开发者

TLS/SRP in browsers?

Is there a plan or existing implementation of RFC 5054 in any of the major browsers yet?

If nobody has an implementation yet, then which major browsers have it on t开发者_高级运维heir roadmap? Where?


This feature is on Mozilla's radar, and there are a couple of feature enhancement requests on record at bugzilla.mozilla.org (356855,405155), but they've been pretty quiet lately. There maybe a lack of an appreciation of what SRP is good for.

For my two cents, SRP/TLS seems to not mesh well with existing security models in Firefox, so implementation touches many different parts of the browser (from UI to NSS). Could be a similar issue for other browsers as well?


cURL will have TLS-SRP support in the next release. See the Patch for TLS-SRP support (using GnuTLS) thread in curl-library. (I revived a patch by Peter Sylvester.)

And I'm trying to revive Steffen Schulz's bugzilla patches for TLS-SRP in NSS (bugzilla #405155), which is Mozilla's SSL/TLS library. I've updated the patches to work with the latest NSS and will post them in a week or so. Once it's working in NSS, then Firefox is next.


There is some code for NSS, Chrome and Firefox, nothing merged yet, but it works. Some minor non-technical issues are still to be resolved however. Some code and info can be found on trustedhttp.org, and in Firefox and Chromium bugzillas.


A JavaScript implementation works in Firefox:

http://srp.stanford.edu/demo/demo.html

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