Status of SRP
Florian Weimer
fw at deneb.enyo.de
Wed May 31 01:32:43 EDT 2006
* James A. Donald:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
There is no way to force an end user to enter a password only over
SRP. That's why SRP is not effective against phishing (even the
mimicry variant). In that regard, the password input field was a huge
mistake. Fortunately, it doesn't matter because today, we must assume
that the client is thoroughly compromised, which means that entering
passwords over SRP isn't safe, either.
---------------------------------------------------------------------
The Cryptography Mailing List