Ka-Ping Yee wrote:
> "Phishing" can mean a few different things. If by
> "phishing" you mean the stealing of passwords, then
> yes, SRP would help to eliminate that problem, but
> users could still be fooled into giving away their SRP
> passwords if the user interface for entering the
> password is convincingly imitated.

SRP necessarily runs in the chrome, in the client software, not in the web page; therefore the chrome should put up an image that cannot be convincingly imitated by HTML - for example, on Windows, a non-rectangular login page, as with paradox's keygen, or, as with the infocard software, taking over the entire screen, including covering the taskbar, which an HTML page cannot do. In order to imitate that, the attacker would need control of the client machine.

> I'm working on Passpet, a password management tool
> that tries to address several of the big
> phishing-related problems including password capture
> and dictionary attack, and for the authentication part
> I chose SRP. So that's one place it's getting used,
> anyway.

Cannot find a web page that presents Passpet.

    --digsig
         James A. Donald
     6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
     ybM860Mr+CSlXrrR8xph9v0B91GQWJBI8SAGwuFs
     4B8M3YBCebHr5lGeEDBz+TIrbMLygWsXUEGxXWNj5