Hacker News
by jchiu1106 3108 days ago
Simple. Don't use Safari or any browser that makes the users dumb by making it "friendly" to make them vulnerable to things like this. It's not that EV is broken - it's the bad UX decisions and the mentality behind it.
4 comments

Correction: Simple. Go to Safari's preferences > Advanced and check the box next to "Show full website address".

I'm definitely not defending Safari's UX choices for defaulting to hiding the website address. I disagree with Apple's decision. However, when there's a configurable way to solve the issue there's no reason to abandon the software.

Mobile Safari seems to lack that option, at least as of iOS 10.
I fail to see how something like "stripe-service.com" with an EV certificate showing "Stripe, Inc [US]" would be less likely to trick users in a phishing campaign.
I don't use Safari, but if I did, I think I would fall for it if someone set up a phishing website with Safari only showing "Stripe, Inc [US]" in the address bar, but I definitely would not if I were presented with the full URL of the site.
Chrome hides cert in dev tools now, Google patronizing as ever. Google's gonna goog.
Yeah, they hide the link by default in recent versions.

You can re-enable the link if, like me, you'd like it to be quickly available.

  chrome://flags/#show-cert-link
Not available on 63.0.3239.84
The flag was removed in Chrome 63 because the certificate link is now enabled by default[1].

[1]: https://bugs.chromium.org/p/chromium/issues/detail?id=718553

Okay, I see, they moved it back.
Okay, apparently they've removed that option then.

It still shows up for me but I'm on 62.0.3202.89 (haven't restarted recently).

Yeah, we're talking about users who don't really understand phishing, and yet you want them to understand it enough to know not to use the browser that came with their MacBook/iPhone?