Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that i predicted in my 2002 paper—Ping

So how, in this system, does the user come to trust Paypal (as opposed to someone pretending to be Paypal)? —Ben

If I’m understanding the discussion so far, I think the answer is that the issue of trust is separate from the issue of identity. When the Petname is set up, the name "Paypal" is bound to an identity. Any trust is independent of that identity. In an effort to pretend to be Paypal, "someone" would have to establish another identity. Of course the identity Paypal is already taken. Whatever identity the user set up for this someone, it would be different from "Paypal". This seems to make "trying to pretend" inherently difficult. What would induce a user to use a Petname like Paypa1 that could be easily confused with Paypal?

How much the user chooses to trust either the Paypal identity/Petname or this other non-Paypal identity/Petname is of course up to the user with input from others such as friends, authorities, etc.

I hope I’m close to the base issue.—Jed

What do you mean "of course"? By what mechanism did the user identify the "real" Paypal? How do you know they’ve ever even come across Paypal before?—Ben

A website that says "this is the Paypal website" all over it, perhaps? —Ben

That wouldn’t induce me (at least) to use a name like Paypa1 (note the digit one = 1 vs. the letter "l"). Doing so could only result in confusion. It might induce me to establish a trust relationship with whatever identity I choose to give the site (e.g. NewPaypal or perhaps it’s the first "Paypal" that I’ve assigned an identity for and I choose "Paypal" as the Petname for this site. However, assigning any trust to such a site based on it’s saying "this is the Paypal website" would be foolish.—Jed

Indeed, but I am no closer to understanding how the user ever gets to a state where they can do anything useful. Try this for a thought experiment. I have a brand new laptop. I have no petnames for anything, obviously. What do I do now? Describe the process by which I end up with a petname for Paypal that actually links to the real Paypal.—Ben
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Before getting into the mechanics of introduction, it is important to realize that introduction has nothing to do with phishing. In a phishing attack, a spoof site impersonates a trusted site so as to intercept the high value communications between the user and the trusted site. The introduction and creation of a trust relationship has already occurred, and the phisher is trying to subvert this existing relationship. To defend against phishing, we need only prevent subversion of existing trust relationships. The current PKI solution fails to provide this protection.

For example, people with Paypal accounts already have a connection and trust relationship with the Paypal website. The phisher wants to get the password for this existing Paypal account. We can defeat the phisher by preventing impersonation of the Paypal website. As the shmoo examples demonstrate, the PKI fails to prevent this impersonation.

Do you agree that the petname toolbar prevents phishing attacks, as they are defined in this email?

Defending the integrity of introductions is also important, but it is a separate problem from phishing. I am happy to explain how YURLs are used to ensure the integrity of introductions, but let’s progress in steps.—Tyler

The Shmoo example does not demonstrate anything about PKI (though it is true that the particular CA chosen doesn’t tell you much about who bought the certificate, which would strike me as a fairly effective prevention of the attack—the CA was, however, chosen for cheapness, not usefulness).—Ben

So you view the Shmoo example [1] as a showcase of the PKI providing effective prevention against a phishing attack? My interpretation of the Shmoo example, and I suspect their intent, is exactly the opposite. If we disagree on this point, we must have wildly different understandings of the use model the WWW presents to users.

[1] <shmoo.com>—Tyler
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

I agree that petnames will prevent spoofing an existing URL, indeed. —Ben
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

I can figure that one out. I still want to know how I get my first introduction. BTW, I saw a domain spoofing attack today that did not attempt to subvert an existing trust relationship. It was trying to get people to post their pictures to a spoofed HotOrNot site. Frivolous, I’ll admit, but nevertheless, an example of an attackable transaction with value that does not rely on an existing trust relationship and so cannot be prevented by petnames (at least, not in the way described).—Ben
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

I believe I’m trying to say the same thing. —Jed