[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)

James A. Donald jamesd at echeque.com
Wed Jul 13 14:12:22 EDT 2011


On 2011-07-13 8:49 PM, Adam Back wrote:
> EKE for web login is decades
> overdue and if implemented and deployed properly in the browser and server
> could pretty much wipe out phishing attacks on passwords.

EKE requires a change in the browser, in the server, and in the login page.

> We have source code for apache, mozilla, maybe could persuade google; and
> perhaps microsoft and apple could be shamed into following if that was
> done.
>
> Of course one would have to disable some things (basic auth?) and do some
> education - never enter passwords outside of the browser's verifiably local
> authentication dialog - but how else are we going to get progress, this is
> 2011, and the solution has been known for nearly 20 years - it's about time
> eh? Maybe you could even tell the browser your passwords so it could detect
> and prevent users typing that into other contexts.

I was unaware that source code for these tools existed. When you say it
exists, can I today set up an apache server on one machine I control, a
login web page in PHP to a mysql database, a mozilla browser on another
machine, and today log in to that database using EKE?

Gutmann's code came a fair bit short of that level of functionality.

If code to do this actually exists, where is it?