Status of SRP
Florian Weimer
fw at deneb.enyo.de
Thu Jun 1 03:23:01 EDT 2006
* James A. Donald:
> --
> Florian Weimer wrote:
>> There is no way to force an end user to enter a
>> password only over SRP.
>
> Phishing relies on the login page looking familiar. If
> SRP is in the browser chrome, and looks strikingly
> different from any web page, the login page will not
> look familiar.
All browsers I've tested permit overriding chrome in the default
configuration as a deliberate design decision. 8-(
>> Fortunately, it doesn't matter because today, we must
>> assume that the client is thoroughly compromised,
>> which means that entering passwords over SRP isn't
>> safe, either.
>
> That is an all purpose argument that is deployed
> selectively against some measures and not others.
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.
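The exchange under discussion, written out as an added illustration that is not part of the original message or of any SRP library: a minimal SRP-6a enrolment and login in Python. The group parameters (a 127-bit prime and g = 2), the SHA-256 hash, and all function and variable names are assumptions chosen for readability; a real deployment uses a large safe-prime group such as those in RFC 5054. What the example makes visible is exactly the boundary the thread argues over: the server stores only a salt and verifier and never sees the password, and the password never crosses the network, but the password is still typed into, and processed by, the client in the clear before any of this math runs.

```python
import hashlib
import secrets

# Toy group parameters (constructed for illustration only).
N = (1 << 127) - 1   # a prime, but far too small for real use
g = 2


def H(*parts):
    """Hash integers, strings and bytes to one integer with SHA-256."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g) % N   # SRP-6a multiplier parameter


def make_verifier(username, password):
    """Enrolment. Returns what the server stores: a salt and v = g^x.
    The password itself is never stored and cannot be recovered from v
    other than by guessing."""
    salt = secrets.token_bytes(16)
    x = H(salt, H(username + ":" + password))
    return salt, pow(g, x, N)


def srp_exchange(username, password, salt, verifier):
    """Run one SRP-6a login. Returns (client_key, server_key); they agree
    only if the client's password matches the stored verifier."""
    # Client: ephemeral secret a and public value A = g^a.
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    if A % N == 0:              # server-side check: reject a degenerate A
        raise ValueError("client sent A == 0 mod N")

    # Server: ephemeral secret b and public value B = k*v + g^b.
    b = secrets.randbelow(N - 2) + 1
    B = (k * verifier + pow(g, b, N)) % N
    if B % N == 0:              # client-side check: reject a degenerate B
        raise ValueError("server sent B == 0 mod N")

    # Both sides: scrambling parameter u = H(A, B).
    u = H(A, B)

    # Client: recomputes x from the typed password, then
    # S = (B - k*g^x)^(a + u*x). Note the password is needed in the clear
    # here, on the client, regardless of how strong the protocol is.
    x = H(salt, H(username + ":" + password))
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)

    # Server: S = (A * v^u)^b, using only the stored verifier.
    S_server = pow((A * pow(verifier, u, N)) % N, b, N)

    return H(S_client), H(S_server)


def srp_login(username, password, salt, verifier):
    """True when the password proves knowledge of the enrolled secret."""
    client_key, server_key = srp_exchange(username, password, salt, verifier)
    return client_key == server_key


if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse battery staple")
    print("correct password:", srp_login("alice", "correct horse battery staple", salt, v))
    print("wrong password:  ", srp_login("alice", "wrong", salt, v))
```

Both sides end up with the same session key when the password matches, and with unrelated keys otherwise, without the password or the verifier ever being sent. Nothing in `srp_exchange` helps if the machine running the client half has already been compromised; that is the point being made in the reply above.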
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com