[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jul 13 07:10:21 EDT 2011

Adam Back <adam at cypherspace.org> writes:

>EKE for web login is decades overdue and if implemented and deployed properly
>in the browser and server could pretty much wipe out phishing attacks on
>We have source code for apache, mozilla, maybe could persuade google; and
>perhaps microsoft and apple could be shamed into following if that was done.

Mozilla has said they won't be supporting it, for a reason so astonishingly
boneheaded that I'll quote the original message to make sure that it's
straight from the horse's mouth ("PSK cipher suites" = non-patent-encumbered
EKE in TLS-talk):

-- Snip --

Subject: Re: NSS implementation of TLS-PSK/ RFC 4279
Date: Tue, 14 Oct 2008 14:01:10 -0700
From: Nelson B Bolyard <nelson at bolyard.me>
Reply-To: mozilla's crypto code discussion list
<dev-tech-crypto at lists.mozilla.org>

jengler at berkeley.edu wrote, On 2008-10-14 13:52 PDT:
> I was wondering if implementation of TLS-PSK (RFC 4279) is currently in
> development. I do not see it in the current NSS source or roadmap. Thank
> you for any help.
> -John Engler

No.  There are no plans to include any PSK cipher suites in NSS.
Because of the enormous potential for PSK cipher suites to be
misused by application developers, there is strong resistance to
incorporating them into NSS.

-- Snip --

As for Microsoft, Opera, etc who knows?  (If you work on, or have worked on,
any of these browsers, I'd like to hear more about why it hasn't been
considered).  I think it'll be a combination of two factors:

1. Everyone knows that passwords are insecure so it's not worth trying to do
   anything with them.

2. If you add failsafe mutual authentication via EKE to browsers, CAs become
   entirely redundant.

So the browser vendors' approach is to ignore EKE and keep on waiting for PKI
to start working, forever if necessary.


More information about the cryptography mailing list