Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that i predicted in my 2002 paper—Ping

First, asking people to stop clicking on links is infeasible and defeats the whole point of having a Web in the first place. Second, the problem is more complex. Consider these examples:

(a) Assume that i trust you and i have somehow managed to get myself to your website with some assurance. Your web page says "I use Paypal and i recommend it. Get your own account at paypal.com." Instead of clicking the link, i type "paypal.com" in the bar.

But what if you meant to recommend "p\u0430ypal.com"? Because the Cyrillic "a" and Latin "a" are indistinguishable, i have now gone to the wrong site even though i typed in the URL as i saw it.

The point: visibly indistinguishable URLs are inevitably a problem as long as users are allowed to type them in.

(b) Assume i trust the EFF and i have correctly arrived at their website. I want to make a donation. The EFF webpage at

<eff.org>

provides a bunch of links for making donations with Paypal. Here is the URL for donating $25:

<secure.paypal.com>

That link is important because it establishes the trust relationship between EFF and the account where Paypal will deposit the money. Do you expect the user to type in that entire URL?

(c) Assume that i like the E project and i want to make a donation in e-gold. The page at

<erights.org>

provides e-gold’s donation form. But it’s not a link i can type into the location bar; e-gold needs me to fill out the form. Your rule of always typing in URLs can’t work here.—Ping
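The homograph case in (a) above, worked through as an added example (this is not code from Ping's post or from the Shmoo Group's demonstration). It shows why "typing what you see" fails: the two hostnames are visually identical but map to different DNS names once converted to their IDNA/punycode form, and it shows the two checks a client could run on a displayed hostname: a mixed-script test per label, and a comparison of a confusable-folded "skeleton" against a trusted name. The lookalike table is a small hand-picked subset chosen for this example, not the full Unicode confusables list; the sample hostnames are constructed.

```python
import unicodedata

# Hand-picked Cyrillic letters whose lowercase glyphs match Latin letters in
# common fonts. This is an illustrative subset (an assumption made for this
# example), not the full Unicode confusables table.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
    "\u0458": "j", "\u0455": "s",
}


def script_of(ch):
    """Coarse script classification derived from the Unicode character name."""
    if ch.isascii() and (ch.isdigit() or ch in "-."):
        return "Common"
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"


def to_ascii(host):
    """The IDNA (punycode) form: what actually goes into a DNS query."""
    return host.encode("idna").decode("ascii")


def is_mixed_script(host):
    """True if any single label mixes letters from more than one script."""
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label} - {"Common"}
        if len(scripts) > 1:
            return True
    return False


def skeleton(host):
    """Fold known lookalikes onto their Latin twins for comparison."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in host)


def audit(host, trusted):
    """Summarise how a displayed hostname relates to a trusted one."""
    ascii_form = to_ascii(host)
    return {
        "display": host,
        "ascii": ascii_form,
        # An IDN is any name whose wire form differs from what is shown.
        "is_idn": ascii_form != host,
        "mixed_script": is_mixed_script(host),
        # Same skeleton but a different wire name: visually identical, not equal.
        "impersonates": (skeleton(host) == skeleton(trusted)
                         and ascii_form != to_ascii(trusted)),
    }


if __name__ == "__main__":
    # Constructed sample: Latin "paypal.com" and the same name with a Cyrillic a.
    for h in ("paypal.com", "p\u0430ypal.com"):
        print(audit(h, "paypal.com"))
```

The mixed-script test catches the single-substitution case from the post but not a label written entirely in Cyrillic lookalikes; the skeleton comparison catches both, which is why a client should run both and, for anything flagged, show the punycode form rather than the decoded one.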