TLS/SRP in browsers?

Question

Is there a plan or existing implementation of RFC 5054 in any of the major browsers yet?

If nobody has an implementation yet, then which major browsers have it on their roadmap? Where?

Answer 1

This feature is on Mozilla's radar, and there are a couple of feature enhancement requests on record at bugzilla.mozilla.org (356855,405155), but they've been pretty quiet lately. There maybe a lack of an appreciation of what SRP is good for.

For my two cents, SRP/TLS seems to not mesh well with existing security models in Firefox, so implementation touches many different parts of the browser (from UI to NSS). Could be a similar issue for other browsers as well?

Answer 2

cURL will have TLS-SRP support in the next release. See the Patch for TLS-SRP support (using GnuTLS) thread in curl-library. (I revived a patch by Peter Sylvester.)

And I'm trying to revive Steffen Schulz's bugzilla patches for TLS-SRP in NSS (bugzilla #405155), which is Mozilla's SSL/TLS library. I've updated the patches to work with the latest NSS and will post them in a week or so. Once it's working in NSS, then Firefox is next.

Answer 3

A JavaScript implementation works in Firefox:

http://srp.stanford.edu/demo/demo.html

Answer 4

There is some code for NSS, Chrome and Firefox, nothing merged yet, but it works. Some minor non-technical issues are still to be resolved however. Some code and info can be found on trustedhttp.org, and in Firefox and Chromium bugzillas.