[5864] in cryptography@c2.net mail archive


Re: Is SSL dead?

daemon@ATHENA.MIT.EDU (EKR)
Fri Oct 8 19:54:37 1999

To: Bill Stewart <bill.stewart@pobox.com>
Cc: Greg Broiles <gbroiles@netbox.com>,
        "Phillip Hallam-Baker" <hallam@ai.mit.edu>,
        "Robert Hettinga" <rah@shipwright.com>, <dcsb@ai.mit.edu>,
        <cypherpunks@cyberpass.net>, <cryptography@c2.net>
From: EKR <ekr@rtfm.com>
Mime-Version: 1.0 (generated by tm-edit 7.108)
Content-Type: text/plain; charset=US-ASCII
Date: 08 Oct 1999 15:05:21 -0700
In-Reply-To: Bill Stewart's message of "Thu, 07 Oct 1999 09:57:28 -0700"
Message-ID: <kjhfk1y0da.fsf@romeo.rtfm.com>

Bill Stewart <bill.stewart@pobox.com> writes:

> At 04:35 PM 10/6/99 , Phillip Hallam-Baker wrote:
> >>This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT.
> >>It was fixed in SSL 3.0, that must be almost three years ago.
> >>The server certificate now binds the public key to a specific Web server
> >>address.
> 
> That means that you can only succeed against web-users whose browsers
> still accept SSL2.0, which is most Netscape users by default;

Actually, this really isn't an SSL version issue. Rather it's
an issue about how the browser checks the cert chain. I don't
know for certain, but I believe that Netscape and IE both check
the chain correctly both for SSLv2 and v3.

-- 
[Eric Rescorla                                   ekr@rtfm.com]
          PureTLS - free SSLv3/TLS software for Java
                http://www.rtfm.com/puretls/

