Hacker News

You can just remove all CA certs from your browser and then it works somewhat like SSH.



Yes, it's pretty close. However where SSH warns you whenever you encounter a new server, the SSL in your browser only warns you when you encounter a new CA (Certificate Authority).

For the browser to behave more like SSH, it would have to maintain a list of individual sites which you have accepted as genuine. Then if you get a phishing email asking you to click a fake link such as https://lo0m.cc, you will get a warning even if the lo0m.cc site has a certificate "verified by Equifax" or whomever. This is a good example of where the current SSL protocol utterly fails.

When you visit the real loom.cc site which you originally trusted, you should see a happy warm reassurance in the browser bar, maybe including a pet name or avatar. But when you visit lo0m.cc, you should see the entire browser framed in red with a warning that this is the first time you have ever visited this site and you could be the victim of a phishing expedition. Something like that. I'm hand-waving a bit now. And it may get annoying for people at first, as they establish trust in their first 20 banking, gaming, or social networking sites. Kind of like installing a new CA root 20 times right? You don't want it to be too easy or people might just "click through" unconsciously. But personally I don't find this to be a great difficulty with SSH.

Indeed the building blocks are all there in SSL, namely (1) the verification of digital signatures, and (2) the negotiation of a symmetric encryption key. Some may carp about the protocol or the code being a mess, but as a black box it works just fine.

I think browser writers could phight phishing more effectively by thinking outside the box of implicit trust in central authority.


Almost no aspect of the phishing problem is rooted in HTTPS.


That is precisely why I criticize SSL. One of the primary goals of SSL is to authenticate a site so that Grandma can rest assured she is not being scammed. "Phishing" represents a catastrophically expensive failure to achieve that goal.

Trusted root CAs have "verified" millions of SSL certificates to one degree or another, from simple checks for ___domain control all the way up to brick and mortar audits. The problem is, any one of those millions of certificates can be used to phish customers of building-and-loan.com and steal massive amounts of their money.

A scammer simply sends Grandma an official looking email saying "We have recently received a request to wire money out of your Building and Loan account. Please log in here to confirm or deny this request. This extra level of precaution is for your safety. Sincerely, [insert signature of CEO here]."

Now when Grandma clicks the link, she is taken to an SSL-protected site called "building-and-loan-confirmation.com", which to Grandma's delight and comfort is "verified by Equifax". This misplaced trust costs Grandma $25,700.

I am thinking the very least browser writers can do is give Grandma a simple way to "confirm" a site which she has visited. Once she has confirmed it, and maybe given it a "pet name", her browser will display an especially reassuring theme any time she visits that site again (e.g. green border, friendly picture, familiar name, whatever).

Grandma still needs to know that she should only log in when she sees that reassuring theme. Any time she visits a non-confirmed site, she will only see a plain looking neutral theme. (Note: NOT alarming red, because then she'd see red constantly as she browses around. Just neutral.)

Note that the suggestion I just made actually has nothing to do with SSL. Keep in mind that a phisher could easily send Grandma an unsecured link in an email -- no HTTPS at all. If Grandma clicks that link, she will only see a neutral theme, and if she remembers her lesson, she will NOT log in because she does not see the reassuring theme.

Of course, you could also say that Grandma should remember this lesson: don't click links in emails. Only visit sites by (1) typing in the name yourself or (2) using a bookmark. But I'm just trying to suggest a way to help Grandma after she has forgotten that primary lesson.

Here's another idea. You know how Firefox remembers passphrases for you, protected by a master security passphrase? That could help here. If Grandma visits the real building-and-loan.com site, her user name and password will be filled out for her automatically. If she visits a phishing site, it won't. That is another "hook" where browser writers might do something to help dear Grandma protect her property from predators. Something along the lines of: "This site is asking you to log in, but you have never logged into this site before. Are you sure you want to do this?"
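The SSH-style per-site trust store sketched in the comment above (warn on a never-seen host such as lo0m.cc, warm reassurance and a "pet name" on a confirmed host), together with the "confirm a site" and password-autofill hooks described in the comment just ended, worked out as an added Python example. This is illustrative code, not part of the original thread and not anything a real browser ships; the host names, the "grandma" login and the byte strings standing in for DER-encoded certificates are all constructed for the example. The CA chain is deliberately ignored: trust is keyed only on exact host name plus leaf-certificate SHA-256 fingerprint, which is why a CA-verified lookalike still lands in the "first visit" state.

```python
"""Trust-on-first-use (TOFU) site store for a browser, modelled on SSH's known_hosts.

Added example, not code from the original discussion. Trust is keyed on the exact
host name plus the leaf certificate's SHA-256 fingerprint, so a lookalike host with
a perfectly valid CA-issued certificate still shows up as "never visited before".
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional

# Verdicts the UI would map to themes: neutral, reassuring, or alarming.
NEW = "new"              # first visit: neutral theme, never auto-fill here
KNOWN = "known"          # seen before with the same cert, not yet confirmed by the user
CONFIRMED = "confirmed"  # user confirmed it: green border / pet name
MISMATCH = "mismatch"    # cert changed since last visit: the SSH-style alarm


def normalize_host(host: str) -> str:
    """Canonical form so 'Loom.CC.' and 'loom.cc' map to one entry."""
    return host.strip().rstrip(".").lower()


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded leaf cert (what `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class SiteEntry:
    fingerprint: str
    confirmed: bool = False
    pet_name: Optional[str] = None
    visits: int = 0


class KnownSites:
    """known_hosts for HTTPS: a pinned fingerprint per host plus the user's confirmation."""

    def __init__(self) -> None:
        self._sites: Dict[str, SiteEntry] = {}
        self._credentials: Dict[str, str] = {}  # host -> username (password omitted here)

    def visit(self, host: str, cert_der: bytes) -> str:
        host, fp = normalize_host(host), fingerprint(cert_der)
        entry = self._sites.get(host)
        if entry is None:
            # First encounter: record it (trust on first use) but show nothing reassuring.
            self._sites[host] = SiteEntry(fingerprint=fp, visits=1)
            return NEW
        if entry.fingerprint != fp:
            # Same host, different key: the one case that must be loud. The pin is
            # NOT overwritten here; only an explicit user action (repin) may change it.
            return MISMATCH
        entry.visits += 1
        return CONFIRMED if entry.confirmed else KNOWN

    def confirm(self, host: str, pet_name: str) -> None:
        """The user marks a site she has already visited as genuine and names it."""
        entry = self._sites[normalize_host(host)]
        entry.confirmed, entry.pet_name = True, pet_name

    def repin(self, host: str, cert_der: bytes) -> None:
        """Explicit acceptance of a new certificate after a MISMATCH warning."""
        self._sites[normalize_host(host)].fingerprint = fingerprint(cert_der)

    def pet_name(self, host: str) -> Optional[str]:
        entry = self._sites.get(normalize_host(host))
        return entry.pet_name if entry else None

    # --- the password-manager hook ---
    def save_login(self, host: str, username: str) -> None:
        self._credentials[normalize_host(host)] = username

    def autofill(self, host: str) -> Optional[str]:
        """Only fill credentials on a confirmed host; a lookalike host gets None."""
        host = normalize_host(host)
        entry = self._sites.get(host)
        if entry is None or not entry.confirmed:
            return None
        return self._credentials.get(host)

    # --- persistence, like known_hosts on disk ---
    def dump(self) -> str:
        return json.dumps({"sites": {h: asdict(e) for h, e in self._sites.items()},
                           "credentials": self._credentials}, sort_keys=True)

    @classmethod
    def load(cls, text: str) -> "KnownSites":
        data, store = json.loads(text), cls()
        store._sites = {h: SiteEntry(**e) for h, e in data["sites"].items()}
        store._credentials = dict(data["credentials"])
        return store


# Constructed stand-ins for DER certificate bytes (not real certificates).
CERT_LOOM = b"constructed-der:loom.cc:key1"
CERT_LOOM_ROTATED = b"constructed-der:loom.cc:key2"
CERT_LOOKALIKE = b"constructed-der:lo0m.cc:ca-signed-key"


def demo() -> dict:
    """Walk through the thread's scenarios and return each verdict."""
    store, out = KnownSites(), {}
    out["first_visit"] = store.visit("loom.cc", CERT_LOOM)            # new
    store.confirm("loom.cc", "My Loom")
    store.save_login("loom.cc", "grandma")
    out["return_visit"] = store.visit("Loom.CC.", CERT_LOOM)          # confirmed
    out["lookalike"] = store.visit("lo0m.cc", CERT_LOOKALIKE)         # new, whoever signed it
    out["lookalike_again"] = store.visit("lo0m.cc", CERT_LOOKALIKE)   # known, still not confirmed
    out["lookalike_autofill"] = store.autofill("lo0m.cc")             # None
    out["real_autofill"] = store.autofill("loom.cc")                  # "grandma"
    out["rotated_key"] = store.visit("loom.cc", CERT_LOOM_ROTATED)    # mismatch
    reloaded = KnownSites.load(store.dump())
    out["after_reload"] = reloaded.visit("loom.cc", CERT_LOOM)        # still confirmed
    out["pet_name"] = reloaded.pet_name("loom.cc")                    # "My Loom"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>18}: {v}")
```

Two design points carry the thread's argument: `visit` never overwrites a pin on mismatch (an attacker who can present a different certificate for a known host must not be able to silently re-pin it), and `autofill` is gated on the user's explicit confirmation rather than on mere prior visits, so one click through a phishing email never creates a reassuring state.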


Yeah, but you can't remove all the CA certs from your users' browsers, which is the issue. www.bank-of-america.ru will not display anything out of the ordinary to real users.



