[27115] in cryptography@c2.net mail archive
Re: Status of SRP
daemon@ATHENA.MIT.EDU (James A. Donald)
Fri Jun 2 20:44:12 2006
X-Original-To: cryptography@metzdowd.com
Date: Fri, 02 Jun 2006 09:12:21 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: cryptography@metzdowd.com
In-Reply-To: <Pine.LNX.4.58.0606010213310.5223@server1.LFW.org>
--
Ka-Ping Yee wrote:
> Passpet's strategy is to customize a button that you
> click. We are used to recognizing toolbar buttons by
> their appearance, so it seems plausible that if the
> button has a custom per-user icon, users are unlikely
> to click on a spoofed button with the wrong icon.
> Unlike other schemes, such as special-looking windows
> or a custom image shown with the login form, this
> strategy requires the user to directly interact with
> the customized UI element.
>
> The effectiveness of Passpet's approach is only
> hypothesized; it has never been formally tested, so I
> can't claim it works better.
>
>> Cannot find a web page that presents passpet.
>
> See http://usablesecurity.com/2006/02/08/how-to-prevent-phishing/
This seems like a highly effective cure for phishing,
and one that can be implemented on the individual level
- and unlike my proposed solution, your solution does
not require competent web masters, who tend to be in
short supply. When do you hope to release an actual
working passpet?
--digsig
James A. Donald
6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
2XJ1hBQB4Lh88oartvxNB9R47imTGm9ijr/vCQ5S
4tw2qTJbgf91cRjr3IilUO+alJWC4QViGoIqSUjWI
---------------------------------------------------------------------
The Cryptography Mailing List