Re: SSL/TLS - am I doing it right?
- From: Sybren Stuvel <sybrenUSE@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 13 Mar 2006 12:07:41 +0100
Frank Millman enlightened us with:
> The point of the exercise for me is encryption. I am not too worried
> about authentication.
Encryption can't function fully without authentication.
> The next step in my app is for the client to enter a user id and
> password, and the server will not proceed without verifying this.
But the client is willing to give that username and password to
anybody that's listening. It doesn't authenticate the server, so it
can be very easily tricked into talking to someone else. Your system
is open to Man in the Middle attacks.
> However, I realise that security is not something to be trivialised,
> so if your recommendation is that I do complete the validation
> steps, I will try to understand that part of the documentation and
> apply that as well.
That is indeed my recommendation :)
Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
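
Added example, not part of the original message and not the library used in this thread: a client sketch with Python's standard ssl module that sends the login only over a context that authenticates the server. The function names and the "user, newline, password" wire format are assumptions made for illustration.

```python
import socket
import ssl


def encrypt_only_context():
    """Encrypts the channel but never checks who is on the other end."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx


def authenticating_context(cafile=None):
    """Verifies the chain against trusted CAs and matches the host name.

    cafile may point at a private CA bundle; None uses the system store.
    """
    return ssl.create_default_context(cafile=cafile)


def authentication_gaps(ctx):
    """Return the reasons this context would talk to an impostor."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not verified")
    if not ctx.check_hostname:
        gaps.append("certificate is not matched against the host name")
    return gaps


def send_login(host, port, user, password, ctx):
    """Send credentials only if the context authenticates the server."""
    gaps = authentication_gaps(ctx)
    if gaps:
        # Refuse before any socket is opened: nothing leaves the machine.
        raise ssl.SSLError("refusing to send credentials: " + "; ".join(gaps))
    with socket.create_connection((host, port), timeout=10) as raw:
        # The handshake raises SSLCertVerificationError on a bad certificate,
        # so sendall() is never reached when the peer is not the real server.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            # Hypothetical wire format: user id and password, one per line.
            tls.sendall(f"{user}\n{password}\n".encode())
            return tls.version()
```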