[cryptography] ssh-keys only and EKE for web too (Re: preventing protocol failings)
James A. Donald
jamesd at echeque.com
Wed Jul 13 14:17:49 EDT 2011
On 2011-07-13 9:10 PM, Peter Gutmann wrote:
> As for Microsoft, Opera, etc who knows? (If you work on, or have worked on,
> any of these browsers, I'd like to hear more about why it hasn't been
> considered). I think it'll be a combination of two factors:
> 1. Everyone knows that passwords are insecure so it's not worth trying to do
> anything with them.
> 2. If you add failsafe mutual authentication via EKE to browsers, CAs become
> entirely redundant.

Indeed, if EKE is implemented in the most straightforward way, any page
or data that can only be accessed while logged in is securely encrypted
even if accessed over http.

Free browsers are supported by CAs. EKE-enabled browsers would only be
supported by people needing secure logins, which form a less
concentrated interest, therefore an interest less capable of providing