Phishing has become the bane of the financial industry in the past year or so. I remember when the first cases were circulating with e-gold and PayPal a few years back.
This is exactly the kind of attack that CA-based SSL security was supposed to protect against, but never did: a browser shows the padlock for any certificate a trusted CA has issued, and users have no way to tell which site a certificate actually belongs to.
Amir Herzberg has an interesting proposal for changing the browser GUIs. The browser gets a new area at the top of the screen called the Trusted Credentials Area. This area shows the site's logo together with the logo of one or more CAs that vouch for it, so users can immediately see that the site belongs to who it says it belongs to, rather than having to read a domain name or inspect a certificate.
While this helps with the phishing problem from a user interface point of view, it doesn't solve some of the other problems with CA-based PKI, including how new CA root certs get added to the browsers. Ian Grigg, who is famous for his anti-SSL rants, has additionally proposed a way to address this. He proposes a root cert mailing list for Mozilla, where anyone can submit a proposed CA together with its logo. The mailing list would review the new CAs to make sure no one is slipping in fake "VeriSlime" certs. I think this could work very well, in particular if the current backlash against IE keeps going.