Lance James wrote:

> James A. Donald wrote:
>
>> The obvious solution to the phishing crisis is the widespread
>> deployment of SRP, but this does not seem to be happening. SASL-SRP was
>> recently dropped. What is the problem?

I want to clarify, because by typing too fast, I think my variables may be
confusing since I was reading the spec of SRP from two different docs.
u and x in my sentence were username and password, not x being the typical
derived secret. What it should be is u and p. Please note the corrections.
Thanks.

> I disagree here, I don't think this will stop phishing for many reasons.
> Please explain how it would. It will stop "man-in-the-middle" attacks on
> the protocol, but phishers aren't attacking the protocols themselves.
>
> It's still single-auth and I can still obtain the user password via
> phishing. Please correct me if I'm wrong but phishing is before this
> protocol will be accessed.
>
> If Mallory convinces Carol to log into a spoofed site that looks like
> Steve not running SRP, then u and x are obtained by Mallory. Mallory
> simply logs into Steve with U and X.
>
> In SRP what is preshared is g^x where x = H(s,p) where s is a salt and p
> is the password.
>
> p would be a weakness here because the user knows it, and in phishing,
> if the user knows it, the user is vulnerable.
>
> My 2 cents.
>
>> ---------------------------------------------------------------------
>> The Cryptography Mailing List
>> Unsubscribe by sending "unsubscribe cryptography" to
>> [EMAIL PROTECTED]

--
Best Regards,
Lance James
Secure Science Corporation
www.securescience.net
Author of 'Phishing Exposed'
http://securescience.net/home/news/phishingexposed.html
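The SRP property the thread is arguing about (the server holds only the verifier v = g^x with x = H(s, p), so p lives with the user alone), shown as a toy SRP-6a handshake. This is an added example, not code from the thread; it assumes SHA-256 as H and a small Mersenne prime as a stand-in for a real RFC 5054 group, and the function names are constructed.

```python
# Toy SRP-6a exchange (added example). The server enrols a client by storing
# (salt, v = g^x), never p; completing a login requires recomputing x = H(s, p),
# which only a party that knows p can do. TOY group: N is a Mersenne prime, not
# a safe prime, chosen for readability; real deployments use RFC 5054 groups.
import hashlib
import secrets

N = 2**127 - 1   # toy prime, NOT for production use
g = 3


def H(*parts):
    """Hash helper: SHA-256 over the concatenated byte strings, as an integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def int_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


k = H(int_bytes(N), int_bytes(g))   # SRP-6a multiplier k = H(N, g)


def register(password, salt=None):
    """Enrolment: the server receives (salt, v) and never sees p itself."""
    salt = salt or secrets.token_bytes(16)
    x = H(salt, password)
    return salt, pow(g, x, N)


def exchange(password, salt, v):
    """One handshake; returns (client_session_key, server_session_key)."""
    a = secrets.randbelow(N - 2) + 1          # client ephemeral
    A = pow(g, a, N)
    b = secrets.randbelow(N - 2) + 1          # server ephemeral
    B = (k * v + pow(g, b, N)) % N
    u = H(int_bytes(A), int_bytes(B))
    x = H(salt, password)                     # client side: needs p
    S_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    S_server = pow(A * pow(v, u, N) % N, b, N)   # server side: needs only v
    return S_client, S_server


def keys_match(registered_pw, attempted_pw):
    """True iff a client holding attempted_pw agrees on the key with the server."""
    salt, v = register(registered_pw)
    S_c, S_s = exchange(attempted_pw, salt, v)
    return S_c == S_s
```

Both sides agree only when the client supplies the enrolled p; the verifier alone, as held by the server, is not enough to act as the client.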