On Thu, 1 Jun 2006, James A. Donald wrote:

> SRP necessarily runs in the chrome, in the client
> software, not in the web page, therefore the chrome
> should put up an image that cannot be convincingly
> imitated by html

Sure, i agree. I only brought this up to point out that SRP alone doesn't solve the problem; it remains an open question how to best design a password entry field that defeats spoofing. You mentioned several techniques, and there are others, and so far we don't know what works best for most users.

Passpet's strategy is to customize a button that you click. We are used to recognizing toolbar buttons by their appearance, so it seems plausible that if the button has a custom per-user icon, users are unlikely to click on a spoofed button with the wrong icon. Unlike other schemes, such as special-looking windows or a custom image shown with the login form, this strategy requires the user to directly interact with the customized UI element. The effectiveness of Passpet's approach is only hypothesized; it has never been formally tested, so i can't claim it works better.

> Cannot find a web page that presents passpet.

See http://usablesecurity.com/2006/02/08/how-to-prevent-phishing/ for the original description of the ideas. The design of Passpet is a bit more refined now and will be published at SOUPS 2006.

-- ?!ng

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]