[27183] in cryptography@c2.net mail archive


Re: Status of SRP

daemon@ATHENA.MIT.EDU (James A. Donald)
Sat Jun 3 16:43:14 2006

X-Original-To: cryptography@metzdowd.com
Date: Sat, 03 Jun 2006 14:33:48 +1000
From: "James A. Donald" <jamesd@echeque.com>
To: Lance James <lancej@securescience.net>
Cc: cryptography@metzdowd.com
In-Reply-To: <447F1E24.9080607@securescience.net>

Lance James wrote:
 > Here's where SRP fails:
 >
 > 1) SSL is built into the browser - doesn't stop
 > phishers

SSL protects true names, SRP protects true
relationships.  Protecting true names turned out to be
not very useful.

 > "Hi, we're having a problem with your account system
 > as our SRP database was corrupted, please login
 > through the webpage to verify your information and
 > reset your SRP account to working order".

They set up their SRP account through the chrome, not
through a webpage.  This attack fails to mimic what is
routine.  Phishing relies on mimicry and habit.  The
poorer the mimicry, the less likely people are to fall
for it.  Certainly some people will fall for it (there
is a sucker born every minute), but right now we are
seeing phishing attacks that quite sophisticated people
fall for.


     --digsig
          James A. Donald

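The exchange the thread is arguing about, as an added example that is not part of the original mail: a toy SRP-6a round trip in which the server holds only a salted verifier, the password never crosses the wire, and a server that does not hold the real verifier cannot produce the proof M2 the client checks. Names (make_verifier, srp_login, H) and the modulus are assumptions; the group is a toy one, not an RFC 5054 group.

```python
import hashlib
import secrets

# Toy group for illustration only (assumed): 2**127-1 is prime but not a
# safe prime. Real deployments use an RFC 5054 group and its generator.
N = 2**127 - 1
g = 2


def H(*parts: int) -> int:
    """SHA-256 over the big-endian encoding of each integer argument."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier


def private_x(username: str, password: str, salt: int) -> int:
    ident = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, int.from_bytes(ident, "big"))


def make_verifier(username: str, password: str):
    """Enrolment: the server stores (salt, v); it never sees the password."""
    salt = secrets.randbelow(N)
    return salt, pow(g, private_x(username, password, salt), N)


def srp_login(username, password, server_salt, server_v):
    """Run one SRP-6a exchange; return (server_accepts, client_accepts)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral
    A = pow(g, a, N)                          # client -> server: A
    b = secrets.randbelow(N - 2) + 1          # server ephemeral
    B = (k * server_v + pow(g, b, N)) % N     # server -> client: salt, B
    u = H(A, B)
    # Client: derives the session key from its password and B alone.
    x = private_x(username, password, server_salt)
    K_c = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = H(A, B, K_c)                         # client -> server: M1
    # Server: derives the same key from the stored verifier, checks M1.
    K_s = H(pow(A * pow(server_v, u, N) % N, b, N))
    server_accepts = H(A, B, K_s) == M1
    M2 = H(A, M1, K_s)                        # server -> client: M2
    # Client: only a server holding the real v can produce a matching M2.
    client_accepts = M2 == H(A, M1, K_c)
    return server_accepts, client_accepts
```

A phishing site that never received the verifier fails the client's M2 check even if it claims to accept M1, which is the relationship-binding property the reply contrasts with SSL's name-binding.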
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
