[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)
James A. Donald
jamesd at echeque.com
Wed Jul 13 14:12:22 EDT 2011
On 2011-07-13 8:49 PM, Adam Back wrote:
> EKE for web login is decades
> overdue and if implemented and deployed properly in the browser and server
> could pretty much wipe out phishing attacks on passwords.
EKE requires a change in the browser, in the server, and in the login page.
> We have source code for apache, mozilla, maybe could persuade google; and
> perhaps microsoft and apple could be shamed into following if that was
> Of course one would have to disable some things (basic auth?) and do some
> education - never enter passwords outside of the browser's verifiably local
> authentication dialog - but how else are we going to get progress, this is
> 2011, and the solution has been known for nearly 20 years - it's about time
> eh? Maybe you could even tell the browser your passwords so it could detect
> and prevent users typing that into other contexts.
I was unaware that source code for these tools existed. When you say it
exists, can I today set up an apache server on one machine I control, a
login web page in PHP to a mysql database, a mozilla browser on another
machine, and today log in to that database using EKE?
Gutmann's code came a fair bit short of that level of functionality.
If code to do this actually exists, where is it?