Status of SRP

Ka-Ping Yee cryptography at zesty.ca
Thu Jun 1 03:19:42 EDT 2006


On Thu, 1 Jun 2006, James A. Donald wrote:
> SRP necessarily runs in the chrome, in the client
> software, not in the web page, therefore the chrome,
> should put up an image that cannot be convincingly
> imitated by html

Sure, i agree.  I only brought this up to point out that SRP
alone doesn't solve the problem; it remains an open question how
to best design a password entry field that defeats spoofing.  You
mentioned several techniques, and there are others, and so far we
don't know what works best for most users.

Passpet's strategy is to customize a button that you click.  We
are used to recognizing toolbar buttons by their appearance, so
it seems plausible that if the button has a custom per-user icon,
users are unlikely to click on a spoofed button with the wrong
icon.  Unlike other schemes, such as special-looking windows or
a custom image shown with the login form, this strategy requires
the user to directly interact with the customized UI element.

The effectiveness of Passpet's approach is only hypothesized; it
has never been formally tested, so i can't claim it works better.

> Cannot find a web page that presents passpet.

See http://usablesecurity.com/2006/02/08/how-to-prevent-phishing/
for the original description of the ideas.  The design of Passpet
is a bit more refined now and will be published at SOUPS 2006.


-- ?!ng

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com