James A. Donald wrote:
The obvious solution to the phishing crisis is the widespread deployment
of SRP, but this does not seem to be happening. SASL-SRP was recently
dropped. What is the problem?
Unfortunately, SRP is not the solution to the phishing problem.
The phishing problem is made up of
On Thu, Jun 01, 2006 at 01:47:06PM +1200, Peter Gutmann wrote:
Grab OpenVPN (which is what OpenSWAN should be), install, point it at the
target system, and you have opportunistic encryption.
Forgive my doltishness, but could you expand on that just a bit, please (or
point at the right place in
Here's where SRP fails:
1) SSL is built into the browser - doesn't stop phishers
2) Chrome or no chrome, good luck getting it in there and having every
user understand it.
3) Traditional phishing works, but if you force them to change, the
malware propagation will only be higher than it is now,
On Thu, 1 Jun 2006, James A. Donald wrote:
Florian Weimer wrote:
There is no way to force an end user to enter a
password only over SRP.
Phishing relies on the login page looking familiar. If
SRP is in the browser chrome, and looks strikingly
different from any web page, the login page
On Thu, 1 Jun 2006, Florian Weimer wrote:
That is an all purpose argument that is deployed
selectively against some measures and not others.
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer
--
Ka-Ping Yee wrote:
Passpet's strategy is to customize a button that you
click. We are used to recognizing toolbar buttons by
their appearance, so it seems plausible that if the
button has a custom per-user icon, users are unlikely
to click on a spoofed button with the wrong icon.
Florian Weimer wrote:
If you've deployed two-factor authentication (like German banks did in
the late 80s/early 90s), the relevant attacks do involve compromised
customer PCs. 8-( Just because you can't solve it with your technology
doesn't mean you can pretend the attacks don't happen.