James A. Donald wrote:

> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening. SASL-SRP was
> recently dropped. What is the problem?

I disagree here; I don't think this will stop phishing, for many reasons. Please explain how it would. It will stop "man-in-the-middle" attacks on the protocol, but phishers aren't attacking the protocols themselves. It's still single-auth, and I can still obtain the user password via phishing.

Please correct me if I'm wrong, but phishing happens before this protocol is accessed. If Mallory convinces Carol to log into a spoofed site that looks like Steve, not running SRP, then u and x are obtained by Mallory. Mallory simply logs into Steve with u and x.

In SRP what is preshared is g^x, where x = H(s,p), s is a salt and p is the password. p would be a weakness here because the user knows it, and in phishing, if the user knows it, the user is vulnerable.

My 2 cents.

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://securescience.net/home/news/phishingexposed.html

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
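The point above, worked as an added example that is not code from the thread: an SRP-6a-style exchange in Python where Steve stores only the salt s and verifier v = g^x, and the session keys agree for whoever presents p, whether Carol typed it or someone learned it from a spoofed non-SRP page, while a wrong p fails. Assumptions: the 1024-bit group from RFC 5054 is used, and hashing is simplified (SHA-256 without the RFC's exact padding), so this is illustrative rather than interoperable.

```python
import hashlib
import os

# 1024-bit SRP group (N, g) from RFC 5054; larger groups are preferable today.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2

def H(*parts) -> int:
    """SHA-256 over the concatenated parts (simplified, not RFC-exact padding)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")

def x_from(salt: bytes, password: str) -> int:
    return H(salt, password.encode())            # x = H(s, p)

def register(password: str):
    """Enrollment: the server keeps (s, v = g^x); it never stores p."""
    s = os.urandom(16)
    return s, pow(g, x_from(s, password), N)

def srp_session(server, presented_password: str):
    """One exchange; returns (client_key, server_key). They match iff presented p is right."""
    s, v = server
    k = H(N, g)
    a = int.from_bytes(os.urandom(32), "big"); A = pow(g, a, N)            # client ephemeral
    b = int.from_bytes(os.urandom(32), "big"); B = (k * v + pow(g, b, N)) % N  # server ephemeral
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value")
    u = H(A, B)
    x = x_from(s, presented_password)            # only p (plus the public salt) is needed here
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    return H(S_client), H(S_server)

def authenticates(server, presented_password: str) -> bool:
    kc, ks = srp_session(server, presented_password)
    return kc == ks
```

Nothing in the exchange distinguishes Carol from a party that obtained p elsewhere; the protocol proves knowledge of p, not who knows it.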
