Another shining example of Microsoft "security".

vertigo vertigo at panix.com
Fri Apr 20 03:38:02 EDT 2001


Not that anyone checks the validity of their certs anyway.
There are a couple of companies with url-rewriting proxies
who are able to pay (or used to pay) their programmers because
of this lack of concern. Actually, this sounds almost like a
feature (i.e. "Accept all certs", "Accept only certs that get
sent back to the originating server", "Do not accept certs")   :)

vert


On Thu, 19 Apr 2001, Enzo Michelangeli wrote:

> I don't know if anybody already noticed, but Outlook Express (at least the
> version 5.5) blindly accepts any server certificate presented by a pop3s
> (POP3 over SSL) server, without trying to validate it against a
> locally-stored parent cert. This implies, for example, that roaming users
> won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
> a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).
>
> Enzo
>
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
>
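An added example, not part of either message above: what the missing validation looks like in a POP3-over-SSL client written with Python's standard `poplib` and `ssl` modules, next to the validating form. The function names (`lax_context`, `strict_context`, `audit`, `open_pop3s`) are hypothetical and chosen for illustration.

```python
import poplib
import ssl


def lax_context():
    """Client context that accepts any server certificate (the behaviour reported above)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation against any local parent cert
    return ctx


def strict_context(cafile=None):
    """Client context that requires a chain to a locally stored CA and a matching name."""
    # cafile=None uses the system trust store; pass a PEM file to pin a private CA.
    return ssl.create_default_context(cafile=cafile)


def audit(ctx):
    """Return the validation gaps in a client context; an empty list means none found."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("chain not verified against local trust store")
    if not ctx.check_hostname:
        gaps.append("server name not checked against certificate")
    return gaps


def open_pop3s(host, port=995, cafile=None):
    """Connect with validation on; raises ssl.SSLCertVerificationError if the
    certificate is untrusted or issued for a different name."""
    return poplib.POP3_SSL(host, port, context=strict_context(cafile), timeout=10)


if __name__ == "__main__":
    print("lax:   ", audit(lax_context()))
    print("strict:", audit(strict_context()))
```

A context that verifies the chain but has `check_hostname` off still reports one gap, since any certificate issued by a trusted CA for any name would be accepted.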



