[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Ron Garret ron at flownet.com
Wed Aug 5 13:09:18 EDT 2015


On Aug 5, 2015, at 7:39 AM, Carlo Contavalli <ccontavalli at gmail.com> wrote:

> On Wed, Aug 5, 2015 at 3:07 AM, Ben Laurie <ben at links.org> wrote:
>> On Wed, 5 Aug 2015 at 03:24 Carlo Contavalli <ccontavalli at gmail.com> wrote:
>>> 
>>> The cost on the user is in making sure he is entering the username and
>>> password only in "secure boxes", rather than random ones on the web
>>> site.
>> 
>> 
>> This is the core problem - if we could get users to only type their
>> passwords into the one true password box, then there are many viable
>> solutions to "the password problem". But all attempts to do this so far have
>> been dismal failures.
> 
> Out of curiosity, do you have more details about previous attempts?

And in particular, has there ever been an attempt that was integrated into the browser so that the user could actually have a hope of knowing whether or not they were dealing with the One True Password Box?  (No, browser certificates don’t count.  Certs got the underlying auth right but dropped the ball in a big way on the UX.)

rg


