by tialaramex 1375 days ago
> The vast majority of users cannot do the "making sure" bit suggested here. Of those who can, the vast majority (including myself here) don't.

Crucially, the browser is showing you historical information. This was the certificate for a transaction which already happened. Because this is about the past not the future you can't make decisions here, only have regrets.

Whereas for certificate name verification and all the other stuff your browser does, that is done by the browser in real time during the connection setup.

When you type the destination bank account and the amount to send into a bank's "send money" form, and then decide to "check the certificate", the browser is not showing you a certificate for the HTTPS transaction you're about to perform; it can't. It's showing you the certificate associated with the form page. When you click "Submit" or "Send" or whatever, there may be a totally different certificate for the HTTP POST operation; it may result in a 30x redirect, which can result in yet another different certificate. You aren't shown these certificates before your form data is sent: the browser does all its checks because they're instant, but your dithering would be too slow.

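To make the point above concrete (the certificate you inspect belongs to the page, not necessarily to where the form posts), here is an added example that is not from the thread: it parses a page's forms, resolves each action URL, and flags the ones whose origin differs from the page origin, meaning a different certificate will govern that POST. The page URL and HTML are constructed sample data, not any real bank site.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; the hostnames are placeholders, not real sites.
SAMPLE_PAGE_URL = "https://bank.example/transfer"
SAMPLE_HTML = """
<form action="/api/send" method="post"></form>
<form action="https://bank.example/confirm" method="post"></form>
<form action="https://payments.example.net/submit" method="post"></form>
<form action="http://bank.example/legacy" method="post"></form>
<form method="post"></form>
"""


def origin(url):
    """Return (scheme, host, port): the unit a TLS certificate check is bound to."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname, port)


class FormActionCollector(HTMLParser):
    """Collect the action attribute of every <form> in document order."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "form":
            # A missing or empty action means the form posts back to the page itself.
            self.actions.append(dict(attrs).get("action") or "")


def cross_origin_form_targets(page_url, html):
    """Return [(resolved_target_url, differs_from_page_origin), ...].

    The certificate the browser shows belongs to page_url. Any target flagged
    True is served under a certificate the user never saw before submitting;
    a scheme change to http means no certificate at all.
    """
    collector = FormActionCollector()
    collector.feed(html)
    page_origin = origin(page_url)
    return [(urljoin(page_url, a), origin(urljoin(page_url, a)) != page_origin)
            for a in collector.actions]
```

This is a static check only; a 30x redirect issued in response to the POST, as the comment describes, can only be observed once the request has already been sent.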

I believe the flow allows you to view certificate information prior to accepting, and then only that certificate will be accepted for only that hostname.
Which browser do you think that's true for, and, have you tried it?
All desktop browsers I've tried. I don't have anything other than Chrome handy at the moment, but it definitely still works.

You just need to click on the "Not Secure" warning, which is where the lock symbol would be, and then on "Certificate is not valid".