[8662] in cryptography@c2.net mail archive
Re: Another shining example of Microsoft "security".
daemon@ATHENA.MIT.EDU (vertigo)
Fri Apr 20 12:20:55 2001
Date: Fri, 20 Apr 2001 03:38:02 -0400 (EDT)
From: vertigo <vertigo@panix.com>
To: Enzo Michelangeli <em@who.net>
Cc: <cryptography@wasabisystems.com>, <coderpunks@toad.com>
In-Reply-To: <013901c0c8e7$7b3befa0$0200000a@emnb>
Message-ID: <Pine.NEB.4.33.0104200326090.2107-100000@panix2.panix.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Not that anyone checks the validity of their certs anyway.
There are a couple of companies with URL-rewriting proxies
who are able to pay (or used to pay) their programmers because
of this lack of concern. Actually, this sounds almost like a
feature (i.e. "Accept all certs", "Accept only certs that get
sent back to the originating server", "Do not accept certs") :)
vert
On Thu, 19 Apr 2001, Enzo Michelangeli wrote:
> I don't know if anybody already noticed, but Outlook Express (at least the
> version 5.5) blindly accepts any server certificate presented by a pop3s
> (POP3 over SSL) server, without trying to validate it against a
> locally-stored parent cert. This implies, for example, that roaming users
> won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
> a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).
>
> Enzo
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
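Enzo's point, as an added example that is not part of this thread or of any product named in it: a TLS client that validates the pop3s server's certificate against a locally stored copy refuses a different certificate presented by a man in the middle, while an accept-anything client (the Outlook Express 5.5 behaviour he describes) lets it through. Everything is assumed for the demonstration: Go's crypto/tls, a constructed server name pop.example.test, two freshly generated self-signed certificates standing in for the real server and the rogue ISP, and a loopback listener in place of a real POP3-over-SSL server.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert builds an in-memory self-signed cert for the constructed server name pop.example.test (fixture; errors ignored).
func newCert() tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "pop.example.test"},
		DNSNames: []string{"pop.example.test"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// pinnedClient trusts only the locally stored cert: the check the message says OE 5.5 skips.
func pinnedClient(trusted tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(trusted.Leaf)
	return &tls.Config{ServerName: "pop.example.test", RootCAs: pool}
}

// accepted runs one handshake against a loopback server presenting serverCert; false means the client refused it.
func accepted(serverCert tls.Certificate, client *tls.Config) (bool, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{serverCert}})
	if err != nil {
		return false, err
	}
	defer ln.Close()
	go func() { // server side: run its half of the handshake, then hang up
		if c, err := ln.Accept(); err == nil {
			c.(*tls.Conn).Handshake()
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil {
		return false, err // refused (x509.UnknownAuthorityError when pinned): the MiM is detected
	}
	conn.Close()
	return true, nil
}
```

Drive it from a test: accepted(rogue, pinnedClient(legit)) comes back false with an x509.UnknownAuthorityError, accepted(legit, pinnedClient(legit)) comes back true, and accepted(rogue, &tls.Config{InsecureSkipVerify: true}) also comes back true, which is the roaming user's blind spot.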