On Mon, Sep 30, 2013 at 10:35 AM, Igor Bukanov <i...@mir2.org> wrote:
> To fight this issue, help from the browser is essential. One
> possibility is to replace HTTPS with SRP (srp.stanford.edu) or a J-PAKE
> like protocol that allows the user and the server to *mutually*
> verify each other without leaking a password. However, this is very
> drastic as it requires switching the whole site to the new protocol.
> What is essential is to allow a gradual switch where a site can
> quickly protect a few important pages without significant changes in the
> current setup.

http://tools.ietf.org/html/draft-oiwa-http-mutualauth-12

See http://tools.ietf.org/html/draft-balfanz-tls-channelid-01 for a
different approach. I also posted a message about ChannelID on this list
recently.

Cheers,
Brian
--
Mozilla Networking/Crypto/Security (Necko/NSS/PSM)
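To make concrete what the quoted message means by "mutually verify each other without leaking a password", here is an added SRP-6a walkthrough (not code from this thread, Mozilla, or either draft): the server stores only a salt and verifier, the client never sends the password, and each side checks the other's key-confirmation message before accepting. The group constants are assumed to be the 1024-bit N and g from RFC 5054 Appendix A, and the function names are my own.

```python
"""Toy SRP-6a login (the PAKE the quoted message names). The server stores a
verifier, never the password; both sides prove they hold the same session key,
so each authenticates the other. Added example, not production code."""
import hashlib
import secrets

# N, g: assumed to be the 1024-bit group of RFC 5054 Appendix A (verify first).
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
        "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
        "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
        "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:            # fixed-width big-endian, as RFC 5054 hashes it
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))                # SRP-6a multiplier

def private_x(salt: bytes, user: bytes, pw: bytes) -> int:
    return H(salt, hashlib.sha256(user + b":" + pw).digest())

def enroll(user: bytes, pw: bytes):
    """Signup: the server keeps (salt, v) only; a stolen v does not by itself
    let anyone log in as the user, and the server never learns pw."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, pw), N)

def login(user: bytes, pw: bytes, salt: bytes, v: int) -> dict:
    """One exchange; pw is the client's input, (salt, v) the server's record."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)                                  # client -> server: user, A
    if A % N == 0: raise ValueError("server MUST abort: A mod N == 0")
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N                    # server -> client: salt, B
    if B % N == 0: raise ValueError("client MUST abort: B mod N == 0")
    u = H(pad(A), pad(B))
    if u == 0: raise ValueError("both MUST abort: u == 0")
    x = private_x(salt, user, pw)                     # only the client knows x
    K_c = H(pad(pow((B - k * pow(g, x, N)) % N, a + u * x, N)))  # client key
    K_s = H(pad(pow(A * pow(v, u, N) % N, b, N)))                # server key
    M1 = H(pad(A), pad(B), pad(K_c))                  # client -> server: proof
    server_ok = (M1 == H(pad(A), pad(B), pad(K_s)))   # server verifies client first
    M2 = H(pad(A), pad(M1), pad(K_s))                 # server -> client: proof
    client_ok = server_ok and M2 == H(pad(A), pad(M1), pad(K_c))
    return {"client_key": K_c, "server_key": K_s,
            "server_accepts": server_ok, "client_accepts": client_ok}
```

With the right password both keys agree and both proofs verify; with a wrong one the keys differ, the server rejects M1, and a server that does not hold the real verifier cannot produce an M2 the client will accept.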