Another shining example of Microsoft "security"

Enzo Michelangeli em at who.net
Thu Apr 19 11:41:42 EDT 2001


I don't know if anybody already noticed, but Outlook Express (at least
version 5.5) blindly accepts any server certificate presented by a pop3s
(POP3 over SSL) server, without trying to validate it against a
locally-stored parent cert. This implies, for example, that roaming users
won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).

Enzo





---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
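
The failure mode described in the post, as an added example that is not part of the original message: a Go client talks to a loopback pop3s-style listener, once with certificate checks disabled and once validating against a local root pool. The host name `mail.example.test`, the function names and the self-signed certificate are constructed for this illustration.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// untrustedServer: loopback TLS listener with a throwaway self-signed cert (constructed fixture).
func untrustedServer(host string) string {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			fmt.Fprint(c, "+OK POP3 ready\r\n") // TLS handshake runs on first write
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// greet connects like a pop3s client; it returns the greeting or the handshake error.
func greet(addr string, cfg *tls.Config) (string, error) {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer c.Close()
	return bufio.NewReader(c).ReadString('\n')
}

func main() {
	addr := untrustedServer("mail.example.test")
	fmt.Println(greet(addr, &tls.Config{InsecureSkipVerify: true})) // no validation: accepted
	fmt.Println(greet(addr, &tls.Config{ServerName: "mail.example.test", RootCAs: x509.NewCertPool()})) // local roots (empty here): rejected
}
```

The empty `RootCAs` pool stands in for a locally stored trust store that does not contain the presented certificate's issuer; a nil pool would fall back to the system roots instead.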



