Thread: Status of SRP

Status of SRP
Jeffrey Altman
2006-06-04 15:55:42
James A. Donald wrote:
>     --
> Jeffrey Altman wrote:
>> Unfortunately, SRP is not the solution to the phishing
>> problem. The phishing problem is made up of many
>> subtle sub-problems involving the ease of spoofing a
>> web site and the challenges involved in securing the
>> enrollment and password change mechanisms.
>
> With SRP, the web site cannot be spoofed, for it must
> prove it knows the user's secret passphrase.

James, SRP can only prevent spoofs of successful authentications,
and it can only prevent spoofs when it is actually used.

It cannot prevent spoofs of unsuccessful authentications, and that
is where a huge part of the problem lies.  Consider the reaction
of many individuals when they receive a page that indicates that
their username and/or password are incorrect.

Sites that offer the common secret question(s) can be spoofed.
The attacker's spoof sits in the middle, captures the question from
the real site and the answer from the user, and if the real site says
that the new password is being sent, puts up a new page indicating
that the password should be changed online, along with prompts for
private information that the attacker wants.

Stopping phishing with successful authentication is not even half
the problem.

Jeffrey Altman
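Added example, not part of the thread and not code by either poster: a minimal SRP-6a style exchange in Python that makes the distinction above concrete. An honest server proves it holds the verifier by returning M2, a spoof that lacks the verifier cannot produce a valid M2 and is caught, but a phishing page that simply answers "username or password incorrect" never reaches the point where the client has anything to check, so the client's result is identical to a genuine failed login. Assumptions: the group is the 1024-bit group from RFC 5054 Appendix A transcribed by hand (check it against the RFC before reuse; the algebra is correct for any modulus, so the demonstration does not depend on the transcription); the proof values M1/M2 are simplified relative to RFC 2945/5054; the class names `HonestServer`, `SpoofServer` and `PhishingFailurePage` and the function `client_login` are hypothetical names for this example; the account "alice" and its password are constructed test data.

```python
import hashlib
import secrets

# 1024-bit SRP group from RFC 5054 Appendix A (hand-transcribed; verify before reuse).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def H(*parts: bytes) -> int:
    """SHA-256 over the concatenation, read as a big-endian integer."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so both sides hash identical bytes."""
    return x.to_bytes(NBYTES, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_x(salt: bytes, username: str, password: str) -> int:
    """x = H(salt || H(username ':' password)); never stored by the server."""
    return H(salt, hashlib.sha256(f"{username}:{password}".encode()).digest())


def enroll(username: str, password: str):
    """Server-side enrollment: keep only (salt, verifier v = g^x)."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)


class HonestServer:
    """Real site: holds verifiers and proves that knowledge with M2."""
    def __init__(self, db):
        self.db = db            # username -> (salt, verifier)
        self._state = None      # (A, B, K) for the session in progress

    def step1(self, username, A):
        if username not in self.db or A % N == 0:
            return None         # "incorrect username or password"
        salt, v = self.db[username]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow((A * pow(v, u, N)) % N, b, N)
        K = hashlib.sha256(pad(S)).digest()
        self._state = (A, B, K)
        return salt, B

    def step2(self, M1):
        A, B, K = self._state
        if not secrets.compare_digest(M1, hashlib.sha256(pad(A) + pad(B) + K).digest()):
            return None         # client's proof failed: wrong password
        return hashlib.sha256(pad(A) + M1 + K).digest()   # server's proof M2


class SpoofServer:
    """Phishing site that tries to finish the protocol without the verifier."""
    def step1(self, username, A):
        return b"\x00" * 16, pow(g, secrets.randbelow(N - 2) + 1, N)

    def step2(self, M1):
        return secrets.token_bytes(32)   # cannot compute the real M2


class PhishingFailurePage:
    """Phishing site in the middle that relays step 1 to the real site and
    then, whatever happens, shows 'password incorrect, please try again'."""
    def __init__(self, real_site):
        self.real_site = real_site

    def step1(self, username, A):
        return self.real_site.step1(username, A)

    def step2(self, M1):
        return None                      # never sends any proof to check


def client_login(server, username, password) -> str:
    """Client side. Returns "authenticated" (server proved it holds v),
    "server_proof_failed" (spoof detected) or "login_failed" (server reported
    failure before proving anything, so there was nothing to verify)."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    resp = server.step1(username, A)
    if resp is None:
        return "login_failed"
    salt, B = resp
    if B % N == 0:
        return "server_proof_failed"
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(pad(S)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K).digest()
    M2 = server.step2(M1)
    if M2 is None:
        return "login_failed"
    expected = hashlib.sha256(pad(A) + M1 + K).digest()
    return "authenticated" if secrets.compare_digest(M2, expected) else "server_proof_failed"


def demo() -> dict:
    """Constructed account; runs the four cases discussed in the post."""
    db = {"alice": enroll("alice", "correct horse")}
    real = HonestServer(db)
    return {
        "good_password": client_login(real, "alice", "correct horse"),
        "bad_password": client_login(real, "alice", "wrong"),
        "spoof": client_login(SpoofServer(), "alice", "correct horse"),
        "phish_failure": client_login(PhishingFailurePage(real), "alice", "correct horse"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:14s} -> {outcome}")
```

The "bad_password" and "phish_failure" cases return the same value, which is the whole point: SRP's server proof only exists on the success path, so a site that always reports failure is indistinguishable, at the protocol level, from the real site rejecting a mistyped password.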