Another shining example of Microsoft "security"

Enzo Michelangeli em at
Thu Apr 19 11:41:42 EDT 2001

I don't know if anybody already noticed, but Outlook Express (at least the
version 5.5) blindly accepts any server certificate presented by a pop3s
(POP3 over SSL) server, without trying to validate it against a
locally-stored parent cert. This implies, for example, that roaming users
won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at

More information about the cryptography mailing list