Re: Status of SRP

2006-06-07 Thread John Brazel
Jeffrey Altman wrote: Solving the phishing problem requires changes on many levels: (1) Some form of secure chrome for browsers must be deployed where the security either comes from a trusted desktop or by per-user customizations that significantly decrease the chances that the

Re: Status of SRP

2006-06-07 Thread Anne Lynn Wheeler
James A. Donald wrote: The concept of trusted computing is an attempt to address this problem - each application has exclusive access to certain data, a trusted path to interact with the user, and the ability to prove to servers what code is being executed on the client. so they aren't

Re: Status of SRP

2006-06-07 Thread Ka-Ping Yee
On Wed, 7 Jun 2006, John Brazel wrote: What we really need is something similar to the built-in remember my password functionality of current web browsers: the browser keeps track of a login/password/certified (ie TLS certificate-backed) DNS name tuple... [...] The downside, of course, is

Re: Status of SRP

2006-06-07 Thread James A. Donald
-- Anne Lynn Wheeler wrote: part of x9.59 retail payment standard requires the transaction to be authenticated. another part of the x9.59 retail payment standard requires that the account number in x9.59 retail payments can't be used in non-authenticated transactions. it as been

Re: Status of SRP

2006-06-06 Thread Florian Weimer
* Anne Lynn Wheeler: Florian Weimer wrote: FINREAD is really interesting. I've finally managed to browse the specs, and it looks as if this platform can be used to build something that is secure against compromised hosts. However, I fear that the support costs are too high, and that's why

Re: Status of SRP

2006-06-06 Thread Anne Lynn Wheeler
Florian Weimer wrote: You mean something like remote attestation? I find it hard to believe that this capability is available today in a relatively open environment, on a platform supporting multiple applications developed by different applications. re:

Re: Status of SRP

2006-06-04 Thread Jeffrey Altman
James A. Donald wrote: -- Jeffrey Altman wrote: Unfortunately, SRP is not the solution to the phishing problem. The phishing problem is made up of many subtle sub-problems involving the ease of spoofing a web site and the challenges involved in securing the enrollment and password

Re: Status of SRP

2006-06-03 Thread James A. Donald
-- Jeffrey Altman wrote: Unfortunately, SRP is not the solution to the phishing problem. The phishing problem is made up of many subtle sub-problems involving the ease of spoofing a web site and the challenges involved in securing the enrollment and password change mechanisms. With SRP,

Re: Status of SRP

2006-06-03 Thread James A. Donald
-- Lance James wrote: Here's where SRP fails: 1) SSL is built into the browser - doesn't stop phishers SSL protects true names, SRP protects true relationships. Protecting true names turned out to be not very useful. Hi, we're having a problem with your account system as our SRP

Re: Status of SRP

2006-06-03 Thread Florian Weimer
* Ka-Ping Yee: Passpet's strategy is to customize a button that you click. We are used to recognizing toolbar buttons by their appearance, so it seems plausible that if the button has a custom per-user icon, users are unlikely to click on a spoofed button with the wrong icon. Unlike other

Re: Status of SRP

2006-06-03 Thread Florian Weimer
* Anne Lynn Wheeler: Florian Weimer wrote: If you've deployed two-factor authentication (like German banks did in the late 80s/early 90s), the relevant attacks do involve compromised customer PCs. 8-( Just because you can't solve it with your technology doesn't mean you can pretend the

Re: Status of SRP

2006-06-03 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, Jeffrey Altman wrote: Solving the phishing problem requires changes on many levels: I agree. (1) Some form of secure chrome for browsers must be deployed where the security either comes from a trusted desktop or by per-user customizations that significantly

Re: Status of SRP

2006-06-03 Thread Anne Lynn Wheeler
Florian Weimer wrote: FINREAD is really interesting. I've finally managed to browse the specs, and it looks as if this platform can be used to build something that is secure against compromised hosts. However, I fear that the support costs are too high, and that's why it hasn't caught on in

Re: Status of SRP

2006-06-03 Thread Anne Lynn Wheeler
Anne Lynn Wheeler wrote: if they can build a $100 PC ... you think that they could build a finread terminal for a couple bucks. sometimes there are issues with volume pricing ... you price high because there isn't a volume and there isn't a volume because you price high. re:

