I am quite interested in seeing Firefox, Thunderbird, and our other products implement effective anti-phishing strategies. I just don't think that the SSL protocol and the CA infrastructure can bear all or even most of the burden of protecting users from phishing. I think basic SSL checks related to domain name have to be supplemented and coordinated with other measures, which might include site blacklists, automated comparisons of site names with a whitelist of common phishing targets, and other heuristics designed to present the user with a qualified determination that "yes, this site is likely legitimate" or "no, it's not legitimate".
Just in case anyone was wondering, I'd endorse all of those principles and most of those practices (except perhaps the "common phishing" whitelist; I think we can do better).
Gerv
