On 12/11/2010 6:22 PM, MFPA wrote:
> A question on the subject of SSL/TLS certificates and HTTPS: often
> there is no user requirement to "authenticate" the identity of the
> server, but rather a simple requirement to prevent snooping; why does
> this need a certificate?
Otherwise the snooper could just use a MitM and you'd be none the wiser. When you visit Amazon.com, both you and Amazon need some way to ensure you're talking to the real McCoy. Amazon authenticates you by having you provide a username and password. You authenticate Amazon by checking their SSL cert and seeing that it was issued by a trusted authority. If you didn't check the SSL cert, I could provide a self-signed SSL cert, have you accept it, and then do a MitM on your connection. Next thing you know, you've paid for all my Christmas shopping...
_______________________________________________
Gnupg-users mailing list
http://lists.gnupg.org/mailman/listinfo/gnupg-users
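An added example, not part of the reply above, to make the point concrete: a toy Diffie-Hellman handshake in which an HMAC under a key the client learned out of band stands in for the CA-backed signature on the server's key share (the parameters, key names and the `run` helper are all constructed for illustration). Without that identity check the client keys happily with whoever answers in the middle; with it, a substituted share is rejected.

```python
import hashlib
import hmac
import secrets

# Toy DH parameters (NOT safe for real use): a Mersenne prime and a small base.
P = 2**127 - 1
G = 3

# Stand-in for the server's certified key: a secret the client obtained through a
# trusted channel (constructed value). In TLS this role is played by the server's
# key pair, vouched for by a certificate the client checks against a trusted CA.
SERVER_IDENTITY_KEY = b"constructed-server-identity-key"


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def derive_key(priv, peer_pub):
    # Session key = hash of the shared DH secret.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()


def sign_share(identity_key, pub):
    # Binds the key share to an identity; only the real server holds the key.
    return hmac.new(identity_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()


def run(authenticate, active_attacker):
    """Simulate one handshake; return 'secure', 'snooped' or 'rejected'."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    sig = sign_share(SERVER_IDENTITY_KEY, s_pub) if authenticate else None

    if active_attacker:
        # Someone in the middle substitutes their own share in both directions,
        # but has no identity key and so cannot sign it as the server.
        a_priv, a_pub = dh_keypair()
        server_sees, client_sees = a_pub, a_pub
        sig_seen = sign_share(b"no-identity-key", a_pub) if authenticate else None
    else:
        server_sees, client_sees, sig_seen = c_pub, s_pub, sig

    if authenticate:
        # The client's "certificate check": does the share carry the server's signature?
        expected = sign_share(SERVER_IDENTITY_KEY, client_sees)
        if not hmac.compare_digest(expected, sig_seen):
            return "rejected"

    client_key = derive_key(c_priv, client_sees)
    server_key = derive_key(s_priv, server_sees)
    if active_attacker:
        # The middle party now shares a key with each side and can read everything.
        return "snooped" if client_key == derive_key(a_priv, c_pub) else "secure"
    return "secure" if client_key == server_key else "rejected"
```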
