
This was the second SSL problem documented; it was fixed in Netscape 2.0. The fix is to include the hostnames used for the server in the certificate as multi-values for the CommonName (CN). The fix is relatively simple; the client must then check the certificate to make sure the hostname matches, and the CA must not check ownership of domain names before issuing certs.

Simon

(The first, and silliest, was the original SSL's habit of using RC4 on (essentially) known plain-text with no checksum. Doh!)

---
Cause maybe (maybe)                   | In my mind I'm going to Carolina
you're gonna be the one that saves me | - back in Chapel Hill May 16th.
And after all                         | Email address remains unchanged
You're my firewall -                  | ........First in Usenet.........
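The client-side check described in the message above, as an added example that is not part of the original post or any browser's code: the hostname the user requested is compared against every CommonName value in the server certificate's subject. The subject layout follows what Python's `ssl.SSLSocket.getpeercert()` returns; the sample subject, the `.test` hostnames and the function names are constructed for illustration.

```python
"""Match a requested hostname against a certificate's multi-valued CommonName."""

# Constructed sample subject in the shape ssl.SSLSocket.getpeercert() uses:
# a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
MULTI_CN_SUBJECT = (
    (("organizationName", "Example Corp"),),
    (("commonName", "www.example.test"),),
    (("commonName", "secure.example.test"),),
)


def common_names(subject):
    """Return every CommonName value in the subject, in certificate order."""
    return [value for rdn in subject for (attr, value) in rdn
            if attr == "commonName"]


def normalize(hostname):
    """Lower-case the name and drop one trailing dot; reject unusable names."""
    if not hostname or "\x00" in hostname:
        # A name with an embedded NUL is rejected, never silently truncated.
        raise ValueError("invalid hostname")
    if hostname.endswith("."):
        hostname = hostname[:-1]
    if not hostname:
        raise ValueError("invalid hostname")
    return hostname.lower()


def hostname_matches(subject, requested_host):
    """True only if the host the user asked for is named in the certificate."""
    try:
        wanted = normalize(requested_host)
    except ValueError:
        return False
    for cn in common_names(subject):
        try:
            if normalize(cn) == wanted:
                return True
        except ValueError:
            continue  # a malformed CN never matches anything
    return False


if __name__ == "__main__":
    for host in ("secure.example.test", "other.example.test"):
        print(host, hostname_matches(MULTI_CN_SUBJECT, host))
```

The comparison is an exact, case-insensitive match with no wildcard handling, since the message describes only listing each hostname as a CN value.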