James A. Donald wrote:
> Jeffrey Altman wrote:
>> Unfortunately, SRP is not the solution to the phishing
>> problem. The phishing problem is made up of many
>> subtle sub-problems involving the ease of spoofing a
>> web site and the challenges involved in securing the
>> enrollment and password change mechanisms.
>
> With SRP, the web site cannot be spoofed, for it must
> prove it knows the user's secret passphrase.
James,

SRP can only prevent spoofs of successful authentications, and it can only prevent spoofs when it is actually used. It cannot prevent spoofs of unsuccessful authentications, and that is where a huge part of the problem lies. Consider the reaction of many individuals when they receive a page that indicates that their username and/or password are incorrect.

Sites that offer the common secret question(s) can be spoofed. The attacker's spoof sits in the middle, captures the question from the real site and the answer from the user, and if the real site says that the new password is being sent, puts up a new page indicating that the password should be changed online, along with prompts for the private information that the attacker wants.

Stopping phishing with successful authentication is not even half the problem.

Jeffrey Altman
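The mutual proof James relies on (the server must prove it knows the user's secret) and the gap Jeffrey points to, as an added example that is not from this thread: a small SRP-6a exchange in Python. The group below is a demo-sized prime chosen for brevity, not a real SRP group (RFC 5054 defines those); the user name and password are constructed. A server that never enrolled the verifier cannot produce the server proof M2, so a spoofed successful login is detected; a spoof that simply reports "wrong password" never has to produce M2 at all, which is exactly the case this check does not cover.

```python
import hashlib
import secrets

N = 2**127 - 1   # Mersenne prime, demo-sized; NOT an RFC 5054 group
g = 3

def H(*parts: int) -> int:
    """SRP's hash H() over big-endian encodings of integer values."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes((p.bit_length() + 7) // 8 or 1, "big"))
    return int.from_bytes(h.digest(), "big")

k = H(N, g) % N   # SRP-6a multiplier parameter

def private_x(salt: int, username: str, password: str) -> int:
    """x = H(salt, H(username:password)); only the client ever computes it."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return H(salt, int.from_bytes(inner, "big")) % N

def enroll(username: str, password: str):
    """Enrollment: the server stores (salt, verifier v = g^x), never the password."""
    salt = secrets.randbits(128)
    return salt, pow(g, private_x(salt, username, password), N)

def login(username, password, salt, v, server_knows_v=True):
    """One SRP-6a exchange. Returns (server_accepts, client_accepts).
    server_knows_v=False models a spoofed site that never enrolled the user."""
    a, b = secrets.randbelow(N - 2) + 1, secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                            # client -> server
    if server_knows_v:
        B = (k * v + pow(g, b, N)) % N                           # genuine server
    else:
        B = pow(g, b, N)                                         # spoof has no v
    u = H(A, B) % N
    if A == 0 or B == 0 or u == 0:
        raise ValueError("degenerate SRP values; abort the session")
    x = private_x(salt, username, password)
    S_c = pow((B - k * pow(g, x, N)) % N, a + u * x, N)          # client session key
    M1 = H(A, B, S_c)                                           # client proof -> server
    S_s = pow(A * pow(v, u, N) % N, b, N) if server_knows_v else pow(A, b, N)
    server_accepts = H(A, B, S_s) == M1
    M2 = H(A, M1, S_s) if server_accepts else 0                 # server proof, success only
    client_accepts = M2 == H(A, M1, S_c)
    return server_accepts, client_accepts
```

A spoof that returns "login failed" instead of M2 passes no check here; the client has nothing to verify, which is why the reply above treats failed-login pages as the harder part of the problem.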