Status of SRP

James A. Donald jamesd at echeque.com
Thu Jun 1 02:01:57 EDT 2006


     --
Florian Weimer wrote:
 > There is no way to force an end user to enter a
 > password only over SRP.

Phishing relies on the login page looking familiar.  If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page will not
look familiar.

 > Fortunately, it doesn't matter because today, we must
 > assume that the client is thoroughly compromised,
 > which means that entering passwords over SRP isn't
 > safe, either.

That is an all-purpose argument that is deployed
selectively against some measures and not others.

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      FngUFki/IKrJQzXmzcNmvTTH5ZAwHCQkTSIXkWVI
      4wPX3iZ25iE0SC3Pk6sdr5enUTiKLhPd829ew/9kX

---------------------------------------------------------------------
The Cryptography Mailing List