
I've written up an attack on SSL server authentication at http://www.iol.ie/~fod/sslpaper/sslpaper.htm

As far as I am aware, this attack hasn't been written about before. It does not attack the SSL protocol or low-level cryptography, but works at a higher level in order to persuade users to connect to fake servers, with the browser nonetheless giving all the usual appearances of a secure session.

Not much technical sophistication is required to carry off the attack, and the impact is that a user may be persuaded to reveal information such as credit card numbers, PINs, insurance or bank details, or other private information to the fake server. Another risk is that the user may download and run trojan Java applets or executables (e.g. banking or database clients) from the fake server, believing them to be from the real server and therefore safe.

I am posting this announcement on comp.security.misc, ssl-talk and on cypherpunks. If you know of any other individuals who may be concerned about this attack, but who do not read this group or those lists, please forward this message to them.

Cheers,
Frank O'Dwyer
fod@brd.ie