[cryptography] Why anon-DH is less damaging than current browser PKI (a rant in five paragraphs)

Ben Laurie ben at links.org
Mon Jan 7 07:50:51 EST 2013


On Mon, Jan 7, 2013 at 11:33 AM, ianG <iang at iang.org> wrote:
> OK, I agree that Peter is impatient and frustrated.  So am I.  Dealing with
> responsible parties that say "phishing isn't our problem" is pretty tiring
> when $100m a year goes down the tubes because of it.

To be clear, I am not saying phishing is not our problem, I am saying
that binding keys to sites, regardless of how you do it, is not the
answer to phishing (regardless of early PKI marketing history).

IMO, the answer to phishing is to solve the password problem, and the
solution to the password problem is really good password managers. But
I haven't had much luck selling that solution. Probably because,
rather like Peter's solution, it has a largish element of fluff.


