Recently, the Shmoo Group discovered that Firefox is vulnerable to precisely the exploit that I predicted in my 2002 paper—Ping

The central point of my essay on the petname toolbar is that phishing is the result of name conflation. Under the PKI, a domain name is used to identify both the target site of a hyperlink, and the trust relationship between the user and the target site. It is just broken to allow the potential attacker to provide the name used to recognize a trust relationship. That’s the problem.

Petnames solve this problem by eliminating the name conflation. A separate namespace is used to identify trust relationships. This namespace is managed solely by the user’s browser, thus eliminating the potential attacker from the name recognition process. That’s how the petname toolbar solves the phishing problem, both in theory and in practice.

See:

<waterken.com>—Tyler

If I’m understanding the discussion so far, I think the answer is that the issue of trust is separate from the issue of identity. When the Petname is set up, the name "Paypal" is bound to an identity. Any trust is independent of that identity. In an effort to pretend to be Paypal, "someone" would have to establish another identity. Of course the identity Paypal is already taken. Whatever identity the user set up for this someone, it would be different from "Paypal". This seems to make "trying to pretend" inherently difficult. What would induce a user to use a Petname like Paypa1 that could be easily confused with Paypal?

How much the user chooses to trust either the Paypal identity/Petname or this other non-Paypal identity/Petname is of course up to the user with input from others such as friends, authorities, etc.

I hope I’m close to the base issue.—Jed

Before getting into the mechanics of introduction, it is important to realize that introduction has nothing to do with phishing. In a phishing attack, a spoof site impersonates a trusted site so as to intercept the high value communications between the user and the trusted site. The introduction and creation of a trust relationship has already occurred, and the phisher is trying to subvert this existing relationship. To defend against phishing, we need only prevent subversion of existing trust relationships. The current PKI solution fails to provide this protection.

For example, people with Paypal accounts already have a connection and trust relationship with the Paypal website. The phisher wants to get the password for this existing Paypal account. We can defeat the phisher by preventing impersonation of the Paypal website. As the shmoo examples demonstrate, the PKI fails to prevent this impersonation.

Do you agree that the petname toolbar prevents phishing attacks, as they are defined in this email?

Defending the integrity of introductions is also important, but it is a separate problem from phishing. I am happy to explain how YURLs are used to ensure the integrity of introductions, but let’s progress in steps.—Tyler
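As an added illustration (this is not code from the petname toolbar or the Waterken project), here is a minimal petname store in Python that demonstrates both Tyler's earlier point that the trust-relationship name must come from a namespace the attacker cannot write to, and the point in this message that the phisher is trying to subvert an existing relationship rather than create a new one. The assumptions are mine: the site identity is taken to be the https host name (a real toolbar would use the identity verified in the TLS handshake), the toolbar shows the literal string "untrusted site" when no petname is bound, and near-duplicate petnames are caught with a toy confusables map rather than Unicode TR39 data. All URLs, page titles and petnames are constructed.

```python
"""Toy petname store: a user-managed namespace for trust relationships.

The attacker controls the URL, the page title, the logo and everything in the
page. The attacker does not control this store, so the label the toolbar shows
for a spoof site is whatever the store returns for an unknown site.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlsplit
import unicodedata

# Toy confusables map used when the *user* picks a petname (assumption of this
# example; a real implementation would consult Unicode TR39 confusables data).
_CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "|": "l", "!": "i"})


def skeleton(petname: str) -> str:
    """Reduce a petname to a form in which visually similar names collide."""
    folded = unicodedata.normalize("NFKD", petname).encode("ascii", "ignore").decode()
    return folded.lower().replace(" ", "").translate(_CONFUSABLE)


def site_identity(url: str) -> str:
    """Key used to look a site up. Here: the https host name (an assumption;
    a real toolbar would key on the identity verified in the TLS handshake).
    Lookup is exact, so a host that merely *looks* like the trusted one
    (paypa1.com, or a Cyrillic letter in the label) is a different key."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https site: {url!r}")
    return parts.hostname


@dataclass
class PetnameStore:
    # site identity -> petname. Only the user (via introduce) ever writes here.
    _by_site: Dict[str, str] = field(default_factory=dict)

    def introduce(self, url: str, petname: str) -> None:
        """Create a trust relationship: bind a user-chosen petname to a site.
        Refuses a petname that is confusable with one already bound to a
        different site, so the user cannot accidentally set up 'Paypa1'."""
        site = site_identity(url)
        for other_site, other_name in self._by_site.items():
            if other_site != site and skeleton(other_name) == skeleton(petname):
                raise ValueError(
                    f"petname {petname!r} is confusable with {other_name!r} "
                    f"already bound to {other_site}"
                )
        self._by_site[site] = petname

    def recognize(self, url: str) -> Optional[str]:
        """Recognise an existing relationship; None means 'never introduced'."""
        return self._by_site.get(site_identity(url))


def toolbar_label(store: PetnameStore, url: str, page_title: str) -> str:
    """The string the toolbar displays. page_title is attacker-supplied and
    deliberately ignored: nothing the page sends influences the label."""
    petname = store.recognize(url)
    return f"petname: {petname}" if petname else "untrusted site"


if __name__ == "__main__":
    store = PetnameStore()
    # Introduction happened earlier, by the user (constructed sample).
    store.introduce("https://www.paypal.com/signin", "Paypal")
    # Later visits: the real site is recognised, the spoof sites are not,
    # no matter what title the spoof page carries.
    for url in ("https://www.paypal.com/cgi-bin/webscr",
                "https://www.paypa1.com/signin",
                "https://www.p\u0430ypal.com/signin"):   # Cyrillic 'a'
        print(url, "->", toolbar_label(store, url, "PayPal - Log In"))
```

The security-relevant property is in `toolbar_label`: its output is a pure function of the user's store and the verified site identity, so the only way to make the toolbar say "Paypal" is to be the site the user bound that name to. The confusables check in `introduce` addresses Jed's question about a user choosing "Paypa1": the toolbar can refuse such a binding at introduction time, which is the one moment the user is choosing a name rather than recognising one.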

The only way I go to my bank’s page is by clicking on a link in a page on my machine. It’s sort of like a pet name. I wish it were a YURL. That is the only site with which I exchange important data. Most people have at most a very few important links.—Norman

:) So do I. —Tyler

Creating a WWW in which it is unsafe to follow hyperlinks is a considerable design failure. In my opinion, such a system is no longer deserving of the term "web". I am trying to design a WWW in which following hyperlinks is safe.—Tyler