I can think of 3 other ways that the above page is "not true."
1. paypal's CA issues a false cert
2. any other CA issues a false cert
These things have happened a handful of times in the history of the web, and no-one has lost any money to my knowledge. It's not comparable.
3. any CA issues a cert to paypa1.com, or anything that looks the same in the font, like wwwpaypal.com
paypa1.com doesn't look the same in the font we use as paypal.com. That said, we should be open to font improvements. But in non-shmoo cases, there is a distinction if you look. In the shmoo case, there isn't.
4. user doesn't notice the change
That page I described is a spec, as in "this is the minimum work a user needs to do to be safe". That minimum work is checking that indicator is correct. Suggestions to further reduce the work are welcome. :-)
Gerv
