[8661] in cryptography@c2.net mail archive
Another shining example of Microsoft "security"
daemon@ATHENA.MIT.EDU (Enzo Michelangeli)
Thu Apr 19 20:10:20 2001
Message-ID: <013901c0c8e7$7b3befa0$0200000a@emnb>
From: "Enzo Michelangeli" <em@who.net>
To: <cryptography@wasabisystems.com>, <coderpunks@toad.com>
Date: Thu, 19 Apr 2001 23:41:42 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: 7bit
I don't know if anybody already noticed, but Outlook Express (at least
version 5.5) blindly accepts any server certificate presented by a pop3s
(POP3 over SSL) server, without trying to validate it against a
locally-stored parent cert. This implies, for example, that roaming users
won't be able to detect MiM attacks, which are very easy to mount for a rogue ISP with
a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).
Enzo
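The failure mode described in the post, shown from the defender's side as an added example (not code from the post or from Microsoft): a minimal POP3-over-TLS client whose context validates the server chain against the local CA store and checks the certificate name, next to the "accept anything" configuration that lets an interposed certificate pass unnoticed. The host name `mail.example.net` and port 995 are placeholders.

```python
import socket
import ssl

POP3S_PORT = 995  # standard POP3-over-TLS port (assumption: the server listens here)


def build_pop3s_context(validate: bool = True) -> ssl.SSLContext:
    """Build a TLS client context for POP3S.

    validate=True  -> verify the server chain against the local CA store and
                      check that the certificate name matches the host.
    validate=False -> the behaviour the post complains about: any certificate,
                      including one presented by a rogue ISP in the path, is accepted.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    if not validate:
        ctx.check_hostname = False      # must be cleared before dropping verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_validates_server(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if the context verifies both the chain and the hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def pop3s_greeting(host: str, ctx: ssl.SSLContext, port: int = POP3S_PORT,
                   timeout: float = 10.0) -> str:
    """Open a POP3S session and return the server greeting.

    With a validating context, a certificate that does not chain to a trusted CA or
    does not name the host raises ssl.SSLCertVerificationError before any credentials
    are sent; with validate=False the handshake silently succeeds.
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            greeting = tls.recv(512).decode("ascii", errors="replace").strip()
            if not greeting.startswith("+OK"):
                raise RuntimeError(f"unexpected POP3 greeting: {greeting!r}")
            tls.sendall(b"QUIT\r\n")
            return greeting


if __name__ == "__main__":
    # Usage (needs network): python pop3s_check.py mail.example.net
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.net"  # placeholder host
    try:
        print(pop3s_greeting(target, build_pop3s_context(validate=True)))
    except ssl.SSLCertVerificationError as exc:
        print("certificate rejected (interception or server misconfiguration):", exc)
```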
---------------------------------------------------------------------
The Cryptography Mailing List