TLS-SRP & TLS-PSK support in browsers (Re: Dutch Transport Card Broken)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Feb 6 23:39:39 EST 2008


Frank Siebenlist <franks at mcs.anl.gov> writes:

>With the big browser war still going strong, wouldn't that provide fantastic
>marketing opportunities for Firefox?

There's always the problem of politics.  You'd think that support for a free
CA like CAcert would also provide fantastic marketing opportunities for a free
browser like Firefox, but this seems to be stalled pretty much indefinitely
because since CAcert doesn't charge for certificates, including it in Firefox
would upset the commercial CAs that do (there's actually a lot more to it than
this, see the interminable flamewars on this topic on blogs and whatnot for
more information).

>If Firefox would support these secure password protocols, and the banks would
>openly recommend their customers to use Firefox because it's safer and
>protects them better from phishing, that would be great publicity for
>Firefox, draw more users, and force M$ to support it too in the long run...

Here's a suggestion to list members:

- If you know a Firefox developer, go to them and tell them that TLS-PSK and
  TLS-SRP support would be a fantastic selling point and would allow Firefox
  to trump IE in terms of resisting phishing, which might encourage banks to
  recommend it to users in place of IE.

- If you know anyone with some clout at Microsoft, tell them that your
  organisation is thinking of mandating a switch to Firefox because IE doesn't
  support phish-resistant authentication like TLS-PSK/TLS-SRP, and since you
  have x million paying customers this won't look good for MS.

- If you work for any banking regulators (for example the FFIEC), require
  failsafe authentication (in which the remote site doesn't get a copy of your
  credentials if the authentication fails) rather than the current two-factor
  auth (which has led to farcical "two-factor" mechanisms like SiteKey).

Oh, and don't tell them I put you up to this :-).

Peter.
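The failsafe property described above (the remote site never receives a copy of the credential, even when authentication fails) is what a password-authenticated key exchange such as SRP gives you. As an added example, not part of the original message, here is a toy SRP-6a style run in Python: the client transmits only a group element and a proof over the derived key, a server holding the real verifier succeeds, and a phishing server that has to invent a verifier fails in a way the client detects. The group N, the sample password and the fake verifier are constructed for this demo and are not real parameters.

```python
import hashlib
import secrets

# Toy SRP-6a style exchange (added example, not from the original post).
# Assumption: N is a small prime for readability; real TLS-SRP uses the
# RFC 5054 groups of 2048 bits or more.
N = 2**61 - 1
g = 2

def H(*parts: int) -> int:
    """Hash a sequence of integers to an integer (toy serialisation)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g)

def private_key(salt: int, password: str) -> int:
    """x = H(salt, H(password)): computed only on the client, never sent."""
    return H(salt, H(int.from_bytes(password.encode(), "big")))

def enroll(password: str) -> tuple[int, int]:
    """The genuine server stores (salt, verifier g^x), not the password."""
    salt = secrets.randbits(64)
    return salt, pow(g, private_key(salt, password), N)

def exchange(password: str, salt: int, verifier: int) -> tuple[bool, bool]:
    """One run between a client holding `password` and a server holding
    `verifier`. Returns (server accepted client, client accepted server)."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                              # client -> server
    B = (k * verifier + pow(g, b, N)) % N         # server -> client
    u = H(A, B)
    x = private_key(salt, password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # client's secret
    S_s = pow(A * pow(verifier, u, N), b, N)             # server's secret
    K_c, K_s = H(S_c), H(S_s)
    M1 = H(A, B, K_c)      # client -> server: proof of K, not the password
    M2 = H(A, M1, K_s)     # server -> client: proof that it really held v
    return M1 == H(A, B, K_s), M2 == H(A, M1, K_c)

def demo(password: str = "correct horse") -> tuple[bool, bool]:
    """(genuine server succeeds, phishing server succeeds)."""
    salt, v = enroll(password)                    # constructed sample enrolment
    genuine = exchange(password, salt, v)
    # A phishing site never enrolled the user, so it has no verifier and must
    # invent one (here it is even handed the real salt). The client's M1 is
    # useless to it, and the client rejects the run when M2 fails to verify.
    phish = exchange(password, salt, pow(g, H(12345), N))
    return all(genuine), any(phish)
```

A wrong password on the client side fails the same way: the server sees a proof it cannot verify, and the client sees a server proof it cannot verify, but the password itself never crosses the wire in either direction.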

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
