[Security] About the Firefox 3 Security Dialog & others

Eric Rescorla ekr at rtfm.com
Fri Aug 22 17:18:12 CDT 2008


On Fri, Aug 22, 2008 at 1:53 PM, Jonathan Schleifer
<js-xmpp-security at webkeks.org> wrote:
> On 22.08.2008 at 22:35, Dirk Meyer wrote:
>
>> Advantages SRP:
>>  users can select a password they can remember
>>  users could use the same link to exchange the password if they talk
>>   in a riddle an attacker may not know (name of the person I talked
>>   to you about yesterday that wants to buy a new TV)
>
> Wouldn't that mean an attacker could choose the question and choose one to
> which he knows the answer because it's not so secret? If an attacker does
> that with both ends, he has won, because he selected the question. Correct
> me if I'm wrong. I'm more for SAS anyway :). Most users will choose too easy
> questions.

I don't know what you're suggesting here. The protocol simply takes
a password as an input. You need to establish the context for it out
of band in a secure way, just as you need a secure channel for the
SAS.

-Ekr

