The protocol itself seems to be pretty safe. But with web applications you have the problem that the algorithm using that protocol is written in JavaScript. Therefore, you must guard this JS via SSL or it can be manipulated (e.g. send the password in plaintext to Mallory).
In my opinion the performance of SSL is not worse than SRP implemented in JS. But tests are needed to validate that. If you already have the algorithm on both endpoints, SRP could be a good choice.

On Dec 27, 5:15 pm, UseTheFork <[email protected]> wrote:
> I just came across the Secure Remote Password protocol
> (http://srp.stanford.edu/). To reduce the TLS/SSL load on the server, one
> could create accounts/pwd (and perform commercial transactions) using
> HTTPS, and carry on with SRP later. It would make encryption over RCP
> possible and lighter, while remaining pretty safe...
