On Mon, 05 Jan 2009 11:25:58 PST, Tim said:
> Uh, no, actually CAs provide some weak assurance that the certificate is
> the real one and associated with that server. A self-signed one
> provides none. If you can't, in some way, authenticate the certificate
> then SSL is not any better than sending data plain text.

It's *slightly* better, in that it guards against passive sniffing attacks on the data in transit. You're right that it doesn't guard against an active MITM attack.
Attachment:
pgpbq8X85lx8B.pgp
Description: PGP signature
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
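As an added example (not part of the thread above, and not code from either poster), the Go program below works through the distinction the two messages are making. It mints two self-signed certificates for the same hypothetical name example.test, one for the genuine server and one for an attacker sitting in the path. A client with verification switched off accepts both, which is the active-MITM gap: nothing in the handshake tells it which one it reached. A client that authenticates the certificate "in some way" other than a CA, here by pinning the SHA-256 fingerprint of the genuine leaf recorded out-of-band, accepts the real server and aborts on the attacker's. The hostname, the loopback servers, the fingerprint pin and all helper names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

const host = "example.test" // hypothetical server name, an assumption of this example

func check(err error) {
	if err != nil {
		panic(err) // key generation or loopback listen failed; nothing left to demonstrate
	}
}

// selfSigned mints an ephemeral self-signed cert for host; an attacker can do exactly the same.
func selfSigned() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// fingerprint is the SHA-256 of the DER leaf: what an operator records out-of-band and pins.
func fingerprint(leaf []byte) string {
	sum := sha256.Sum256(leaf)
	return hex.EncodeToString(sum[:])
}

// serve accepts TLS connections on loopback with cert, completing each handshake so the
// client is shown the certificate. It returns the address and a stop function.
func serve(cert tls.Certificate) (addr string, stop func()) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	check(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(tc *tls.Conn) { _ = tc.Handshake(); tc.Close() }(c.(*tls.Conn))
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// connect dials addr as host. pinned == "" means "accept whatever certificate is shown",
// the unauthenticated case from the thread; otherwise the leaf must match the pin.
func connect(addr, pinned string) error {
	cfg := &tls.Config{ServerName: host, InsecureSkipVerify: true} // no CA chain; decided below
	if pinned != "" {
		cfg.VerifyPeerCertificate = func(raw [][]byte, _ [][]*x509.Certificate) error {
			if fingerprint(raw[0]) != pinned {
				return fmt.Errorf("leaf fingerprint mismatch: possible active MITM")
			}
			return nil
		}
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return conn.Close()
}

// outcome records whether each of the four client connections was accepted.
type outcome struct{ NoVerifyLegit, NoVerifyMitm, PinnedLegit, PinnedMitm bool }

// scenario runs the genuine server and an attacker's server that presents its own
// self-signed cert for the same name, then tries both client policies against each.
func scenario() outcome {
	legit, mitm := selfSigned(), selfSigned() // same name, different keys
	legitAddr, stopLegit := serve(legit)
	defer stopLegit()
	mitmAddr, stopMitm := serve(mitm)
	defer stopMitm()
	pin := fingerprint(legit.Certificate[0])
	return outcome{
		NoVerifyLegit: connect(legitAddr, "") == nil,
		NoVerifyMitm:  connect(mitmAddr, "") == nil, // accepted: indistinguishable from the real server
		PinnedLegit:   connect(legitAddr, pin) == nil,
		PinnedMitm:    connect(mitmAddr, pin) == nil, // rejected: the pin does not match
	}
}

func main() {
	fmt.Printf("%+v\n", scenario()) // {NoVerifyLegit:true NoVerifyMitm:true PinnedLegit:true PinnedMitm:false}
}
```

Run it with `go run`. Both servers and both clients speak real TLS, so the attacker's connection is encrypted just like the genuine one; that is the "slightly better than plaintext" case, since a purely passive observer of either connection sees ciphertext. The only thing that separates the two servers is the out-of-band knowledge carried in the pin, which is the "in some way, authenticate the certificate" step: a CA signature is one such way, a pre-shared fingerprint is another, and with neither the client has no basis for the decision.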