Hiding the EV Owner in Vivaldi

Vivaldi showing the DuckDuckGo EV Certificate

Install the mod in this blog post to get rid of the EV site owner name in Vivaldi. It’s not quite as useful as you might initially think.

What is an (EV) Certificate?

A certificate is a way of verifying that the HTTPS connection between you and a third party is secure. It also carries some extra data, such as what kind of encryption should be used and how long the certificate is valid (it has an expiry date). If you see a green padlock in the Vivaldi address bar, it means that the certificate is valid and your connection is secure.

An EV Certificate goes a step further and also contains some information about the company that owns the website. It doesn’t actually make the connection any more secure, but lets you know who supposedly owns that site.

To illustrate, here is a screenshot showing how Vivaldi displays sites with bad security, a regular DV cert (HTTPS) and an EV cert (HTTPS):

Screencap showing different certification icons in Vivaldi

As I will go on to mention, it’s that bottom address, the EV certificate and its owner name, that is causing me concern.

Why would you want to hide it?

Many other people have written articles questioning the usefulness of EV certificates. I don’t want to reiterate that too much; you can read more here (by Scott Helme) or here (by Troy Hunt). Some of the arguments raised include:

  • A lot of regular users don’t recognise an EV cert when they see one – and if they did, they might not know what it means
  • The first time you visit a site and don’t see an EV cert, you have no way of knowing whether there should be one, which makes them kind of useless for first-time visitors to a website
  • EV certs can often have confusing names that are different to that of the domain (they rely on the owning company, not the domain, and you can’t expect users to know this information beforehand)

Recently an example came up (found by Ian Carroll) that proves just how dangerous an EV certificate can be if a user reads it incorrectly:

Screencap of two different sites, both of which apparently have the same EV

You see that? Two completely different domains, yet they both display themselves in Vivaldi as “Stripe, Inc [US]”. That’s not a defect; it’s how EV is designed. Now, I like to consider myself pretty savvy and able to spot phishing, but when something like this crops up it would be FAR easier to spot a phish by focusing on the domain, not the EV information.

The green padlock indicating a certificate is used to secure traffic over HTTPS means your connection to the end party is secure from eavesdroppers and wiretappers. It doesn’t imply anything about the safety of the domain at the far end. EV certificates are supposed to solve this, by letting you know that the domains are associated with a proper legal entity, but the above example shows that is simply not the case.

It is a misconception that I believe might confuse users who don’t fully understand what the green padlock represents – a secure connection, not a guarantee of safety.

Hide it with CSS

The easiest way to hide the EV cert information is a custom.css mod for Vivaldi. Instructions for installing these can be found on the forums.

Inside custom.css:

/* Use the following to hide the site info text */
button.button-addressfield.addressfield-siteinfo.certified .siteinfo-text {
  display: none;
}
/* Include the following to display the full name on hovering */
button.button-addressfield.addressfield-siteinfo.certified:hover .siteinfo-text {
  display: block;
}

The great thing about this solution is:

  • It prevents you from being misled by the EV information
  • You can still access the name quickly by hovering if you really want to check
  • This is a superficial change, so all of the back-end security offered by EV (which is nearly the exact same as regular DV) is not affected – you will still get your forced revocation checking.

Once installed, when you come across a site with an EV certificate and an owner name, you see this:

Screencap of Vivaldi with the anti-EV mod installed

Suddenly, the only indicator of a potential phish is the domain. And we can clearly see the domain is in fact “ian.sh”. If I were looking for the real Stripe website, I would immediately recognise that although my connection is secure, the server at the other end clearly isn’t the one I’m looking for.

Last Thoughts

If you’re still not convinced that EV certs don’t add much real value, consider the fact that the web’s biggest sites, such as Amazon and Google, don’t bother with them.

Google Chrome (which Vivaldi is built upon) in particular has far more effective methods of preventing phishing, such as the Safe Browsing Blacklist that blocks malware sites – Vivaldi Employee @yngve explains how that works to protect you here.

Some other steps and useful info you might like to use to secure yourself:

  • Disable the setting “Address Bar > Show full address”. If you don’t need it on a daily basis, disabling this option will make it far easier to read domain names and spot potential phishes.
  • Go to the URL “vivaldi://flags/#mark-non-secure-as” and set it to “Always mark HTTP as dangerous”. I find this makes it far easier to spot when your connection is not secured to the end point – which could let eavesdroppers (or even your ISP) hijack your connection.
  • Go to the URL “vivaldi://flags/#show-cert-link” and enable “Show Certificate Link”. Now, when you click on the green padlock, there is a quick link to view the certificate, so you can read the full details if you are so inclined.
  • I mention that the address displayed in the address bar is a good indicator of the true domain, though it is possible to spoof that as well (more info here). Good news on this front: I’ve tried, and it seems Vivaldi is safe against this. You can see for yourself by visiting this link: http://wikipediа.org, and you’ll notice Vivaldi fixes the link so it can’t hide itself.
  • The best way to avoid phishing sites is to type out the URL directly, or use a bookmark. Assuming the site itself hasn’t been hacked, that will ensure you always go to the right place. Clicking links from random emails and internet ads is a sure way to fall victim to phishing.
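
The lookalike link in the list above only works while the address is shown in its Unicode form. The following is an added example, not part of the original post, showing the ASCII ("xn--") form a browser resolves and a check for labels that mix scripts. The function names, the three-script subset and the sample links are assumptions made for illustration.

```javascript
// Added example (not from the original post). Runs in Node.js; no packages.
// Scripts checked here are an illustrative subset, not a complete list.
const SCRIPTS = {
  Latin: /\p{Script=Latin}/u,
  Cyrillic: /\p{Script=Cyrillic}/u,
  Greek: /\p{Script=Greek}/u,
};

// Return the sorted script names used by the letters of one hostname label.
function scriptsIn(label) {
  const found = new Set();
  for (const ch of label) {
    for (const [name, re] of Object.entries(SCRIPTS)) {
      if (re.test(ch)) found.add(name);
    }
  }
  return [...found].sort();
}

// Compare the hostname as written in a link with the ASCII form a browser
// resolves, and flag labels that mix scripts (the lookalike pattern).
// Assumes a plain scheme://host link without a userinfo ("user@") part.
function inspectLink(link) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#:@]+)/i.exec(link);
  if (!m) throw new Error("not an absolute URL: " + link);
  const shown = m[1].toLowerCase();
  // WHATWG URL parsing applies IDNA ToASCII: non-ASCII labels become "xn--...".
  const ascii = new URL(link).hostname;
  const labels = shown.split(".").map((label) => ({
    label,
    scripts: scriptsIn(label),
  }));
  return {
    shown,
    ascii,
    punycode: ascii !== shown,
    mixedScript: labels.some((l) => l.scripts.length > 1),
    labels,
  };
}

// Constructed samples: the post's lookalike (Cyrillic "а" written as \u0430),
// an ordinary ASCII host, and a host written wholly in Cyrillic.
const samples = ["http://wikipedi\u0430.org", "https://stripe.com", "http://пример.рф"];
for (const s of samples) {
  const r = inspectLink(s);
  console.log(r.ascii, r.punycode ? "IDN" : "ASCII", r.mixedScript ? "MIXED-SCRIPT" : "ok");
}
```

A label written entirely in one non-Latin script is a legitimate internationalised name, so only the mixed-script case is flagged; a real check would cover more scripts and known confusable characters.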

I hope reading this post has helped you learn about security in some way, and how to enhance your Vivaldi experience. Browse safely.

Join the Conversation

  1. Hey Vivaldi Team, I’m new to your awesome browser but I’m in love with it. Previously I was using Chrome and UC Browser, but they use lots of power and heat up my old PC. This browser is so lightweight and full of features, and especially that side bar with all the bookmark, download, history and especially ToDo and Window options is just very useful. I love it. I have no problem opening 10, 15 or even 20 tabs in it; all previous browsers used to heat up my PC after 2 or 4 tabs. Thanks guys, keep adding useful features like this 🙂

    1. I’m not part of the Vivaldi team, but it’s good to know you’re a fan of the Vivaldi browser.

  2. Can’t get vivaldi://flags/#show-cert-link to work, there is no such option in 1.14.1072.3 (Official Build) (64-bit)

    1. I believe as of 1.14.1072.3 this is enabled by default and is no longer an “experimental” flag.
