Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

How do you determine that the ’site’ is the same? Do you do a URL or DNS or IP match? It seems to me you leave yourself vulnerable to IP or DNS spoofing or even just being on another network. You also have the possibility of missing the identity if one URL you receive uses a DNS name and another an IP or a DNS alias or ...

It seems to me what you want to do the identity match on is something like a key fingerprint. If you treat the address portion of the URL as really just a hint of how to reach the intended destination but demand a public key fingerprint match to determine the identity then it seems to me you have a pretty strong system.

One interesting aspect of this thinking for me is that in most of my past capability thinking I’ve focused on the concerns of assuring the server that a client is presenting a valid capability. I haven’t focused on the concern of the client that it’s communicating with the appropriate server—also a valid concern.—Jed
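The check Jed sketches above, written out as a small added example (this is not code from Ping, Jed, or any project discussed here). It assumes a URL form of its own invention, `https://host/path?fp=<hex sha256 of the server's public key>`, and uses constructed byte strings in place of real public keys; the "network" is a dictionary standing in for whatever a DNS name or IP address actually resolves to. The host portion is treated purely as a hint for reaching the peer, and the fingerprint is the only thing that decides identity, so a DNS name, an alias and an IP that all lead to the genuine key compare equal, while a spoofed address that presents a different key is refused.

```python
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import urlparse, parse_qs

# Constructed key material (assumption): in a real deployment these bytes would be the
# DER-encoded public key taken from the server's certificate during the TLS handshake.
GENUINE_KEY = b"-----constructed public key of the genuine server-----"
IMPOSTOR_KEY = b"-----constructed public key of a spoofing host-----"


def fingerprint(public_key: bytes) -> str:
    """A server's identity is the SHA-256 of its public key, hex-encoded."""
    return hashlib.sha256(public_key).hexdigest()


def parse_capability_url(url: str) -> Tuple[str, str, str]:
    """Split a URL of the assumed form https://host/path?fp=<hex> into
    (hint, fingerprint, path).  The host is only a routing hint; fp is the
    identity that must match before the path is treated as a capability."""
    parts = urlparse(url)
    fp = parse_qs(parts.query).get("fp", [None])[0]
    if not fp or not parts.hostname:
        raise ValueError("capability URL needs both a host hint and a key fingerprint")
    return parts.hostname, fp.lower(), parts.path


def same_identity(url_a: str, url_b: str) -> bool:
    """Two URLs name the same server iff their fingerprints match, regardless of
    whether the hint is a DNS name, a DNS alias or a bare IP address."""
    return hmac.compare_digest(parse_capability_url(url_a)[1],
                               parse_capability_url(url_b)[1])


def connect(url: str, network: dict) -> Optional[bytes]:
    """Use the hint to reach a peer, then accept the peer only if the key it
    presents hashes to the fingerprint carried in the URL.

    `network` simulates what each address resolves to: address -> presented key.
    Returns the accepted peer key, or None if nothing answered or the key differs."""
    hint, expected, _path = parse_capability_url(url)
    presented = network.get(hint)
    if presented is None:
        return None                      # hint did not lead anywhere
    if not hmac.compare_digest(fingerprint(presented), expected):
        return None                      # reached *something*, but not the intended server
    return presented


if __name__ == "__main__":
    fp = fingerprint(GENUINE_KEY)
    by_name = f"https://example.test/cap/abc?fp={fp}"
    by_ip = f"https://192.0.2.10/cap/abc?fp={fp}"
    honest = {"example.test": GENUINE_KEY, "192.0.2.10": GENUINE_KEY}
    spoofed = {"example.test": IMPOSTOR_KEY}
    print("same server by name and by IP:", same_identity(by_name, by_ip))
    print("honest network accepted:", connect(by_name, honest) is not None)
    print("spoofed address accepted:", connect(by_name, spoofed) is not None)
```

The fingerprint comparison uses `hmac.compare_digest` so the decision does not leak timing information about how much of the expected value matched; the address lookup itself is deliberately untrusted, which is exactly what makes DNS or IP spoofing ineffective against this check.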