On Wed, 7 Jun 2006, John Brazel wrote:
What we really need is something similar to the built-in remember
my password functionality of current web browsers: the browser keeps
track of a login/password/certified (i.e. TLS certificate-backed) DNS name
tuple...
[...]
The downside, of course, is

On Thu, 1 Jun 2006, Jeffrey Altman wrote:
Solving the phishing problem requires changes on many levels:
I agree.
(1) Some form of secure chrome for browsers must be deployed where
the security either comes from a trusted desktop or by per-user
customizations that significantly

On Thu, 1 Jun 2006, James A. Donald wrote:
Florian Weimer wrote:
There is no way to force an end user to enter a
password only over SRP.
Phishing relies on the login page looking familiar. If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page

On Thu, 1 Jun 2006, Florian Weimer wrote:
That is an all purpose argument that is deployed
selectively against some measures and not others.
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer

On Wed, 31 May 2006, James A. Donald wrote:
The obvious solution to the phishing crisis is the widespread deployment
of SRP, but this does not seem to be happening. SASL-SRP was recently
dropped. What is the problem?
Phishing can mean a few different things. If by phishing you
mean the

On Thu, 1 Jun 2006, James A. Donald wrote:
SRP necessarily runs in the chrome, in the client
software, not in the web page, therefore the chrome
should put up an image that cannot be convincingly
imitated by html
Sure, I agree. I only brought this up to point out that SRP
alone doesn't

On Sun, 10 Jul 2005, Amir Herzberg wrote:
But... crypto and authentication, imho, are the best tools to prevent
such malware from being installed.
I disagree. Limited authority is the best way to prevent such malware
from being installed (and, if installed, from causing harm).
The premise

On Fri, 17 Jun 2005, Steven M. Bellovin wrote:
Designing a system that deflects this sort of attack is challenging.
The right answer is smart cards that can digitally sign transactions,
but that would require rolling out new readers to all the merchants.
I was amazed to hear of the UK's fast