[Cryptography] Toxic Combination
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Sat Dec 6 22:14:15 EST 2014
<alex at alten.org> writes:
>How would you propose going about doing it for a globally scalable system?
I don't want anyone to design a new globally scalable system; in fact we don't
need any new "system" at all. I just want to see the current browser strategy
of "hand over the password in plaintext to whoever asks for it" replaced with
"perform password-based mutual challenge/response auth", which short-circuits
the whole phishing equation. We already have standard mechanisms defined for
this (TLS-PSK, TLS-SRP), they're just not implemented by any browser.
Peter.