RE: Timo's proposal for protecting the refund address:

Seems to me there are two risks:

1) The risk that the merchant's web server will be compromised and the attacker will redirect refunds
2) The risk that the merchant will miss payments because they miss a POST to the payment_url (maybe the customer's machine crashes during the HTTPS handshake)

If payments are a lot more common than refunds, then (2) will outweigh (1).

I also think an attacker who compromises the front-end web server would probably just have it start generating plain-old pay-to-bitcoin-address payment requests, and hope that lots of customers pay them directly before the attack is discovered.

--
--
Gavin Andresen