[Cryptography] SRP for mutual authentication - as an alternative / addition to certificates?

Ben Laurie ben at links.org
Fri Aug 7 07:39:44 EDT 2015


On Wed, 5 Aug 2015 at 15:39 Carlo Contavalli <ccontavalli at gmail.com> wrote:

> On Wed, Aug 5, 2015 at 3:07 AM, Ben Laurie <ben at links.org> wrote:
> > On Wed, 5 Aug 2015 at 03:24 Carlo Contavalli <ccontavalli at gmail.com> wrote:
> >>
> >> The cost on the user is in making sure he is entering the username and
> >> password only in "secure boxes", rather than random ones on the web
> >> site.
> >
> >
> > This is the core problem - if we could get users to only type their
> > passwords into the one true password box, then there are many viable
> > solutions to "the password problem". But all attempts to do this so far
> > have been dismal failures.
>
> Out of curiosity, do you have more details about previous attempts?
>

Here's a paper that gives a pretty fair overview of the problem:

https://cups.cs.cmu.edu/soups/2005/2005proceedings/p77-dhamija.pdf

Unfortunately I can't find the study they claim they're going to do in that
paper, but I do remember seeing it: it didn't work very well. Which is
probably why I can't find it anymore.