Status of SRP

Florian Weimer fw at deneb.enyo.de
Sat Jun 3 03:59:19 EDT 2006


* Ka-Ping Yee:

> Passpet's strategy is to customize a button that you click.  We
> are used to recognizing toolbar buttons by their appearance, so
> it seems plausible that if the button has a custom per-user icon,
> users are unlikely to click on a spoofed button with the wrong
> icon.  Unlike other schemes, such as special-looking windows or
> a custom image shown with the login form, this strategy requires
> the user to directly interact with the customized UI element.

I'm not sure if this can't be defeated by something like a "Choose a
new funny icon for your security button!" offer. 8-( However, this
points to a more general problem: We have no real-world studies how
users make their day-to-day trust decisions when using the Internet.

For example, if I need to judge the trustworthiness of a web page, a
large factor is the way I got there.  If it was a link from an email
message that looks like spam, or something that was returned by a
search engine, I'm rather sceptical.  This is why those "80% can't
tell a phishing page apart from the real one" web-based studies are
quite worthless.  They simply do not present enough context.

| The field for entering your master password isn't labelled "Enter
| your password:" - instead, it's labelled "Enter Betty's secret:".
| Since the persona differs from user to user, it's hard to even ask
| for the password because the spoofer doesn't know what to call it.

I suppose this can be circumvented if you use email to lure the
victim to the fake web page and have obtained names matching the email
addresses.  Even if you want to present the full address to the
victim, you can buy this data from direct marketing companies, I
think.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com