James A. Donald wrote:
> The obvious solution to the phishing crisis is the widespread
> deployment of SRP, but this does not seem to be happening.  SASL-SRP was
> recently dropped.  What is the problem?

I disagree here, I don't think this will stop phishing for many reasons.
Please explain how it would. It will stop "man-in-the-middle" attacks on
the protocol, but phishers aren't attacking the protocols themselves.

It's still single-auth and I can still obtain the user password via
phishing. Please correct me if I'm wrong but phishing is before this
protocol will be accessed.

If Mallory convinces Carol to log into a spoofed site that looks like
Steve not running SRP, then u and x are obtained by Mallory. Mallory
simply logs into Steve with U and X.

In SRP what is preshared is g^x where x = H(s,p) where s is a salt and p
is the password.

p would be a weakness here because the user knows it, and in phishing,
if the user knows it, the user is vulnerable.

My 2 cents.
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to

Best Regards,
Lance James
Secure Science Corporation
Author of 'Phishing Exposed'
* New IntelliFound Service 2 weeks free      *
* Real-Time Identity Surveillance Service    *
* http://www.securescience.net/              *
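
As an added illustration (not part of the original message, and not code from any SRP library), the sketch below runs a minimal SRP-6a-style exchange around the relation quoted above, x = H(s,p) with the server holding g^x. It shows that the password never crosses the wire and the server stores only s and v, yet the login succeeds for whoever types the right p. The modulus N, generator g and all function names are constructed for this example; the group is a demo choice, not a standardised SRP group.

```python
# Added illustration: minimal SRP-6a-style exchange. Demo parameters, not for production.
import hashlib
import secrets

N = 2**521 - 1   # constructed demo modulus (a Mersenne prime), not a standard SRP group
g = 3            # constructed demo generator


def H(*parts) -> int:
    """Hash a sequence of ints/bytes/str to an integer with SHA-256."""
    h = hashlib.sha256()
    for p in parts:
        if isinstance(p, int):
            p = p.to_bytes((p.bit_length() + 7) // 8 or 1, "big")
        elif isinstance(p, str):
            p = p.encode()
        h.update(len(p).to_bytes(4, "big") + p)   # length-prefix each part
    return int.from_bytes(h.digest(), "big")


k = H(N, g)      # SRP-6a multiplier


def register(password: str):
    """What the server stores: salt s and verifier v = g^x, with x = H(s, p)."""
    s = secrets.token_bytes(16)
    return s, pow(g, H(s, password), N)


def login(typed_password: str, s: bytes, v: int):
    """Run one exchange; return (ok, wire), wire being everything sent over the network."""
    a = secrets.randbelow(N - 2) + 1           # client ephemeral secret
    b = secrets.randbelow(N - 2) + 1           # server ephemeral secret
    A = pow(g, a, N)                           # client -> server
    B = (k * v + pow(g, b, N)) % N             # server -> client
    u = H(A, B)
    x = H(s, typed_password)                   # derived only from what was typed
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)
    M1 = H(A, B, S_client)                     # client proof, client -> server
    return M1 == H(A, B, S_server), {"s": s, "A": A, "B": B, "M1": M1}
```

The only input `login` takes from the client side is the typed password, so the protocol's guarantees cover the wire and the stored verifier, not where the user chooses to type p.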