On 2011-07-13 8:49 PM, Adam Back wrote:
EKE for web login is decades overdue and if implemented and deployed properly in the browser and server could pretty much wipe out phishing attacks on passwords.
EKE requires a change in the browser, in the server, and in the login page.
We have source code for apache, mozilla, maybe could persuade google; and perhaps microsoft and apple could be shamed into following if that was done. Of course one would have to disable some things (basic auth?) and do some education - never enter passwords outside of the browser's verifiably local authentication dialog - but how else are we going to get progress, this is 2011, and the solution has been known for nearly 20 years - it's about time eh? Maybe you could even tell the browser your passwords so it could detect and prevent users typing that into other contexts.
I was unaware that source code for these tools existed. When you say it exists, can I today set up an apache server on one machine I control, a login web page in PHP to a mysql database, a mozilla browser on another machine, and today log in to that database using EKE?
Gutmann's code came a fair bit short of that level of functionality. If code to do this actually exists, where is it?
