PwdHash can address two problems:

a. theft of the passwords from one website and use of the same passwords at other websites
b. theft of passwords for the target website by phishing

But techniques like PwdHash cannot prevent phishing attacks where the phishing sites do not even validate the password from the user, but go on to prompt for and capture long-term credentials from the user, like credit cards etc. As Eliot pointed out, in such cases it is the server which needs to be authenticated in a phish-proof way.
Thanks and Regards,
Haripriya

>>> Eric Rescorla <[EMAIL PROTECTED]> 07/04/06 2:11 AM >>>
Eliot Lear <[EMAIL PROTECTED]> writes:

> Eric Rescorla wrote:
>> That's *one* way to attack phishing (at least the current form).
>> There are others (cf. PwdHash)
>>
>
> I'm sorry, but PwdHash is not enough of a reference for me to
> understand,

http://crypto.stanford.edu/PwdHash/

It's the first hit in Google, FWIW.

> but I claim that the most *effective* way to prevent
> phishing is to demand that the server prove its identity enough to know
> the right question to ask of the client. If PwdHash covers this ground,
> then we agree.

It doesn't. It uses an entirely different technique.

I don't think it's profitable to argue about what "most effective" is,
but I don't agree that the mechanism you describe is the only one.

- Ekr

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
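The two properties claimed above, and the caveat, can be checked end to end with a small PwdHash-style derivation. This is an added example, not code from the thread or from the PwdHash project: it substitutes HMAC-SHA256 for PwdHash's HMAC-MD5, approximates the site's registrable domain by its last two DNS labels (PwdHash handles public suffixes more carefully), and the domains, master password, account store and card number are all constructed for the demonstration.

```python
"""PwdHash-style per-site passwords: what they stop, and what they don't.

Added example. Assumptions: HMAC-SHA256 in place of PwdHash's HMAC-MD5; the
"site key" is the last two labels of the host (a simplification); all domains,
the master password and the card number below are constructed test values.
"""
import base64
import hashlib
import hmac
import os
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Salt used in the derivation: last two DNS labels of the host, lowercased.

    A lookalike host under an attacker's domain therefore yields a different key
    than the genuine site, which is what defeats password-capturing phish pages.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def derive_site_password(master_password: str, url: str, length: int = 16) -> str:
    """Site-specific password: HMAC keyed with the master password over the site key."""
    mac = hmac.new(master_password.encode("utf-8"),
                   site_key(url).encode("ascii"),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


class SiteAccountStore:
    """Minimal server-side password store (constructed for the example)."""

    def __init__(self) -> None:
        self._records: dict[str, tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        self._records[username] = (salt, digest)

    def verify(self, username: str, password: str) -> bool:
        if username not in self._records:
            return False
        salt, digest = self._records[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
        return hmac.compare_digest(candidate, digest)


# Constructed values: one master password typed everywhere, two real sites,
# and a phishing host that mimics the bank's hostname under another domain.
MASTER = "correct horse battery staple"
BANK = "https://login.bank.example/"
SHOP = "https://shop.example/account"
PHISH = "https://login.bank.example.evil.test/"


def reuse_across_sites_blocked() -> bool:
    """Problem (a): a password stolen from shop.example does not open the bank."""
    bank = SiteAccountStore()
    bank.register("alice", derive_site_password(MASTER, BANK))
    leaked_from_shop = derive_site_password(MASTER, SHOP)  # attacker dumped shop's DB
    return (leaked_from_shop != derive_site_password(MASTER, BANK)
            and not bank.verify("alice", leaked_from_shop))


def phished_password_useless() -> bool:
    """Problem (b): the browser hashes with evil.test, so the phish gets a useless value."""
    bank = SiteAccountStore()
    bank.register("alice", derive_site_password(MASTER, BANK))
    captured = derive_site_password(MASTER, PHISH)
    return not bank.verify("alice", captured)


def phish_that_skips_password_still_wins() -> str:
    """The caveat: a phish page that never validates the password and simply asks
    for a card number captures it verbatim; only the password field is transformed."""
    submitted_form = {
        "password": derive_site_password(MASTER, PHISH),  # worthless to the attacker
        "card_number": "4111111111111111",                 # constructed test number
    }
    return submitted_form["card_number"]


if __name__ == "__main__":
    print("reuse blocked:", reuse_across_sites_blocked())
    print("phished password useless:", phished_password_useless())
    print("card number captured anyway:", phish_that_skips_password_still_wins())
```

The last function is the point of the message: the hashing happens on the client and covers one field, so nothing in it authenticates the server to the user, which is why a page that asks for something other than the password is untouched by it.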
