I've tried to understand the SSL v3 protocol spec to answer this but wasn't quite up to it.

In version 2, the client supplied the random number, so a virtually undetectable malicious attack would be for someone, perhaps even a government, to supply this really cool browser that chose predictable "random" numbers. (One could speculate forever on variations of this attack, including use of viruses, etcetera, but I'll stop here.)

Has this problem somehow been fixed in v3? It looks like there's a structure entry for a server-generated random number, but I couldn't tell if this was only for when the client has a personal certificate. If both sides threw their numbers into the mix, I would think that would solve the problem. Of course, I can't imagine how a random number would be passed back from the server to the client in a secure fashion that was independent of the initial client-supplied random number...

So, has this been solved?

Thanks.

dorian
