Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that i predicted in my 2002 paper—Ping

What cert? If we’re talking about a Verisign-like cert, then we’ve already lost. In any case, YURLs + Pet Names need no certs.—Mark

I don’t know that there is any general technical solution to the problem of confusing names and assuming the trust one has for one of the names applies to the other. (I think about my aging in laws, who get confused rather easily.)

One technical "fix" that might be useful would be for the browse to keep a list of all sites previously visited with https. Anytime a similar, but different site is visited, issue a warning about the similarity.

The details of how similar is determined need to be developed heuristicly, so the code and tables involved need to be easily replaced as a separate upgrade from that of the browser. I would start by treating all characters that can be confused (e.g. 0O 1l $S) as the same character. (It would greatly help to have native readers for each language group in the Unicode standard help with this process.) Also flag sites which differ only by one or two characters (perhaps 10% or 20% of the characters?). Note that www.paypal.com vs. www.paypa1.com would match twice under this algorithm.

When the user has visited sites that match under the similarity algorithm, use a pet name or a logo/icon scheme to clearly separate them during later visits.

Cheers—Bill—Bill