>On Fri, 5 Jul 2002, Richard Lynch wrote:
>> But unless you paid the $200 to get it from a CA, surfers will see a nasty
>> (and totally inaccurate/misleading) warning about how insecure it is.
>It is easy to launch a man-in-the-middle attack against a session being
>initiated between a client and a server with a self-signed certificate.
>You just send the client a self-signed certificate of your own, and it
>can't tell it apart from the real one - same error message shows up.
"Easy" is relative.
What's more likely to occur:
A slime-ball with $200 makes a web-site to rip people off with a signed
A hard-core hacker intercepts an HTTP connection.
Neither is a desired outcome.
The current Certificate Authority system works okay against the second one,
but doesn't really address the first.
PHP General Mailing List (http://www.php.net/)
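As an added illustration of the quoted point (this is example code, not anything from the thread): two self-signed certificates for the same host, the site's own and a forged one, fail ordinary chain validation with the identical "unknown authority" error, so a client relying on that check alone cannot tell them apart; a client that has pinned the SPKI fingerprint of the genuine certificate can. The host name is a constructed placeholder.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"math/big"
	"time"
)

// selfSigned builds a self-signed certificate for host with a fresh P-256 key.
// The genuine server and a forger run exactly this code; nothing in the
// resulting certificate says which of them produced it.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainVerify is the browser-style check: with no trusted root, every
// self-signed certificate fails the same way (x509.UnknownAuthorityError).
func chainVerify(c *x509.Certificate, host string) error {
	_, err := c.Verify(x509.VerifyOptions{DNSName: host, Roots: x509.NewCertPool()})
	return err
}

// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a client
// would record out of band for the certificate it actually trusts.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// pinMatches is the check that does distinguish the real certificate from a forgery.
func pinMatches(c *x509.Certificate, expected string) bool { return spkiPin(c) == expected }
```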