Author Topic: Firefox 70 starts moving the EV indicator out of the URL Bar  (Read 967 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast √úberevangelist
  • Probably Bot
  • *****
  • Posts: 32624
  • malware fighter
Firefox 70 starts moving the EV indicator out of the URL Bar
« on: October 17, 2019, 11:00:08 PM »
"While many vendors tend to use the phrase "SSL/TLS Certificate", it may be more accurate to call them:
"Certificates for use with SSL and TLS",

since the protocols are determined by your server configuration, not the certificates themselves."
(Source: https://www.globalsign.com/en/blog/ssl-vs-tls-difference/

It has become harder now to know what is legit and what is not.

Read: https://www.troyhunt.com/extended-validation-certificates-are-dead/
First Apple moved it out, then Google and now Firefox followed.

To still show them: Use the Firefox extension "Certainly Something" by April King (Mozilla staff security engineer).
This is open source (https://github.com/april/certainly-something) and to be download from here: https://addons.mozilla.org/en-US/firefox/addon/certainly-something/.

But there is another way to go back (when you do not want to use profiling extensions):
in about:config there is a flag available to show EV certs despite this recent move:
security.identityblock.show_extended_validation ; setting should be changed to true to show EV certs.

But what when a certificate of a scammer is registered to certifying firm in Panama,
who keeps you and I from knowing who is really behind this cert.
What is the real validity of such a certificate? Only that it says, that it is being trusted by the browser.
No more, no less.

Consider here: https://www.scamadviser.com/check-website/isitascam.org

Now read this threat report: https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-report

Troy Hunt also got support from some Belgian researcher:
https://ma.ttias.be/the-end-of-extended-validation-certificates/

Where are we going, everyone to use a free Let's Encrypt certificate?
Anyone? What can we really TRUST any longer on the Interwebz, I mean real really?
Not a lot these days, and that's a pity, folks, it is.

polonus


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Asyn

  • Avast √úberevangelist
  • Certainly Bot
  • *****
  • Posts: 66135
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Firefox 70 starts moving the EV indicator out of the URL Bar
« Reply #1 on: October 28, 2019, 09:37:32 AM »
Hi Pol, just as a side note, it's still available/shown in Firefox ESR. Groetjes
Win 8.1 [x64] - Avast PremSec 20.7.2422.B#2 [UI.547] - CC 5.70 - EEK - FF ESR 68.11 [NS/AOS/uBO/PB] - TB 68.11 - SB/CP/SL/DU.BC
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0