Hi,
I would enjoy hearing some opinions on the following
potential scenario:
The SSL client does no client authentication and has to transmit
one string that contains security-sensitive data.
Let's think of a man-in-the-middle who lets through
the handshake packets but blocks the data packets.
He then performs a brute-force attack on the sent data
and opens a completely new SSL connection with the server,
transmitting the data that the server expects to receive
from the one real client.
I know that with client authentication you could avoid this, but some
customers of our solution might not be able to configure
their server for client authentication. So how realistic do
you think this is?
Thanks,
Stephan
--------------------------
Tel : +49 89 92699114
Fax : +49 89 92699226
mail: [EMAIL PROTECTED]
www : http://www.ecrc.de
Cable & Wireless ECRC GmbH
--------------------------
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]