Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that i predicted in my 2002 paper—Ping

Suppose the user sees "paypal.com" in the URL field while establishing a trust relationship with the site. Users reasonably expect that if they then type "paypal.com" back into that URL field, they will get back to the same site.

If the URL field initially contained "p\u0430ypal.com" instead of "paypal.com", identifiability is violated because typing in "paypal.com" takes the user to a different site than the original site where the trust relationship was established.

It seems to me that, for a Petname field to truly solve the IDN problem, the URL field would have to be removed. In that case, we’d have to come up with a new way of bootstrapping trust in websites (e.g. getting from a URL printed on a business card to the intended website).—Ping

First, asking people to stop clicking on links is infeasible and defeats the whole point of having a Web in the first place. Second, the problem is more complex. Consider these examples:

(a) Assume that i trust you and i have somehow managed to get myself to your website with some assurance. Your web page says "I use Paypal and i recommend it. Get your own account at paypal.com." Instead of clicking the link, i type "paypal.com" in the bar.

But what if you meant to recommend "p\u0430ypal.com"? Because the Cyrillic "a" and Latin "a" are indistinguishable, i have now gone to the wrong site even though i typed in the URL as i saw it.

The point: visibly indistinguishable URLs are inevitably a problem as long as users are allowed to type them in.

(b) Assume i trust the EFF and i have correctly arrived at their website. I want to make a donation. The EFF webpage at

<eff.org>

provides a bunch of links for making donations with Paypal. Here is the URL for donating $25:

<secure.paypal.com>

That link is important because it establishes the trust relationship between EFF and the account where Paypal will deposit the money. Do you expect the user to type in that entire URL?

(c) Assume that i like the E project and i want to make a donation in e-gold. The page at

<erights.org>

provides e-gold’s donation form. But it’s not a link i can type into the location bar; e-gold needs me to fill out the form. Your rule of always typing in URLs can’t work here.—Ping
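The homograph problem raised above (the Cyrillic "a" in "p\u0430ypal.com" being indistinguishable from the Latin one, both in the first message and in example (a)) is something a client can at least detect before a name is ever shown to the user. The following is an added example, not code from Ping, the Shmoo Group or any browser: it converts a hostname to the ASCII (punycode) form the resolver actually sees, flags labels that mix scripts, and folds a small constructed subset of Unicode lookalike letters to Latin so that a name which renders like a trusted one can be compared against it. The `LOOKALIKES` table, the `assess` helper and the sample hostnames are all assumptions made here for illustration.

```python
import unicodedata

# Small, constructed subset of the Unicode TR39 confusable data (not exhaustive):
# non-Latin letters mapped to the Latin letter they resemble on screen.
LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def to_ascii(hostname):
    """Encode an IDN hostname to its ASCII (punycode) form, i.e. what DNS sees.
    A purely ASCII name comes back unchanged."""
    return hostname.encode("idna").decode("ascii")


def label_scripts(label):
    """Return the set of scripts used by the letters in one DNS label.
    Digits and hyphens are ignored; the script is taken from the first word of
    the character's Unicode name (e.g. 'LATIN', 'CYRILLIC', 'GREEK')."""
    scripts = set()
    for ch in label:
        if unicodedata.category(ch).startswith("L"):
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def is_mixed_script(hostname):
    """True if any label of the hostname mixes letters from more than one script."""
    return any(len(label_scripts(label)) > 1 for label in hostname.split("."))


def skeleton(hostname):
    """Fold lookalike letters to Latin so visually identical names compare equal."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in hostname)


def is_lookalike_of(candidate, trusted):
    """True when candidate renders like trusted but is a different name."""
    return candidate != trusted and skeleton(candidate) == skeleton(trusted)


def assess(hostname, trusted_hosts):
    """Summarise the checks a client could run before displaying a hostname
    (hypothetical helper; the keys are chosen here, not from any browser API)."""
    return {
        "ascii": to_ascii(hostname),
        "mixed_script": is_mixed_script(hostname),
        "lookalike_of": [t for t in trusted_hosts if is_lookalike_of(hostname, t)],
    }


if __name__ == "__main__":
    # Constructed sample: the name the user trusts, and the homograph from the thread.
    trusted = ["paypal.com", "eff.org"]
    for host in ["paypal.com", "p\u0430ypal.com"]:
        print(repr(host), assess(host, trusted))
```

Two of the three checks matter in different cases. The mixed-script test is cheap and needs no list of trusted names, but it says nothing about a label written entirely in one non-Latin script that happens to look Latin; the skeleton comparison catches that, at the cost of needing the set of names the user already trusts, which is exactly the relationship a petname store would hold. Showing the punycode form is the fallback that makes the difference visible even when neither heuristic fires.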