"HTTP Mutual Access Authentication Protocol" is a proposed new protocol for preventing phishing attacks against Web systems. This protocol provides true mutual authentication between HTTP clients and servers using simple password-based authentication. Unlike the Basic and Digest HTTP access authentication protocols, this protocol ensures that the server knows the user's entity (encrypted password) upon successful authentication. This prevents common phishing attacks: phishing attackers cannot convince users that they have been authenticated to the genuine website. Furthermore, even when a user has been authenticated against an illegitimate server, that server cannot gain a single bit of information about the user's password.
- Latest specification draft-12 uploaded (June 04, 2012)
- Experimental Web browser updated: based on Firefox 3.6 and the draft-09 spec (Jan 13, 2011)
- Apache extension module updated (Jan 13, 2011)
- Update history
- Trial implementation on Lunascape, a tabbed browser with an IE component, for Yahoo! auction (in Japanese, on the Yahoo! JAPAN website)
An FAQ is currently available in Japanese.
This project is a result of the "joint research about security enhancement technologies for the Internet (in Japanese: インターネットにおけるセキュリティ強化技術の共同研究)" between RCIS, AIST and Yahoo! Japan, Inc.