Re: Status of SRP

2006-06-02 Thread Jeffrey Altman
James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? Unfortunately, SRP is not the solution to the phishing problem. The phishing problem is made up of

Re: Status of SRP

2006-06-02 Thread Lance James
Here's where SRP fails: 1) SSL is built into the browser - doesn't stop phishers 2) Chrome or no chrome good luck getting it in there and having every user understand it. 3) Traditional phishing works, but if you force them to change, the malware propagation will only be higher than it is now,

Re: Status of SRP

2006-06-02 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, Florian Weimer wrote: That is an all purpose argument that is deployed selectively against some measures and not others. If you've deployed two-factor authentication (like German banks did in the late 80s/early 90s), the relevant attacks do involve compromised customer

Re: Status of SRP

2006-06-02 Thread James A. Donald
-- Ka-Ping Yee wrote: Passpet's strategy is to customize a button that you click. We are used to recognizing toolbar buttons by their appearance, so it seems plausible that if the button has a custom per-user icon, users are unlikely to click on a spoofed button with the wrong icon.

Re: Status of SRP

2006-06-02 Thread James A. Donald
-- Ka-Ping Yee wrote: Passpet's strategy is to customize a button that you click. We are used to recognizing toolbar buttons by their appearance, so it seems plausible that if the button has a custom per-user icon, users are unlikely to click on a spoofed button with the wrong icon.

Re: Status of SRP

2006-06-02 Thread Travis H.
On 5/30/06, Derek Atkins [EMAIL PROTECTED] wrote: Quoting James A. Donald [EMAIL PROTECTED]: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? Patents. Seconded. When

Re: Status of SRP

2006-06-02 Thread Anne Lynn Wheeler
Florian Weimer wrote: If you've deployed two-factor authentication (like German banks did in the late 80s/early 90s), the relevant attacks do involve compromised customer PCs. 8-( Just because you can't solve it with your technology doesn't mean you can pretend the attacks don't happen. EU

Re: Status of SRP

2006-06-01 Thread Victor Duchovni
On Wed, May 31, 2006 at 09:41:57AM +1000, James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? The obvious solution is perhaps more difficult to

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Wed, 31 May 2006, James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? Phishing can mean a few different things. If by phishing you mean the

Re: Status of SRP

2006-06-01 Thread Lance James
James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? I disagree here, I don't think this will stop phishing for many reasons. Please explain how it

Re: Status of SRP

2006-06-01 Thread Lance James
Lance James wrote: James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? I want to clarify, because by typing to fast, i think my

Re: Status of SRP

2006-06-01 Thread Derek Atkins
Quoting James A. Donald [EMAIL PROTECTED]: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? Patents. -derek -- Derek Atkins, SB '93 MIT EE, SM '95 MIT Media

Re: Status of SRP

2006-06-01 Thread Joseph Ashwood
- Original Message - From: James A. Donald [EMAIL PROTECTED] Subject: Status of SRP The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? The problem is that you're

Re: Status of SRP

2006-06-01 Thread Florian Weimer
* James A. Donald: The obvious solution to the phishing crisis is the widespread deployment of SRP, but this does not seem to happening. SASL-SRP was recently dropped. What is the problem? There is no way to force an end user to enter a password only over SRP. That's why SRP is not

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- Ka-Ping Yee wrote: Phishing can mean a few different things. If by phishing you mean the stealing of passwords, then yes, SRP would help to eliminate that problem, but users could still be fooled into giving away their SRP passwords if the user interface for entering the password is

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- James A. Donald wrote: The obvious solution to the phishing crisis is the widespread deployment of SRP Lance James I disagree here, I don't think this will stop phishing for many reasons. Please explain how it would. It will stop man-in-the-middle attacks on the protocol, but

Re: Status of SRP

2006-06-01 Thread James A. Donald
-- Florian Weimer wrote: There is no way to force an end user to enter a password only over SRP. Phishing relies on the login page looking familiar. If SRP is in the browser chrome, and looks strikingly different from any web page, the login page will not look familiar. Fortunately, it

Re: Status of SRP

2006-06-01 Thread Ka-Ping Yee
On Thu, 1 Jun 2006, James A. Donald wrote: SRP necessarily runs in the chrome, in the client software, not in the web page, therefore the chrome, should put up an image that cannot be convincingly imitated by html Sure, i agree. I only brought this up to point out that SRP alone doesn't