* James A. Donald:

> --
> Florian Weimer wrote:
>> There is no way to force an end user to enter a
>> password only over SRP.
>
> Phishing relies on the login page looking familiar. If
> SRP is in the browser chrome, and looks strikingly
> different from any web page, the login page will not
> look familiar.

All browsers I've tested permit overriding chrome in the default
configuration as a deliberate design decision. 8-(

>> Fortunately, it doesn't matter because today, we must
>> assume that the client is thoroughly compromised,
>> which means that entering passwords over SRP isn't
>> safe, either.
>
> That is an all purpose argument that is deployed
> selectively against some measures and not others.

If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]