TLS/SRP in browsers?
Is there a plan or existing implementation of RFC 5054 in any of the major browsers yet?
If nobody has an implementation yet, then which major browsers have it on their roadmap? Where?
This feature is on Mozilla's radar, and there are a couple of feature enhancement requests on record at bugzilla.mozilla.org (356855, 405155), but they've been pretty quiet lately. There may be a lack of appreciation of what SRP is good for.
For my two cents, SRP/TLS seems to not mesh well with existing security models in Firefox, so implementation touches many different parts of the browser (from UI to NSS). Could be a similar issue for other browsers as well?
cURL will have TLS-SRP support in the next release. See the Patch for TLS-SRP support (using GnuTLS) thread in curl-library. (I revived a patch by Peter Sylvester.)
And I'm trying to revive Steffen Schulz's bugzilla patches for TLS-SRP in NSS (bugzilla #405155), which is Mozilla's SSL/TLS library. I've updated the patches to work with the latest NSS and will post them in a week or so. Once it's working in NSS, then Firefox is next.
There is some code for NSS, Chrome and Firefox, nothing merged yet, but it works. Some minor non-technical issues are still to be resolved, however. Some code and info can be found on trustedhttp.org, and in Firefox and Chromium bugzillas.
A JavaScript implementation works in Firefox:
http://srp.stanford.edu/demo/demo.html