>>>>Eric Rescorla says ..... <<<<<
> Anyway, I suspect what he's referring to is the well-known observation
> that people are stupid enough to click through the browser provided
> warnings. If so, this isn't a flaw in SSL. [0]
>
Perhaps that's it. He alludes to a similar warning in SSH.
> Aside from that attack, there aren't any known good man-in-the-middle
> attacks against SSL [0]. However, note that it's possible to undetectably
> tamper with the HTTP-fetched page containing the HTTPS URL and
> thus totally compromise SSL connections derived from that page.
>
This must be what he was referring to in his Sep. 99 article, although
you've managed to communicate both points much more clearly in seven lines.
Greg Stark, [EMAIL PROTECTED]
Chief Security Architect
Ethentica, Inc.
www.ethentica.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]