Status of SRP

James A. Donald jamesd at echeque.com
Thu Jun 1 19:12:21 EDT 2006


     --
Ka-Ping Yee wrote:
 > Passpet's strategy is to customize a button that you
 > click.  We are used to recognizing toolbar buttons by
 > their appearance, so it seems plausible that if the
 > button has a custom per-user icon, users are unlikely
 > to click on a spoofed button with the wrong icon.
 > Unlike other schemes, such as special-looking windows
 > or a custom image shown with the login form, this
 > strategy requires the user to directly interact with
 > the customized UI element.
 >
 > The effectiveness of Passpet's approach is only
 > hypothesized; it has never been formally tested, so I
 > can't claim it works better.
 >
 >> Cannot find a web page that presents passpet.
 >
 > See http://usablesecurity.com/2006/02/08/how-to-prevent-phishing/

This seems like a highly effective cure for phishing,
and one that can be implemented on the individual level
- and unlike my proposed solution, your solution does
not require competent web masters, who tend to be in
short supply.  When do you hope to release an actual
working passpet?

     --digsig
          James A. Donald
      6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
      2XJ1hBQB4Lh88oartvxNB9R47imTGm9ijr/vCQ5S
      4tw2qTJbgf91cRjr3IilUO+alJWC4QViGoIqSUjWI


---------------------------------------------------------------------
The Cryptography Mailing List