Status of SRP

Florian Weimer fw at deneb.enyo.de
Thu Jun 1 03:23:01 EDT 2006


* James A. Donald:

>     --
> Florian Weimer wrote:
>> There is no way to force an end user to enter a
>> password only over SRP.
>
> Phishing relies on the login page looking familiar.  If
> SRP is in the browser chrome, and looks strikingly
> different from any web page, the login page will not
> look familiar.

All browsers I've tested permit overriding chrome in the default
configuration as a deliberate design decision. 8-(

>> Fortunately, it doesn't matter because today, we must
>> assume that the client is thoroughly compromised,
>> which means that entering passwords over SRP isn't
>> safe, either.
>
> That is an all purpose argument that is deployed
> selectively against some measures and not others.

If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list