Another shining example of Microsoft "security".

Enzo Michelangeli em at who.net
Fri Apr 20 04:10:04 EDT 2001


Why? Proxies for HTTPS do not touch the encrypted data, using the "CONNECT"
mechanism described in a draft by A. Luotonen (don't know if it eventually
became an RFC) and therefore are not involved in authentication issues.
Which is the right way to do it, as good crypto should always work
end-to-end.

Besides, the fact that many users don't check the validity of the certs
presented by the other side is a disgrace, and should not be encouraged by
distributing broken software.

Enzo

----- Original Message -----
From: "vertigo" <vertigo at panix.com>
To: "Enzo Michelangeli" <em at who.net>
Cc: <cryptography at wasabisystems.com>; <coderpunks at toad.com>
Sent: Friday, April 20, 2001 3:38 PM
Subject: Re: Another shining example of Microsoft "security".


> Not that anyone checks the validity of their certs anyway.
> There are a couple of companies with url-rewriting proxies
> who are able to pay (or used to pay) their programmers because
> of this lack of concern. Actually, this sounds almost like a
> feature (i.e. "Accept all certs", "Accept only certs that get
> sent back to the originating server", "Do not accept certs")   :)
>
> vert
>
>
> On Thu, 19 Apr 2001, Enzo Michelangeli wrote:
>
> > I don't know if anybody already noticed, but Outlook Express (at least the
> > version 5.5) blindly accepts any server certificate presented by a pop3s
> > (POP3 over SSL) server, without trying to validate it against a
> > locally-stored parent cert. This implies, for example, that roaming users
> > won't be able to detect MiM attacks, very easy to mount for a rogue ISP with
> > a NAT-capable unit (like, nowadays, almost any router, or even a Linux box).
> >
> > Enzo
> >
>
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
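The two points the thread makes (a POP3S client must validate the server certificate itself, and an HTTPS proxy only opens a CONNECT tunnel and never sees the TLS data) as an added Python example that is not part of the original posts. The host name pop.example.net, the `audit_context` check and the proxy reply samples are constructed here for illustration.

```python
import re
import socket
import ssl


def make_pop3s_context(cafile=None):
    """Client context that does what the thread says Outlook Express 5.5 skips:
    validate the server chain against locally stored CA certs and check that
    the cert actually names the host we asked for (defeats a NAT-box MITM)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx):
    """Return the settings that would make a client accept any server cert."""
    problems = []
    if ctx.verify_mode == ssl.CERT_NONE:
        problems.append("verify_mode=CERT_NONE: chain is never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname=False: cert may belong to anyone")
    return problems


# Proxy reply to CONNECT: any 2xx status line means the tunnel is open.
_CONNECT_OK = re.compile(rb"^HTTP/1\.[01] 2\d\d\b")


def build_connect_request(host, port):
    """CONNECT request as in the Luotonen draft; the proxy then just relays bytes."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()


def parse_connect_reply(reply):
    """True if the proxy accepted the tunnel, False on 407, 403, 5xx, garbage."""
    return _CONNECT_OK.match(reply) is not None


def pop3s_through_proxy(proxy_sock, host, port=995, ctx=None):
    """Open the tunnel, then run TLS end-to-end to the POP3S server through it.
    The proxy never sees plaintext; certificate checking still happens here."""
    proxy_sock.sendall(build_connect_request(host, port))
    reply = b""
    while b"\r\n\r\n" not in reply:
        chunk = proxy_sock.recv(4096)
        if not chunk:
            raise ConnectionError("proxy closed the connection before replying")
        reply += chunk
    if not parse_connect_reply(reply):
        raise ConnectionError("proxy refused CONNECT: %r" % reply.split(b"\r\n", 1)[0])
    # server_hostname is what makes check_hostname meaningful.
    return (ctx or make_pop3s_context()).wrap_socket(proxy_sock, server_hostname=host)
```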