[27002] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (Florian Weimer)
Thu Jun 1 10:14:06 2006
X-Original-To: cryptography@metzdowd.com
From: Florian Weimer <fw@deneb.enyo.de>
To: "James A. Donald" <jamesd@echeque.com>
Cc: cryptography@metzdowd.com
Date: Thu, 01 Jun 2006 09:23:01 +0200
In-Reply-To: <447E82D5.4040100@echeque.com> (James A. Donald's message of "Thu, 01 Jun 2006 16:01:57 +1000")
* James A. Donald:
> --
> Florian Weimer wrote:
>> There is no way to force an end user to enter a
>> password only over SRP.
>
> Phishing relies on the login page looking familiar. If
> SRP is in the browser chrome, and looks strikingly
> different from any web page, the login page will not
> look familiar.
All browsers I've tested permit overriding chrome in the default
configuration as a deliberate design decision. 8-(
>> Fortunately, it doesn't matter because today, we must
>> assume that the client is thoroughly compromised,
>> which means that entering passwords over SRP isn't
>> safe, either.
>
> That is an all purpose argument that is deployed
> selectively against some measures and not others.
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com