Status of SRP
John Brazel
john at tellurian.com.au
Wed Jun 7 02:49:43 EDT 2006
Jeffrey Altman wrote:
> Solving the phishing problem requires changes on many levels:
>
> (1) Some form of secure chrome for browsers must be deployed where
> the security either comes from a "trusted desktop" or by per-user
> customizations that significantly decrease the chances that the
> attacker can fake the web site experience. (Prevent the attacker
> from replicating the browser frame, toolbars, lock icons,
> certificate dialogs, etc.)
>
> (2) Reducing the number of accounts and passwords (or other identifiers)
> that end users need to remember. With a separate identifier for
> each and every web site it is no surprise that my extended family
> can never remember what was used at each site. Therefore, it is
> not much of a surprise when a site says that the authentication
> failed.
>
> (3) Secure mechanisms must be developed for handling enrollment and
> password changing.
>
What we really need is something similar to the built-in "remember
my password" functionality of current web browsers: the browser keeps
track of a login/password/certified (i.e. TLS certificate-backed) DNS name
tuple, and if it ever spots the user entering said login/password into a
different website, brings up some form of dialog alerting the user to a
potential phishing attack.
The downside, of course, is that:
a) It wouldn't handle password changing,
b) Some people use the same login and password *everywhere*,
c) Once you change browsers or computers, all bets are off (because the
new browser doesn't know anything about which passwords you use where).
J.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com