James A. Donald wrote:
> > The obvious solution to the phishing crisis is the
> > widespread deployment of SRP

Lance James
> I disagree here, I don't think this will stop phishing
> for many reasons. Please explain how it would. It will
> stop "man-in-the-middle" attacks on the protocol, but
> phishers aren't attacking the protocols themselves.

To be useful, SRP has to be in the browser chrome.

Consider a typical e-gold phish:

: : You have just made a request to transfer all
: : the funds in your account. Please click here
: : <www.e-golb.com/cancel> and login to cancel
: : this request if it was made by someone other
: : than yourself

Assume e-gold was using SRP login. The user would attempt to login to www.e-golb.com through SRP, and the login would fail.

> It's still single-auth and I can still obtain the user
> password via phishing.

How? SRP never reveals the login. It is zero knowledge. Instead, both parties prove to each other that they know the secret, without revealing the secret.

The only way you can phish the user is to get him to not use SRP. But if he is attempting to use SRP he is not typing the password into a web page, but into client software running on his own machine, which is going to look visibly different from any web page.

--digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     bhZzlPU6DtnwH9s5+PxwPlwhgvD/8iFEI9LcuRXA
     4x54cCglld16xbMxUa/22CBHVIxtb7yqM78rQ9Ul1
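The argument above (a phishing server that lacks the real verifier cannot complete an SRP login, and the exchange itself never carries the password) as an added, runnable example that is not part of the original mail or of any e-gold software. It is a simplified SRP-6a run in Python: the RFC 5054 1024-bit group is used at demo size, the M1/M2 proof layout is shortened relative to the RFC, and all usernames and passwords are constructed.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (demo size; prefer larger groups).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF74"
    "96EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6"
    "CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4"
    "976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8

def H(*parts):
    """SHA-256 over the parts; ints are encoded big-endian padded to len(N)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NBYTES, "big") if isinstance(p, int) else p)
    return int.from_bytes(h.digest(), "big")

def private_x(username, password, salt):
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())

def enroll(username, password):
    """Registration: the server stores (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(username, password, salt), N)

def srp_login(username, password, salt, verifier):
    """One SRP-6a exchange (simplified M1/M2); returns (client_ok, server_ok).
    The client side knows only the password, the server side only its record."""
    k = H(N, g)
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                              # client -> server
    B = (k * verifier + pow(g, b, N)) % N         # server -> client (needs v)
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate public value")  # SRP-6a abort rule
    u = H(A, B)
    x = private_x(username, password, salt)       # client only
    K_client = H(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    K_server = H(pow(A * pow(verifier, u, N) % N, b, N))
    # Client proves first; a server holding a wrong verifier (a phishing site)
    # cannot verify M1 and learns nothing about the password from A or M1.
    M1 = H(A, B, K_client)
    server_ok = M1 == H(A, B, K_server)
    M2 = H(A, M1, K_server) if server_ok else None
    client_ok = M2 is not None and M2 == H(A, M1, K_client)
    return client_ok, server_ok
```

With the genuine record the call returns (True, True); with a record the phisher fabricated, or with a wrong password, both sides fail and the client never receives a valid M2.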