Another shining example of Microsoft "security"
Enzo Michelangeli
em at who.net
Thu Apr 19 11:41:42 EDT 2001
I don't know if anybody already noticed, but Outlook Express (at least the
version 5.5) blindly accepts any server certificate presented by a pop3s
(POP3 over SSL) server, without trying to validate it against a
locally-stored parent cert. This implies, for example, that roaming users
won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).
Enzo
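
As an added illustration (not part of the original post, and not Outlook Express code), the Python sketch below contrasts a TLS client configuration that accepts any server certificate with one that validates the chain against locally stored trust anchors and checks the hostname, and refuses to open a POP3-over-SSL session with the former. The function names are hypothetical; port 995 is the standard pop3s port.

```python
import poplib
import ssl


def verifying_context(cafile=None):
    """Validate the server chain against local trust anchors and check the hostname.

    cafile=None uses the platform's default CA store.
    """
    return ssl.create_default_context(cafile=cafile)


def accept_anything_context():
    """The behaviour described in the post: no chain validation, no name check."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be disabled before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx):
    """Return a list of findings for settings that leave a man-in-the-middle undetected."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain not validated: any certificate is accepted")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a valid certificate "
                        "issued for another name is accepted")
    return findings


def open_pop3s(host, port=995, ctx=None, timeout=10):
    """Open a pop3s session only if the TLS settings verify the server."""
    ctx = ctx or verifying_context()
    problems = audit_context(ctx)
    if problems:
        # Fail before any network traffic is sent.
        raise ValueError("refusing insecure TLS settings: " + "; ".join(problems))
    # With a verifying context, a certificate that does not chain to a local
    # trust anchor or does not match `host` raises ssl.SSLCertVerificationError.
    return poplib.POP3_SSL(host, port, timeout=timeout, context=ctx)
```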