Status of SRP

Jeffrey Altman jaltman at columbia.edu
Sun Jun 4 11:55:42 EDT 2006


James A. Donald wrote:
>     --
> Jeffrey Altman wrote:
>> Unfortunately, SRP is not the solution to the phishing
>> problem. The phishing problem is made up of many
>> subtle sub-problems involving the ease of spoofing a
>> web site and the challenges involved in securing the
>> enrollment and password change mechanisms.
> 
> With SRP, the web site cannot be spoofed, for it must
> prove it knows the user's secret passphrase.

James, SRP can only prevent spoofs of successful authentications
and it can only prevent spoofs when it is actually used.

It cannot prevent spoofs of unsuccessful authentications and that
is where a huge part of the problem lies.  Consider the reaction
of many individuals when they receive a page that indicates that
their username and/or password are incorrect?

Sites that offer the common secret question(s) can be spoofed.
The attacker's spoof sits in the middle, captures the question from
the real site, the answer from the user, and if the real site says
that the new password is being sent, puts up a new page indicating
that the password should be changed online along with prompts for
private information that the attacker wants.

Stopping phishing with successful authentication is not even half
the problem.

Jeffrey Altman
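The exchange the two messages argue about, as an added example that is not part of the thread or of any SRP library: a compact SRP-6a client and server in Python. It uses the 1024-bit group from RFC 5054 (copied here; check it against the RFC before relying on it), SHA-256, and simplified proof messages M1 and M2 (RFC 5054 also folds N, g, the username and the salt into M1). The genuine server must know the verifier v to compute the shared S and therefore M2, so a phishing site that holds no verifier cannot complete a successful login. What it can do is exactly what the reply describes: run the first half of the exchange and then report "incorrect password", which looks the same to the client as a real failed login. The names `Client`, `Server`, `SpoofServer` and `login` are this example's own.

```python
from __future__ import annotations
import hashlib
import secrets

# Group: the 1024-bit safe prime and generator 2 from RFC 5054. Copied from the
# RFC for this example; verify against the RFC text before relying on it.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8


def pad(n: int) -> bytes:
    """Fixed-width big-endian encoding, like RFC 5054's PAD()."""
    return n.to_bytes(NLEN, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(username: str, password: str, salt: bytes) -> int:
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def enroll(username: str, password: str) -> tuple[bytes, int]:
    """Server-side enrollment: only (salt, verifier v) is stored, never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)


def session_key(S: int) -> bytes:
    return hashlib.sha256(pad(S)).digest()


def proof_m1(A: int, B: int, K: bytes) -> bytes:
    # Simplified client proof; RFC 5054 also hashes N, g, I and s into M1.
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def proof_m2(A: int, M1: bytes, K: bytes) -> bytes:
    # Server proof: only a party that derived K (i.e. knows v) can produce it.
    return hashlib.sha256(pad(A) + M1 + K).digest()


class Client:
    def __init__(self, username: str, password: str):
        self.username, self.password = username, password

    def start(self) -> tuple[str, int]:
        self.a = secrets.randbelow(N)          # ephemeral private value
        self.A = pow(g, self.a, N)
        return self.username, self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("server sent a degenerate B")
        u = H(pad(self.A), pad(B))
        x = private_x(self.username, self.password, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = session_key(S)
        self.M1 = proof_m1(self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return secrets.compare_digest(M2, proof_m2(self.A, self.M1, self.K))


class Server:
    def __init__(self, db: dict[str, tuple[bytes, int]]):
        self.db = db                           # username -> (salt, v)

    def respond(self, username: str, A: int) -> tuple[bytes, int]:
        if A % N == 0:
            raise ValueError("client sent a degenerate A")
        salt, v = self.db[username]
        b = secrets.randbelow(N)
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)        # needs v: this is the server's proof material
        self.A, self.K = A, session_key(S)
        self.expect_m1 = proof_m1(A, B, self.K)
        return salt, B

    def check(self, M1: bytes) -> bytes | None:
        if not secrets.compare_digest(M1, self.expect_m1):
            return None                        # "username or password incorrect"
        return proof_m2(self.A, M1, self.K)


class SpoofServer:
    """A look-alike site holding no verifier. It cannot finish a successful login,
    but it can always answer 'incorrect' (or, if it tries to bluff, a bogus M2)."""
    def __init__(self, forge: bool = False):
        self.forge = forge

    def respond(self, username: str, A: int) -> tuple[bytes, int]:
        return secrets.token_bytes(16), pow(g, secrets.randbelow(N), N)

    def check(self, M1: bytes) -> bytes | None:
        return secrets.token_bytes(32) if self.forge else None


def login(client: Client, server) -> str:
    """Run one exchange and report what the client observes."""
    username, A = client.start()
    salt, B = server.respond(username, A)
    M2 = server.check(client.respond(salt, B))
    if M2 is None:
        return "rejected"                      # indistinguishable from a spoof
    return "authenticated" if client.verify_server(M2) else "server failed proof"
```

Against a genuine server the client ends in "authenticated" only after M2 checks out, and a server that bluffs a proof ends in "server failed proof", which is the protection SRP does give. A wrong password at the real site and a correct password at a spoof site both end in "rejected", which is the case the reply says remains unprotected.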