> On Fri, 5 Jul 2002, Richard Lynch wrote:
>> But unless you paid the $200 to get it from a CA, surfers will see a nasty
>> (and totally inaccurate/misleading) warning about how insecure it is.
>
> It is easy to launch a man-in-the-middle attack against a session being
> initiated between a client and a server with a self-signed certificate.
> You just send the client a self-signed certificate of your own, and it
> can't tell it apart from the real one - same error message shows up.
"Easy" is relative.

What's more likely to occur:

A slime-ball with $200 makes a web-site to rip people off with a signed
certificate.

A hard-core hacker intercepts an HTTP connection.

Neither is a desired outcome.

The current Certificate Authority system works okay against the second one,
but doesn't really address the first.

--
Like Music?
http://l-i-e.com/artists.htm

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
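The point made in the quoted message (a client that tolerates a self-signed certificate cannot tell the real one from an impostor's, because both fail chain validation with the very same error) and the usual way out of it, pinning the expected key instead of accepting any self-signed certificate, can be shown with a short Go program. This is an added example, not code from the thread or from any PHP project; the host name `example.test`, the function names and the empty root store that stands in for a browser's trust store are all assumptions made for the demonstration. It goes a little beyond the thread by also showing the fix: a `tls.Config` whose `VerifyPeerCertificate` callback checks a pre-shared SPKI hash.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewSelfSigned issues a self-signed certificate for host. Both the real site
// and the impostor in the quoted scenario produce theirs exactly this way, so
// nothing inside the certificate says which one is genuine.
func NewSelfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
	}
	// Template is also the parent: that is what "self-signed" means.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BrowserStyleVerify does what a browser does: chain the leaf to a trusted
// root. The roots pool is assumed to model the client's trust store; with a
// self-signed leaf that is not in it, the real site and the impostor fail
// with the identical x509.UnknownAuthorityError ("same error message").
func BrowserStyleVerify(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// SPKIPin is the SHA-256 of the certificate's SubjectPublicKeyInfo, the value
// a pinning client learns out of band (config file, first visit, ...).
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// PinnedVerifier returns a tls.Config.VerifyPeerCertificate callback that
// accepts only a leaf whose SPKI hash equals pin. An impostor's self-signed
// certificate carries a different key, so it is rejected even though chain
// validation has been turned off.
func PinnedVerifier(pin string) func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		if got := SPKIPin(leaf); got != pin {
			return fmt.Errorf("certificate pin mismatch: got %s, want %s", got, pin)
		}
		return nil
	}
}

// PinnedClientConfig is the client-side tls.Config: InsecureSkipVerify turns
// off the hopeless chain check, and VerifyPeerCertificate puts the pin check
// in its place. InsecureSkipVerify on its own is exactly the "accept any
// self-signed certificate" policy the quoted message warns about.
func PinnedClientConfig(pin string) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true, VerifyPeerCertificate: PinnedVerifier(pin)}
}

func main() {
	const host = "example.test" // assumed host name for the demonstration
	site, _ := NewSelfSigned(host)
	impostor, _ := NewSelfSigned(host) // same name, attacker's own key
	empty := x509.NewCertPool()        // stands in for a trust store without the site's cert
	fmt.Println("browser-style, real site:", BrowserStyleVerify(site, empty, host))
	fmt.Println("browser-style, impostor: ", BrowserStyleVerify(impostor, empty, host))
	check := PinnedClientConfig(SPKIPin(site)).VerifyPeerCertificate
	fmt.Println("pinned, real site:", check([][]byte{site.Raw}, nil))
	fmt.Println("pinned, impostor: ", check([][]byte{impostor.Raw}, nil))
}
```

The pin must reach the client over some channel the attacker does not control (it is the "$200 to a CA" replaced by an out-of-band exchange), and rotating the server key means rotating the pin, which is why pinning suits a closed set of clients better than the public web.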