Re: Status of SRP

2006-06-07 Thread Ka-Ping Yee
On Wed, 7 Jun 2006, John Brazel wrote: What we really need is something similar to the built-in remember my password functionality of current web browsers: the browser keeps track of a login/password/certified (i.e. TLS certificate-backed) DNS name tuple... [...] The downside, of course, is

Re: Status of SRP

2006-06-03 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, Jeffrey Altman wrote: Solving the phishing problem requires changes on many levels: I agree. (1) Some form of secure chrome for browsers must be deployed where the security either comes from a trusted desktop or by per-user customizations that significantly

Trusted path (was: status of SRP)

2006-06-02 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, James A. Donald wrote: Florian Weimer wrote: There is no way to force an end user to enter a password only over SRP. Phishing relies on the login page looking familiar. If SRP is in the browser chrome, and looks strikingly different from any web page, the login page

Re: Status of SRP

2006-06-02 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, Florian Weimer wrote: That is an all purpose argument that is deployed selectively against some measures and not others. If you've deployed two-factor authentication (like German banks did in the late 80s/early 90s), the relevant attacks do involve compromised customer

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Wed, 31 May 2006, James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? Phishing can mean a few different things. If by phishing you mean the

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, James A. Donald wrote: SRP necessarily runs in the chrome, in the client software, not in the web page, therefore the chrome should put up an image that cannot be convincingly imitated by HTML. Sure, I agree. I only brought this up to point out that SRP alone doesn't

Re: [Anti-fraud] Re: the limits of crypto and authentication

2005-07-11 Thread Ka-Ping Yee
On Sun, 10 Jul 2005, Amir Herzberg wrote: But... crypto and authentication, imho, are the best tools to prevent such malware from being installed. I disagree. Limited authority is the best way to prevent such malware from being installed (and, if installed, from causing harm). The premise

Re: massive data theft at MasterCard processor

2005-06-20 Thread Ka-Ping Yee
On Fri, 17 Jun 2005, Steven M. Bellovin wrote: Designing a system that deflects this sort of attack is challenging. The right answer is smart cards that can digitally sign transactions, but that would require rolling out new readers to all the merchants. I was amazed to hear of the UK's fast