Ka-Ping Yee wrote:
> "Phishing" can mean a few different things.  If by
> "phishing" you mean the stealing of passwords, then
> yes, SRP would help to eliminate that problem, but
> users could still be fooled into giving away their SRP
> passwords if the user interface for entering the
> password is convincingly imitated.

SRP necessarily runs in the chrome, in the client
software, not in the web page; therefore the chrome
should put up an image that cannot be convincingly
imitated by HTML - for example, on Windows, a
non-rectangular login page, as with paradox's keygen, or as
with the infocard software, taking over the entire
screen, including covering the taskbar, which an HTML
page cannot do.

In order to imitate that, the attacker would need
control of the client machine.

> I'm working on Passpet, a password management tool
> that tries to address several of the big
> phishing-related problems including password capture
> and dictionary attack, and for the authentication part
> I chose SRP.  So that's one place it's getting used,
> anyway.

Cannot find a web page that presents Passpet.

         James A. Donald

The Cryptography Mailing List