Another shining example of Microsoft "security".

Enzo Michelangeli em at
Fri Apr 20 04:10:04 EDT 2001

Why? Proxies for HTTPS do not touch the encrypted data, using the "CONNECT"
mechanism described in a draft by A. Luotonen (don't know if it eventually
became an RFC) and therefore are not involved in authentication issues.
Which is the right way to do it, as good crypto should always work

Besides, the fact that many users don't check the validity of the certs
presented by the other side is a disgrace, and should not be encouraged by
distributing broken software.


----- Original Message -----
From: "vertigo" <vertigo at>
To: "Enzo Michelangeli" <em at>
Cc: <cryptography at>; <coderpunks at>
Sent: Friday, April 20, 2001 3:38 PM
Subject: Re: Another shining example of Microsoft "security".

> Not that anyone checks the validity of their certs anyway.
> There are a couple of companies with url-rewriting proxies
> who are able to pay (or used to pay) their programmers because
> of this lack of concern. Actually, this sounds almost like a
> feature (i.e. "Accept all certs", "Accept only certs that get
> sent back to the originating server", "Do not accept certs")   :)
> vert
> On Thu, 19 Apr 2001, Enzo Michelangeli wrote:
> > I don't know if anybody already noticed, but Outlook Express (at least
> > version 5.5) blindly accepts any server certificate presented by a pop3s
> > (POP3 over SSL) server, without trying to validate it against a
> > locally-stored parent cert. This implies, for example, that roaming
> > won't be able to detect MiM attacks, very easy to mount for a rogue ISP
> > a NAT-capable unit (like, nowadays, almost any router, or even a Linux
> >
> > Enzo
> >
> > ---------------------------------------------------------------------
> > The Cryptography Mailing List
> > Unsubscribe by sending "unsubscribe cryptography" to majordomo at

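The pop3s behaviour discussed in this thread, shown as client-side TLS settings. This is an added example, not part of the original messages: it uses Python's standard `ssl` and `poplib` modules, and the function names (`permissive_context`, `validating_context`, `audit_context`, `open_pop3s`) are hypothetical. It puts an "accept any certificate" configuration beside one that validates the chain against locally stored trust anchors, with a check that reports why a given configuration cannot detect a man in the middle.

```python
import poplib
import ssl


def permissive_context():
    """Client settings equivalent to the behaviour described in the thread:
    whatever certificate the pop3s server presents is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # chain is never validated
    return ctx


def validating_context(cafile=None):
    """Validate the chain against local trust anchors and match the host name.
    cafile (assumption: a PEM bundle path) pins a private CA; None uses the
    system trust store."""
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)


def audit_context(ctx):
    """Return the reasons this context cannot detect a man in the middle."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate chain is not validated")
    if not ctx.check_hostname:
        problems.append("certificate is not matched against the host name")
    return problems


def open_pop3s(host, port=995, cafile=None, timeout=10):
    """Open a POP3-over-SSL session that fails closed: an untrusted or
    mismatched certificate raises ssl.SSLCertVerificationError before any
    credentials are sent."""
    ctx = validating_context(cafile)
    problems = audit_context(ctx)
    if problems:
        raise RuntimeError("refusing to connect: " + "; ".join(problems))
    return poplib.POP3_SSL(host, port, context=ctx, timeout=timeout)


if __name__ == "__main__":
    for name, ctx in (("permissive", permissive_context()),
                      ("validating", validating_context())):
        print(name, "->", audit_context(ctx) or "ok")
```

`open_pop3s` is not called here because it needs a reachable server; the two contexts can be audited offline.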