James A. Donald wrote:
> > The obvious solution to the phishing crisis is the
> > widespread deployment of SRP

Lance James
> I disagree here, I don't think this will stop phishing
> for many reasons. Please explain how it would. It will
> stop "man-in-the-middle" attacks on the protocol, but
> phishers aren't attacking the protocols themselves.

To be useful, SRP has to be in the browser chrome.

Consider a typical e-gold phish
: :     You have just made a request to transfer all
: :     the funds in your account.  Please click here
: :     <www.e-golb.com/cancel> and login to cancel
: :     this request if it was made by someone other
: :     than yourself

Assume e-gold was using SRP login.  The user would
attempt to login to www.e-golb.com through SRP, and the
login would fail.

> It's still single-auth and I can still obtain the user
> password via phishing.

How?

SRP never reveals the login.  It is zero knowledge.
Instead, both parties prove to each other that they know
the secret, without revealing the secret.

The only way you can phish the user is to get him to not
use SRP.  But if he is attempting to use SRP he is not
typing the password into a web page, but into client
software running on his own machine, which is going to
look visibly different from any web page.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     bhZzlPU6DtnwH9s5+PxwPlwhgvD/8iFEI9LcuRXA
     4x54cCglld16xbMxUa/22CBHVIxtb7yqM78rQ9Ul1

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
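The exchange Donald describes, an SRP-6a login run once against the genuine server and once against an impostor host that does not hold the user's verifier, as an added example that is not part of the original post. It assumes SHA-256 as the hash, the 1024-bit group from RFC 5054 (g = 2), the RFC 2945 layout for the M1/M2 proofs, and constructed test data (user name, password, salt, and the impostor's single guess). The password never crosses the wire in either run; the impostor learns only that its one guess was wrong, which is the point that a phishing page cannot "obtain the user password" from a client that actually speaks the protocol.

```python
"""SRP-6a login against a genuine server and against a phishing host.

Added example (not code from the mailing-list post).  Assumes SHA-256,
the RFC 5054 1024-bit group, RFC 2945 proof layout; all identities,
passwords and the salt below are constructed test data.
"""
import hashlib
import hmac
import secrets

N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)          # RFC 5054 1024-bit safe prime (assumed group)
g = 2
NLEN = (N.bit_length() + 7) // 8


def hashb(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def H(*parts: bytes) -> int:
    return int.from_bytes(hashb(*parts), "big")


def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")


k = H(pad(N), pad(g))       # SRP-6a multiplier k = H(N | PAD(g))


def private_x(username: bytes, password: bytes, salt: bytes) -> int:
    # x = H(s | H(I | ":" | P)); only the client ever computes this
    return H(salt, hashb(username + b":" + password))


def register(username: bytes, password: bytes, salt: bytes):
    """Enrolment: the server stores (salt, verifier), never the password."""
    return salt, pow(g, private_x(username, password, salt), N)


def proof_m1(I: bytes, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    hn, hg = hashb(pad(N)), hashb(pad(g))
    return hashb(bytes(p ^ q for p, q in zip(hn, hg)), hashb(I), salt,
                 pad(A), pad(B), K)


class Client:
    """Runs on the user's machine; the password stays here."""
    def __init__(self, username: bytes, password: bytes):
        self.I, self.P = username, password
        self.a = secrets.randbits(256)
        self.A = pow(g, self.a, N)

    def prove(self, salt: bytes, B: int) -> bytes:
        if B % N == 0:
            raise ValueError("degenerate B from server")
        u = H(pad(self.A), pad(B))
        x = private_x(self.I, self.P, salt)
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)
        self.K = hashb(pad(S))
        self.M1 = proof_m1(self.I, salt, self.A, B, self.K)
        return self.M1

    def verify_server(self, M2: bytes) -> bool:
        return hmac.compare_digest(M2, hashb(pad(self.A), self.M1, self.K))


class Server:
    """Holds (salt, verifier) only; an impostor holds a guessed verifier."""
    def __init__(self, username: bytes, salt: bytes, verifier: int):
        self.I, self.s, self.v = username, salt, verifier
        self.b = secrets.randbits(256)
        self.B = (k * self.v + pow(g, self.b, N)) % N

    def check(self, A: int, M1: bytes):
        """Return M2 if the client's proof matches, else None."""
        if A % N == 0:
            raise ValueError("degenerate A from client")
        u = H(pad(A), pad(self.B))
        S = pow(A * pow(self.v, u, N), self.b, N)
        K = hashb(pad(S))
        if not hmac.compare_digest(proof_m1(self.I, self.s, A, self.B, K), M1):
            return None
        return hashb(pad(A), M1, K)


def login(client: Client, server: Server):
    """One full exchange; returns (mutual_auth_ok, bytes seen on the wire)."""
    M1 = client.prove(server.s, server.B)
    M2 = server.check(client.A, M1)
    wire = server.s + pad(server.B) + pad(client.A) + M1 + (M2 or b"")
    return (M2 is not None and client.verify_server(M2)), wire


USER, PASSWORD = b"alice", b"correct horse battery staple"   # constructed
SALT = bytes(range(16))                                      # constructed


def demo():
    salt, v = register(USER, PASSWORD, SALT)
    genuine_ok, wire = login(Client(USER, PASSWORD), Server(USER, salt, v))
    # www.e-golb.com never received e-gold's verifier; the best it can do
    # is enrol one guess per session and see whether the client's M1 matches
    _, v_guess = register(USER, b"password123", SALT)
    phisher_ok, phish_wire = login(Client(USER, PASSWORD), Server(USER, SALT, v_guess))
    return {"genuine": genuine_ok, "phisher": phisher_ok,
            "password_on_wire": PASSWORD in wire or PASSWORD in phish_wire}


if __name__ == "__main__":
    print(demo())
```

The impostor's failure is not a transport accident: without the real verifier it cannot compute the client's session key, so the client's M1 does not verify and the client never receives an M2 it accepts. The only thing the phisher learns per session is that its one guessed password was wrong, and none of the bytes on the wire are the password. This holds only while the user is actually typing into the SRP client rather than into a web form, which is exactly the condition the post puts on it.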
