking an an expensive EV cert, but has the server admin actually configured their site to use it securely ?Chromium has an almost useless system for validating certs, so is disabled anyway.
You can enable it but it fails regularly as it actually relies on IE or Edge having already checked it.
Maybe they should hire some Mozilla devs to come and make a working system like FF has.And as I bring up often, without DANE validation, you can't tell if the IP is the correct and expected IP the domain and cert should actually be hosted on.
You could well be looking at the correct web address and a good cert, but actually have been redirected to a bogus site by DNS poisoning or a MiTM attack.
Perspectives and the DANE validation extensions were the only way to spot that the cert you are seeing may be misleading, but both are now abandoned due to the way extensions now work.
