Re: Status of opportunistic encryption

2006-06-01 Thread Victor Duchovni
On Wed, May 31, 2006 at 08:56:53AM +1000, James A. Donald wrote: Active attacks are rare, possibly nonexistent except for Wifi. If NSA and the other TLAs were doing active attacks, they would be detected some of the time. They don't like being detected. Active attacks at the network layer

Re: Status of SRP

2006-06-01 Thread Victor Duchovni
On Wed, May 31, 2006 at 09:41:57AM +1000, James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? The obvious solution is perhaps more difficult to

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Wed, 31 May 2006, James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? Phishing can mean a few different things. If by phishing you mean the

Elizabethan traffic analysis

2006-06-01 Thread Steven M. Bellovin
We tend to think of traffic analysis as a modern technique, but it's actually quite old. Here is a message from a spy, observing the activities of two of (English Queen) Elizabeth I's courtiers, whom he suspected of trying to manipulate her successor: many secret meetings are made

Re: Status of SRP

2006-06-01 Thread Lance James
James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? I disagree here, I don't think this will stop phishing for many reasons. Please explain how it

Re: Status of SRP

2006-06-01 Thread Lance James
Lance James wrote: James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? I want to clarify, because by typing too fast, I think my

Re: Status of SRP

2006-06-01 Thread Derek Atkins
Quoting James A. Donald [EMAIL PROTECTED]: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? Patents. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media

Re: Status of SRP

2006-06-01 Thread Joseph Ashwood
- Original Message - From: James A. Donald [EMAIL PROTECTED] Subject: Status of SRP The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? The problem is that you're

Re: Status of SRP

2006-06-01 Thread Florian Weimer
* James A. Donald: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to be happening. SASL-SRP was recently dropped. What is the problem? There is no way to force an end user to enter a password only over SRP. That's why SRP is not

Re: Status of opportunistic encryption

2006-06-01 Thread Peter Gutmann
[EMAIL PROTECTED] writes: I am also interested in Opportunistic Encryption. Even if it is not as secure as a manually configured VPN, I am willing to trade that for what it does provide. I have looked at setting up OpenSWAN in OE mode, but frankly it is daunting even for the reasonably geeky

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- Ka-Ping Yee wrote: Phishing can mean a few different things. If by phishing you mean the stealing of passwords, then yes, SRP would help to eliminate that problem, but users could still be fooled into giving away their SRP passwords if the user interface for entering the password is

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP Lance James I disagree here, I don't think this will stop phishing for many reasons. Please explain how it would. It will stop man-in-the-middle attacks on the protocol, but

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- Florian Weimer wrote: There is no way to force an end user to enter a password only over SRP. Phishing relies on the login page looking familiar. If SRP is in the browser chrome, and looks strikingly different from any web page, the login page will not look familiar. Fortunately, it

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, James A. Donald wrote: SRP necessarily runs in the chrome, in the client software, not in the web page, therefore the chrome should put up an image that cannot be convincingly imitated by html Sure, I agree. I only brought this up to point out that SRP alone doesn't