[26996] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Jun 1 10:11:27 2006
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
Date: Wed, 31 May 2006 07:32:43 +0200
In-Reply-To: <447CD845.7000906@echeque.com> (James A. Donald's message of "Wed, 31 May 2006 09:41:57 +1000")
* James A. Donald:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?
There is no way to force an end user to enter a password only over
SRP. That's why SRP is not effective against phishing (even the
mimicry variant). In that regard, the password input field was a huge
mistake. Fortunately, it doesn't matter because today, we must assume
that the client is thoroughly compromised, which means that entering
passwords over SRP isn't safe, either.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
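The exchange the thread is arguing about, as an added example (not code from either poster or from any SRP library): a minimal SRP-6a run in Python, with the server holding only a salt and verifier, mutual proof of the session key, and an impostor server that holds no verifier and therefore fails the client's check. Assumptions are labelled in comments: the group is a toy Mersenne-prime group chosen for readability rather than an RFC 5054 group, the hash inputs are simplified, and the names (Client, Server, run_srp, impostor_detected) are this example's own. What it shows is that the protection exists only while the password is fed into the SRP computation; a plain password field on a look-alike page never enters this code path, which is the point Florian makes above.

```python
import hashlib
import hmac
import secrets

# Toy group (assumption, for readability): the Mersenne prime 2^127 - 1 with g = 3.
# Real deployments use the safe-prime groups from RFC 5054 (2048 bits or larger).
N = (1 << 127) - 1
g = 3


def H(*parts):
    """SHA-256 over the concatenated big-endian encodings of ints/bytes, as an int.
    Simplified relative to the RFC 5054 padding rules; fine for a demonstration."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        h.update(p)
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def compute_x(salt, username, password):
    # x = H(s | H(I ":" p)); only the client ever evaluates this.
    return H(salt, H(username.encode() + b":" + password.encode()))


def make_verifier(username, password):
    """Enrolment: the server stores (salt, v = g^x) and never sees the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, compute_x(salt, username, password), N)


class Client:
    def __init__(self, username, password):
        self.I, self.p = username, password

    def start(self):
        self.a = secrets.randbelow(N - 2) + 1          # private ephemeral
        self.A = pow(g, self.a, N)                      # public ephemeral
        return self.I, self.A

    def process_challenge(self, salt, B):
        if B % N == 0:
            raise ValueError("invalid server ephemeral B")
        u = H(self.A, B)
        if u == 0:
            raise ValueError("degenerate scrambling parameter u")
        x = compute_x(salt, self.I, self.p)
        # S = (B - k*g^x)^(a + u*x); with an honest server B - k*g^x == g^b.
        base = (B - k * pow(g, x, N)) % N
        S = pow(base, self.a + u * x, N)
        self.K = H(S)
        self.M1 = H(self.A, B, self.K)                  # client's proof of K
        return self.M1

    def verify_server(self, M2):
        expected = H(self.A, self.M1, self.K)
        return hmac.compare_digest(M2.to_bytes(32, "big"), expected.to_bytes(32, "big"))


class Server:
    def __init__(self, salt, verifier):
        self.salt, self.v = salt, verifier              # no password stored

    def challenge(self, A):
        if A % N == 0:
            raise ValueError("invalid client ephemeral A")
        self.A = A
        self.b = secrets.randbelow(N - 2) + 1
        self.B = (k * self.v + pow(g, self.b, N)) % N
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, N), self.b, N)       # S = (A * v^u)^b
        self.K = H(S)
        return self.salt, self.B

    def verify_client(self, M1):
        expected = H(self.A, self.B, self.K)
        if not hmac.compare_digest(M1.to_bytes(32, "big"), expected.to_bytes(32, "big")):
            return None                                 # reject; no M2 issued
        return H(self.A, M1, self.K)                    # server's proof of K


def run_srp(server, client):
    """One full exchange; returns (server accepted client, client accepted server)."""
    _, A = client.start()
    salt, B = server.challenge(A)
    M1 = client.process_challenge(salt, B)
    M2 = server.verify_client(M1)
    if M2 is None:
        return False, False
    return True, client.verify_server(M2)


def impostor_detected():
    """A look-alike server with no verifier (constructed: it uses a random v and
    guesses M2) cannot complete the exchange, and the password never leaves the client."""
    client = Client("alice", "correct horse battery staple")
    _, A = client.start()
    fake = Server(b"\x00" * 16, pow(g, secrets.randbelow(N), N))
    salt, B = fake.challenge(A)
    client.process_challenge(salt, B)
    forged_M2 = secrets.randbelow(1 << 256)
    return not client.verify_server(forged_M2)


if __name__ == "__main__":
    salt, v = make_verifier("alice", "correct horse battery staple")
    print(run_srp(Server(salt, v), Client("alice", "correct horse battery staple")))  # (True, True)
    print(run_srp(Server(salt, v), Client("alice", "wrong password")))                # (False, False)
    print(impostor_detected())                                                        # True
```

The server never learns the password and the impostor never learns it either, but only because every byte of it went through compute_x. Nothing in the browser distinguishes this flow from a plain form POST to a phishing host, and on a compromised client the password is read before compute_x runs at all.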