James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread deployment
> of SRP, but this does not seem to be happening. SASL-SRP was recently
> dropped. What is the problem?
Unfortunately, SRP is not the solution to the phishing problem. The phishing
problem is made up of many subtle sub-problems involving the ease of spoofing
a web site and the challenges involved in securing the enrollment and
password change mechanisms.

SRP would allow a client to know that a service is in fact the correct
service when the authentication succeeds. However, it would not help in the
situation when the authentication fails. This could be because the user is
not sure what the password is, or even which account name was used.

Solving the phishing problem requires changes on many levels:

(1) Some form of secure chrome for browsers must be deployed, where the
security comes either from a "trusted desktop" or from per-user
customizations that significantly decrease the chances that the attacker
can fake the web site experience. (Prevent the attacker from replicating
the browser frame, toolbars, lock icons, certificate dialogs, etc.)

(2) Reducing the number of accounts and passwords (or other identifiers)
that end users need to remember. With a separate identifier for each and
every web site, it is no surprise that my extended family can never
remember what was used at each site. Therefore, it is not much of a
surprise when a site says that the authentication failed.

(3) Secure mechanisms must be developed for handling enrollment and
password changing.

Only then can we truly address the phishing problem.

Jeffrey Altman
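To make the point above concrete (SRP tells the client it is talking to the
right server only when the login succeeds; a failed login looks the same
whether the site is a spoof or the user simply typed the wrong password),
here is an SRP-6a exchange written out in Python. This is an added
illustration, not code from this thread or from any SRP library. Its
assumptions: a toy 128-bit safe-prime group generated at run time (real
deployments use the 1024-bit and larger RFC 5054 groups), SHA-256 with
integers padded to the group length, a hypothetical Server class holding one
(salt, verifier) record, a hypothetical PhishingServer that has no verifier
and bluffs its proof, and a constructed user "alice" with a constructed
password.

```python
import hashlib
import secrets


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; fine for building a demo group, not for production use."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_safe_prime(bits: int) -> int:
    """Random safe prime N = 2q + 1.  128 bits is toy-sized (assumption for
    self-containment); RFC 5054 groups start at 1024 bits."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


N = toy_safe_prime(128)
# smallest element of full order 2q (safe prime: orders are 1, 2, q or 2q)
g = next(c for c in range(2, N) if pow(c, 2, N) != 1 and pow(c, (N - 1) // 2, N) != 1)
NLEN = (N.bit_length() + 7) // 8


def Hb(*parts) -> bytes:
    """SHA-256 of the concatenation; ints are left-padded to the group length."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p if isinstance(p, bytes) else p.to_bytes(NLEN, "big"))
    return h.digest()


def Hi(*parts) -> int:
    return int.from_bytes(Hb(*parts), "big")


k = Hi(N, g)  # SRP-6a multiplier


def enroll(username: bytes, password: bytes):
    """Registration: the server keeps (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, Hi(salt, Hb(username + b":" + password)), N)


class Server:
    def __init__(self, username: bytes, salt: bytes, verifier: int):
        self.db = {username: (salt, verifier)}

    def challenge(self, username: bytes, A: int):
        if A % N == 0:                       # abort condition from RFC 5054
            raise ValueError("invalid A")
        salt, v = self.db[username]
        while True:
            b = secrets.randbelow(N - 2) + 1
            B = (k * v + pow(g, b, N)) % N
            if B != 0:
                break
        u = Hi(A, B)
        self.A, self.B, self.K = A, B, Hb(pow(A * pow(v, u, N) % N, b, N))
        return salt, B

    def verify(self, M1: bytes):
        if M1 != Hb(self.A, self.B, self.K):
            return None                      # client proof wrong: no M2
        return Hb(self.A, M1, self.K)        # server proof, needs the real K


class PhishingServer(Server):
    """Impersonator (hypothetical): no verifier, so it invents one and bluffs."""
    def __init__(self, username: bytes):
        super().__init__(username, secrets.token_bytes(16), secrets.randbelow(N - 2) + 2)

    def verify(self, M1: bytes):
        return secrets.token_bytes(32)       # cannot compute the real M2


def client_login(server: Server, username: bytes, password: bytes) -> str:
    """One login as the user sees it: 'authenticated' or 'failed'."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(username, A)
    assert B % N != 0                        # client-side abort condition
    x = Hi(salt, Hb(username + b":" + password))
    u = Hi(A, B)
    K = Hb(pow((B - k * pow(g, x, N)) % N, a + u * x, N))
    M1 = Hb(A, B, K)
    M2 = server.verify(M1)
    # Only a party holding the verifier can produce the matching M2.
    return "authenticated" if M2 == Hb(A, M1, K) else "failed"


def demo():
    user, pw, typo = b"alice", b"correct horse", b"c0rrect horse"  # constructed
    genuine = Server(user, *enroll(user, pw))
    fake = PhishingServer(user)
    return {
        "genuine/right password": client_login(genuine, user, pw),
        "phisher/right password": client_login(fake, user, pw),
        "genuine/wrong password": client_login(genuine, user, typo),
        "phisher/wrong password": client_login(fake, user, typo),
    }
```

Running demo() gives "authenticated" for the first case and "failed" for the
other three. The second case is where SRP earns its keep: the phisher never
sees the password, cannot derive the session key from A and M1, and cannot
forge M2, so the client rejects it. But the user's screen shows the same
"failed" for a spoofed site, a mistyped password and both at once, which is
exactly the situation the message above describes: the protocol only speaks
on success.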