Thor Simon tls@coyotepoint.com
Tue, 2 Nov 2010 15:12:40 GMT
On Tue, Nov 02, 2010 at 02:41:40AM +0000, Bryan Stansell wrote:
> On Mon, Nov 01, 2010 at 09:25:41PM -0400, Thor Simon wrote:
> > On Mon, Nov 01, 2010 at 11:41:26PM +0000, Bryan Stansell wrote:
> > >
> > > Well, if you provide the certificate, it needs to succeed its
> > > authenticity check. If you don't provide one at all, it falls back to
> > > an anonymous cipher (so, it's encrypted, but not authenticated and
> > > subject to man-in-the-middle).
> >
> > But anyone can man-in-the-middle the client by pretending to be a server
> > with no certificate, no?
>
> Isn't that what I said? ;-)

Well, not exactly. I can provide a certificate on the server side and
still be subject to a man-in-the-middle attack by an adversary who has no
certificate at all! That's not how I read what you wrote before, at
least.

Thor
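
The fallback discussed in this message, as a simplified model added here (it is not part of the original post, not the project's code, and not a real TLS handshake). The `Peer` and `Client` classes, the `allow_anonymous` switch and the CA name are assumptions made for illustration; the two suite names are standard OpenSSL cipher names.

```python
# Simplified model of suite selection; not a real TLS handshake.
from dataclasses import dataclass
from typing import List, Optional

ANON = "ADH-AES256-SHA"   # anonymous DH: encrypted, no certificate exchanged
AUTHED = "AES256-SHA"     # RSA-authenticated: peer must present a certificate


@dataclass
class Peer:
    name: str
    cert_issuer: Optional[str]  # None means the peer has no certificate

    def pick(self, offered: List[str]) -> Optional[str]:
        # A peer without a certificate can only complete an anonymous suite.
        wanted = AUTHED if self.cert_issuer else ANON
        return wanted if wanted in offered else None


@dataclass
class Client:
    trusted_ca: str
    allow_anonymous: bool  # hypothetical switch: offer anonymous suites as a fallback

    def offered(self) -> List[str]:
        return [AUTHED, ANON] if self.allow_anonymous else [AUTHED]

    def connect(self, peer: Peer) -> str:
        suite = peer.pick(self.offered())
        if suite is None:
            return "failed"            # no shared suite, handshake aborts
        if suite == ANON:
            return "unauthenticated"   # encrypted, but nothing was verified
        if peer.cert_issuer != self.trusted_ca:
            return "failed"            # certificate check rejects the peer
        return "authenticated"


# Constructed sample parties.
real_server = Peer("real-server", cert_issuer="Site CA")
interceptor = Peer("interceptor", cert_issuer=None)
fallback_client = Client(trusted_ca="Site CA", allow_anonymous=True)
strict_client = Client(trusted_ca="Site CA", allow_anonymous=False)

if __name__ == "__main__":
    for client in (fallback_client, strict_client):
        for peer in (real_server, interceptor):
            print(client.allow_anonymous, peer.name, client.connect(peer))
```

In this model the server's certificate only protects clients that refuse the anonymous suite; the client that offers it connects to the certificate-less peer without any check.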