>On Fri, 5 Jul 2002, Richard Lynch wrote:
>> But unless you paid the $200 to get it from a CA, surfers will see a nasty
>> (and totally inaccurate/misleading) warning about how insecure it is.
>It is easy to launch a man-the-middle attack against a session being
>initiated between a client and a server with a self-signed certificate.  
>You just send the client a self-signed certificate of your own, and it
>can't tell it apart from the real one - same error message shows up.

"Easy" is relative.

What's more likely to occur:

A slime-ball with $200 makes a web-site to rip people off with a signed
A hard-core hacker intercepts an HTTP connection.

Neither is a desired outcome.

The current Certificate Authority system works okay against the second one,
but doesn't really address the first.

Like Music?  http://l-i-e.com/artists.htm

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to