[Cryptography] Toxic Combination

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Dec 6 22:14:15 EST 2014

<alex at alten.org> writes:

>How would you propose going about doing it for a globally scalable system?

I don't want anyone to design a new globally scalable system, in fact we don't
need any new "system" at all.  I just want to see the current browser strategy
of "hand over the password in plaintext to whoever asks for it" replaced with
"perform password-based mutual challenge/response auth", which short-circuits
the whole phishing equation.  We already have standard mechanisms defined for
this (TLS-PSK, TLS-SRP), they're just not implemented by any browser.


More information about the cryptography mailing list