"While many vendors tend to use the phrase "SSL/TLS Certificate", it may be more accurate to call them:
"Certificates for use with SSL and TLS",
since the protocols are determined by your server configuration, not the certificates themselves."
(Source:
https://www.globalsign.com/en/blog/ssl-vs-tls-difference/It has become harder now to know what is legit and what is not. Read:
https://www.troyhunt.com/extended-validation-certificates-are-dead/First Apple moved it out, then Google and now Firefox followed.
To still show them: Use the Firefox extension "Certainly Something" by April King (Mozilla staff security engineer).
This is open source (
https://github.com/april/certainly-something) and to be download from here:
https://addons.mozilla.org/en-US/firefox/addon/certainly-something/.
But there is another way to go back (when you do not want to use profiling extensions):
in about:config there is a flag available to show EV certs despite this recent move:
security.identityblock.show_extended_validation ; setting should be changed to true to show EV certs.
But what when a certificate of a scammer is registered to certifying firm in Panama,
who keeps you and I from knowing who is really behind this cert.
What is the real validity of such a certificate? Only that it says, that it is being trusted by the browser.
No more, no less.
Consider here:
https://www.scamadviser.com/check-website/isitascam.orgNow read this threat report:
https://www.zscaler.com/blogs/research/february-2018-zscaler-ssl-threat-reportTroy Hunt also got support from some Belgian researcher:
https://ma.ttias.be/the-end-of-extended-validation-certificates/Where are we going, everyone to use a free Let's Encrypt certificate?
Anyone? What can we really TRUST any longer on the Interwebz, I mean real really?
Not a lot these days, and that's a pity, folks, it is.
polonus
