I am working on a large patch that adds TLS-SRP (RFC 5054)[1] support
to Chrome. This lets Chrome mutually authenticate and establish TLS
sessions with Web sites using only a username and password; no
certificate is required. It is working now; of course, much, much more
needs to be done, but you can try it out now.
Patch[2], instructions, and Linux binary at: http://trustedhttp.org/wiki/TLS-SRP_in_Chrome
The patch includes additions to Chrome net/ and chrome/ as well as
OpenSSL, NSS, and TLS Lite. It updates the URLRequest, HTTP
transaction, and NSS SSL client socket code in net/ and exposes
SetTLSLogin and ContinueWithTLSLogin (etc.) methods in URLRequest. The
UI code presents a login dialog when users browse to TLS-SRP-enabled
servers and displays the logged-in username in the location bar. It
also displays the TLS-SRP security information in the page info
display.
There are lots of tests, but more are needed. Other issues are listed
on the wiki page, notably: (1) it only works on Linux right now, and
(2) the login form needs to be in the browser chrome so that it's
harder to spoof.
This is a fairly significant addition, so I want to start getting
feedback early on. I am specifically interested in hearing any
thoughts regarding (1) making a login form that's tough to spoof; (2)
where/how to display the logged-in username in the location bar (right
now, it's on the right in a blue EV-like bubble); and (3) how/whether
to offer log in (from HTTP or cert HTTPS to SRP HTTPS) and log out
functionality. Also, are there any committers who have advice on how
to move this patch forward?
[1] TLS-SRP (RFC 5054): http://tools.ietf.org/html/rfc5054
[2] http://trustedhttp.org/chromium+tls-srp-20110406.patch -- also
requires other patches listed on the wiki page
-Quinn
