[smt88]

Trademarks are useful. They let you know that you're buying from the person you intend to buy from.

Imagine a world without trademarks. The US would be flooded with iPhone knockoffs, and all of them would be identical to iPhones. They'd have god-knows-what inside them, but they'd bear the Apple logo.

Or, imagine you want to pay your American Express bill. Unfortunately, someone has bought AmericanExpress.card, and you get confused. You end up inputting your AmEx login info into a phishing site and give a hacker your personal data.

In a world without trademarks, Apple and American Express wouldn't have the legal authority to pursue people that are imitating them.

[jessaustin]

A) Of course trademark is valuable (to important parties!), that is the premise of the grandparent comment. (So the "...firms would make do without trademark..." clause is a deliberate absurdity.)

B) This anti-phishing idea is security theater. If you teach cardholders that a URL will save them from getting phished, they'll get phished. This is analogous to, though quite a bit worse than, the idea that a logo guarantees authenticity, even in our current regime. (E.g., some of those who thought they had purchased FTDI components were discovered recently to have not done.)

[smt88]

Re: A) You said either trademarks should go away or apple.gripe should become acceptable. Definitely a false dichotomy, but my comment was targeted at either/both of those possibilities.

Re: B) I completely disagree. I frequently visit mail.google.com, and I trust that I'm not getting phished. I'm going purely on the basis of the URL there. I wouldn't feel the same way going to, say, mail.google.me.

In order to trust a URL, you must be sure that your client system isn't compromised (and nothing in between). If it is, you're vulnerable to much worse than phishing. Phishing is likely unnecessary at that point.

It has nothing to do with the URL being secure or insecure. Using web-enabled computers on a daily basis means that we're trusting our systems not to be infected by unknown/undetected malware. We don't have any alternative, so we take the risk.

There are many ways to be slightly more certain that our DNS records haven't been tampered with nowadays, but we're still basically trusting hackable systems all the time.

[13]

In a way short .com domains display some level of financial cost involved in obtaining them. If I saw a website hosted on hexagon.com I'd assume it's probably legitimate just due to the probable expensive of obtaining it being higher than a phisher might be willing to pay.