Why for some SSL websites browsers show extra info, while for others dont
The basic distinction is between a certificate verifying control of a domain, and a certificate verifying the real-world entity behind the domain. With a standard SSL certificate, all that's verified is that the entity with the certificate legitimately controls that domain. It doesn't mean that that's the entity I think it is; I could register bankofamerica.co, and I can then legitimately get a domain-validated certificate for it, and that would show up as a green lock in browsers.
What that box indicates is that CAs have done more validation; EV certificates (the green box) generally require actually verifying the existence and name of the business requesting them. I could not get an EV certificate for that site that says "Bank of America" on it, because I don't have a company called Bank of America, and even if I did the actual person reviewing an EV cert application (unlike normal certs, EV certs aren't automated) would likely be somewhat suspicious at someone claiming to be a bank.
So that's the stated role of EV certs: Verifying that the server sending you a webpage is the correct server for that domain doesn't really help unless you also know that the domain is owned by the company you want to interact with. With Google and Facebook, you know already that their websites are google.com and facebook.com, so I know that I want to talk to google.com, and if I'm talking to the real google.com that's enough. With other organizations, it's not necessarily enough to know I'm talking to the real so-and-so.com; I also need to know so-and-so.com is the actual website I want to be talking to.
CAs (Certificate Authorities) charge extra fees for the "shiny green boxes" because they lead website owners/operators to believe that if your site has the best "shiny green box" then your visitors will trust you more. This propaganda tactic has generally been working very well for Certificate Authorities as people really do believe that the bigger the green box is the safer the website is.
This has lead to an alternative initiative that you can read about here: https://www.eff.org/deeplinks/2014/11/certificate-authority-encrypt-entire-web
and here: https://letsencrypt.org/
The security of an SSL with "no green box" vs one with a "small green box" or one with a "shiny green box" or even a "large shiny green box" is all basically the same from an encryption standpoint. The encryption is possibly exactly the same level between any two variants (although some might be different, there is an accepted minimum). So in the end, what type of green box a website has depends on how much paperwork an applicant is able to give the CA (to prove they are who they say they are) as well as how much money they wanted to pay a Certificate Authority (for the shiny) in effort to give visitors the facade of a higher level of security when in fact the encryption is equal and it is effectively a guarantee that money was paid, paperwork was filled out, and limited monetary guarantees were awarded for the website.
Note: Self signed certificates are known to be risky and your browser will give you a very clear warning when attempting to view a website that has one. Because of this warning, self signed certs are generally only used for testing and personal purposes, but your mileage may vary.
When webmasters buy an SSL cert. They have the option to purchase extended validation certificates.
For IE, it would turn the address bar green, in Chrome it would show a green box before the URL of the site.
The main point of showing that green bar is to prove that the website is run by the people they claim to represent. In order to purchase an extended validation SSL certificate, most CA verify the legal, physical, and operational existence of the business. Here is a snippet from Digicert's website.
When validating a website for an EV certificate, DigiCert complies with a process that is strictly defined by the CA/Browser Forum. In fact, DigiCert is a founding member of the CA/Browser Forum.
As part of the process, one of our validation specialists contacts the requesting organization to confirm that they requested the certificate and that the applicant is authorized to receive the certificate on behalf of the organization. By maintaining this human element in the validation process, fraudulent or phishing-related activity is much easier to detect.
Our process includes:
- Verifying the legal, physical, and operational existence of the entity.
- Verifying that the identity of the entity matches official records.
- Verifying that the entity has exclusive right to use the domain specified.
- Verifying that the entity has properly authorized the issuance of the certificate
Source: https://www.digicert.com/ev-ssl-certification.htm