Overview
"HTTP Mutual Access Authentication Protocol" is a proposed new protocol for preventing phishing attacks against Web systems. This protocol provides true mutual authentication between HTTP clients and servers using simple password-based authentication. Unlike the Basic and Digest HTTP access authentication protocols, this protocol ensures that the server knows the user's entity (encrypted password) upon successful authentication. This prevents common phishing attacks: phishing attackers cannot convince users that they have been authenticated to the genuine website. Furthermore, even when a user has been authenticated against an illegitimate server, the server cannot gain even a single bit of information about the user's password.
News
- Latest specification draft-10 uploaded (Oct 31, 2011)
- Experimental Web browser updated: based on Firefox 3.6 and the draft-09 spec (Jan 13, 2011)
- Apache extension module updated (Jan 13, 2011)
- Update history
The Protocol
Software Download
- Trial implementation on Lunascape for Yahoo! auction, tabbed browser with IE component (in Japanese, in Yahoo! JAPAN website)
Trial websites
The FAQ is currently available in Japanese.
This project is a part of the "joint research about security enhancement technologies for the Internet (in Japanese: インターネットにおけるセキュリティ強化技術の共同研究)" between RCIS, AIST and Yahoo! Japan, Inc.
- Other resources (in Japanese)
