On Fri, 22 Sep 1995, David J. Bianco wrote:
Has anyone given much thought to the feasability of a man-in-the-middle attack against an SSL (or other similar) transaction? To me, the possibility seems obvious, so I figure it must have been discussed before, though I haven't seen it. .... Since neither the browser nor the server perform any authentication checks, neither Bob nor Alice know they are really speaking to Mallet. The best Alice can do is check the IP address of the client she's speaking to, but
Ah, err, the infamious problem of Netscape Navigator refusing to talk to SSL httpd's because they don't have a certificate issued by Verisign is caused by the client authentication the Server certificate. To get a Verisign signed x509 certificate requires quite a bit of proof that your company is who they claim they are. So server authentication is used. eric -- Eric Young | Signature removed since it was generating AARNet: eay@mincom.oz.au | more followups than the message contents :-)