Phil Libin, over at Vastly Important Notes, has just released SpoofStick 1.0, a very cool utility that helps users identify phishing scams and other site-spoofing nastiness by showing the domain you are actually connected to. Download SpoofStick 1.0, open the XPI in Firefox to install it, and give it a whirl.

Correct me if I'm wrong, but isn't the Mozilla codebase purged of the bug that allowed this kind of phishing? If so, why use SpoofStick? If not, WHY THE HECK NOT?! I guess the point may be that it is easier to notice a phishing attempt if there's that bright green announcement up there, taking up 10% of your screen real estate...
Posted by: Jake Munson on May 11, 2004 08:23 AM

Jake, we've got good fixes that take care of _some_ _common_ phishing and spoof-like scams (when I say spoof, I don't mean an actual spoof where an evil site can actually take over the URL bar and replace it with arbitrary content. I mean spoof the user, as in confuse the user with an odd-looking URL that might look similar to some other URL). But no fixes can solve every problem. What do you do about the website with the URL evilsite.com/good-site-really-i-promise? Most users will say "Evilsite! I'm not giving you my credit card," but you can count on a few users to say "Evilsite, hrm. All the good domains must be taken. I'm sure glad you clarified with that 'good site' bit. Here's my credit card." I honestly don't believe that there is a technical solution to _every_ "trick the stupid user" attack. The common-sense measures, like warning the user when a link contains auth that's not required by the server, are a good first step to combating the biggest avenue for these spoofs. You can see this fix in action by visiting this very trustworthy, super-friendly, great offer from mozilla.org link with a current Mozilla or Firefox build.

Posted by: Asa Dotzler on May 11, 2004 09:56 AM

That "very trustworthy..." link gives me a 404 in Firefox 0.8 on Linux... I seem to remember that this is a winders-only issue. Am I correct?

Posted by: Jake Munson on May 11, 2004 10:42 AM

The widely-discussed issues (that are now fixed) were cross-platform (the IE variant of the URL-hiding issue was, of course, Windows-only, because IE is now). Asa's link is 404 because it takes you to example.com, not mozilla.org as it may suggest, which was his point.

The point of this, as you said initially, is simply to make it easier to notice a phishing attempt by having that bright green announcement taking up 10% of your screen. The question then is whether people will actually know what domain they are supposed to be looking at in the big green text, and if the big green text isn't there, whether they will know that is a Bad Thing.

Posted by: michaell on May 11, 2004 11:05 AM

Don't get me wrong, guys, I'm not trying to bash Mozilla or SpoofStick. I'm just a bit concerned about the need for an extension like this. But I think you guys have filled me in well enough.

From the articles I've read about phishing (here's an excellent one: http://news.netcraft.com/archives/2004/05/04/the_phisher_kings.html), it will probably become a new facet of the security industry, with various companies making money on products that protect against it. I'd hope Mozilla can stay ahead of the curve by keeping those phishing holes plugged.

Posted by: Jake Munson on May 11, 2004 11:37 AM
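The two defences the thread discusses, a SpoofStick-style banner that shows the host the browser really connects to, and the Mozilla warning for links that carry credentials the server never asked for, as an added example that is not code from the original post, from SpoofStick, or from Mozilla. It assumes a Python standard-library URL parser, a hypothetical `DOMAIN_LIKE` pattern for spotting a domain name smuggled into the userinfo part, and banner wording of my own; the sample links are constructed to mirror the ones quoted above (Asa's "mozilla.org" link that lands on example.com, and the evilsite.com path that only reassures the reader).

```python
import re
from urllib.parse import urlsplit

# Constructed sample links modelled on the ones discussed in the thread.
# The first is the "mozilla.org" link that really lands on example.com, the
# second is the evilsite.com path that merely reassures the reader, and the
# third is a genuine mozilla.org link.
SAMPLE_LINKS = [
    "http://www.mozilla.org@example.com/great-offer",
    "http://evilsite.com/good-site-really-i-promise",
    "http://www.mozilla.org/",
]

# Hypothetical helper (not from the page): a token that looks like a domain
# name, used to notice a domain being placed in the userinfo part so that the
# link reads as if it pointed at that site.
DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)


def real_host(url):
    """Return the host the browser will actually connect to.

    urlsplit() treats everything before the last '@' in the authority as
    credentials, so 'www.mozilla.org@example.com' yields 'example.com'.
    This is the value a SpoofStick-style banner should display.
    """
    parts = urlsplit(url)
    if not parts.netloc or parts.hostname is None:
        raise ValueError("no host component in %r" % url)
    return parts.hostname  # port stripped and lowercased by urlsplit


def analyze_link(url):
    """Apply both defences from the thread to one link and report the result."""
    parts = urlsplit(url)
    host = real_host(url)
    result = {
        "host": host,
        # Assumed banner wording; SpoofStick's own text may differ.
        "banner": "You're on " + host,
        "userinfo_warning": False,
        "notes": [],
    }
    if parts.username is not None or parts.password is not None:
        # The Mozilla fix Asa mentions: warn when the link carries auth the
        # server did not require. The credentials are sent as a username;
        # they never change which host is contacted.
        result["userinfo_warning"] = True
        result["notes"].append(
            "link embeds credentials %r; they are sent as a username, "
            "not used to choose the host" % (parts.username or "")
        )
        if parts.username and DOMAIN_LIKE.match(parts.username):
            result["notes"].append(
                "the 'username' %r looks like a domain name, which makes "
                "the link read as if it pointed at that site" % parts.username
            )
    # The evilsite.com/good-site-really-i-promise case produces no warning:
    # nothing in the URL is malformed, so only the banner can help the reader,
    # which is exactly the limit Asa describes.
    return result


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        report = analyze_link(link)
        flag = "WARN" if report["userinfo_warning"] else " ok "
        print("[%s] %-48s -> %s" % (flag, link, report["banner"]))
        for note in report["notes"]:
            print("        " + note)
```

Run it as a script to see the three links side by side: the userinfo link gets both the warning and a banner naming example.com, the evilsite.com link gets only the banner (there is nothing malformed to warn about), and the genuine link passes cleanly. The banner's value is decided purely by what urlsplit() reports as the hostname, never by what appears before the '@' or in the path, which is the property SpoofStick relies on.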