
It's not the icon, it's the hash value. If it doesn't match a known hash, you have an imposter. Full stop.


The "practical example" in the article is the exact opposite of that, it searches for the hash of a known favicon and filters to sites that shouldn't match it but do. It would require a particularly incompetent attacker (or a very contrived case) to not match the favicon of a public website.


No - the point is to quickly detect random websites that simply duplicate known favicons! Matching hashes can only occur in these cases:

- the site is a careless impostor

- the site is the real deal

- a hash collision


We agree here. The point is to detect imposters via favicon. Case 1 is easy, simple, and a legitimate concern. Case 2 is the inverse of case 1. A host is misconfigured or something. Much harder to detect, but no more important. Case 3 should not exist.


> Case 3 should not exist.

Case 3 must exist by the pigeonhole principle given that the hashes are smaller than most favicons. Otoh, if it does show up, you can exclude it by doing a full comparison.


If it does show up you go play the lottery where the odds are far less long.


If that was true, we could finally abandon PKI and just use favicons...


Marry the favicon sha256 hash with a list of hostnames and put the values into a trusted database.
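The scheme sketched in the thread, worked through as an added example (not code from any commenter or from the article under discussion): a trusted database maps each favicon's sha256 to the hostnames allowed to serve it and keeps the full bytes so a hash match can be confirmed by exact comparison. The three cases from the thread fall out of one lookup: a known hash on a listed host is the real deal, a known hash on an unlisted host is a careless impostor, and a hash match whose bytes differ is a collision and is rejected rather than counted either way. The favicon bytes, hostnames and observations below are all constructed so the example runs offline.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


def favicon_sha256(data: bytes) -> str:
    """Hash the raw favicon bytes; the digest, not the image, is what gets compared."""
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for real favicon files (an ICO header prefix plus filler).
# They belong to no real site and exist only so the example runs offline.
FAVICONS: Dict[str, bytes] = {
    "bank": b"\x00\x00\x01\x00" + b"bank-favicon-bytes" * 8,
    "shop": b"\x00\x00\x01\x00" + b"shop-favicon-bytes" * 8,
}


@dataclass(frozen=True)
class TrustedFavicon:
    hosts: FrozenSet[str]   # hostnames allowed to serve this favicon
    data: bytes             # full bytes, kept so a digest match can be verified exactly


TrustedDB = Dict[str, TrustedFavicon]   # sha256 hex digest -> entry


def build_trusted_db(entries: Iterable[Tuple[bytes, Iterable[str]]]) -> TrustedDB:
    """Build the 'trusted database' from (favicon bytes, allowed hostnames) pairs."""
    return {favicon_sha256(data): TrustedFavicon(frozenset(hosts), data) for data, hosts in entries}


# Constructed trusted database (hypothetical hostnames).
TRUSTED: TrustedDB = build_trusted_db([
    (FAVICONS["bank"], {"bank.example", "www.bank.example"}),
    (FAVICONS["shop"], {"shop.example"}),
])


def classify(hostname: str, data: bytes, trusted: TrustedDB = TRUSTED) -> str:
    """Map one (hostname, favicon bytes) observation to a verdict."""
    entry = trusted.get(favicon_sha256(data))
    if entry is None:
        # The digest matches nothing trusted. If the host itself is on the list, its
        # favicon changed or the host is misconfigured; otherwise it is an unrelated site.
        if any(hostname in e.hosts for e in trusted.values()):
            return "trusted-host-unexpected-favicon"
        return "unrelated"
    if entry.data != data:
        # Same digest, different bytes: a collision. Exact comparison rules it out
        # instead of letting it pass as either a legitimate host or an impostor.
        return "hash-collision"
    if hostname in entry.hosts:
        return "legitimate"   # the real deal
    return "impostor"         # a known favicon served by a host not allowed to use it


def find_impostors(observations: Iterable[Tuple[str, bytes]],
                   trusted: TrustedDB = TRUSTED) -> List[str]:
    """The search described in the thread: hosts serving a known favicon they are not listed for."""
    return [host for host, data in observations if classify(host, data, trusted) == "impostor"]


if __name__ == "__main__":
    # Constructed observations, in the shape a scanner would hand back.
    observed = [
        ("bank.example", FAVICONS["bank"]),
        ("bank-login.example", FAVICONS["bank"]),   # copied icon on a lookalike host
        ("shop.example", b"\x00\x00\x01\x00" + b"new-shop-icon" * 8),
        ("blog.example", b"\x00\x00\x01\x00" + b"some-other-icon" * 8),
    ]
    for host, data in observed:
        print(f"{host:24} {classify(host, data)}")
    print("impostors:", find_impostors(observed))
```

A sha256 collision cannot be constructed for the test, so the collision branch is exercised by inserting a database entry whose stored bytes differ from the bytes being checked, which is exactly the situation a full comparison is there to catch.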



