Status of SRP

[Jeffrey Altman]

James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to happening.  SASL-SRP was recently
> dropped.  What is the problem?

Unfortunately, SRP is not the solution to the phishing problem.
The phishing problem is made up of many subtle sub-problems involving
the ease of spoofing a web site and the challenges involved in securing
the enrollment and password change mechanisms.  SRP would allow a client
to know that a service is in fact the correct service when the
authentication succeeds.  However, it would not help in the situation
when the authentication fails.  This could be because the user is not
sure of what the password is or even sure which account name was being
used.

Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed where
    the security either comes from a "trusted desktop" or by per-user
    customizations that significantly decrease the chances that the
    attacker can fake the web site experience.  (Prevent the attacker
    from replicating the browser frame, toolbars, lock icons,
    certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers)
    that end users need to remember.  With a separate identifier for
    each and every web site it is no surprise that my extended family
    can never remember what was used at each site.   Therefore, it is
    not much of a surprise when a site says that the authentication
    failed.

(3) Secure mechanisms must be developed for handling enrollment and
    password changing.

Only then can we truly address the phishing problem.

Jeffrey Altman
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3323 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20060601/2edd7524/attachment.bin>