>(for example, the merchant opens the PayPal site in a frame or pop-up, so you can't verify that it's really PayPal) //
You can right-click the page in Firefox and choose "view page info", then on the security tab you can see if it's paypal, see the certificate, etc.. Someone could hijack right-click, it's going to be a bit of effort though. I think in FF shift+rightMouseClick overrides normal right-click to give you the browser menu, but probably that's capturable by the site too.
Ctrl+I is the shortcut, but I don't think it handles frames.
You can right-click the page in Firefox and choose "view page info", then on the security tab you can see if it's paypal, see the certificate, etc.. Someone could hijack right-click, it's going to be a bit of effort though. I think in FF shift+rightMouseClick overrides normal right-click to give you the browser menu, but probably that's capturable by the site too.
Ctrl+I is the shortcut, but I don't think it handles frames.