On Thu, Jul 25, 2002 at 01:31:27PM -0400, Charlie Brady <[EMAIL PROTECTED]> wrote:
>
> I don't see why "use SSL if it is available, but fall back to cleartext
> if that's all there is" isn't a reasonable option. I don't see how it is
> any worse than just using cleartext.

It makes for a trivial MITM attack -- make the client unable to
successfully negotiate SSL, and you're rewarded with a cleartext
password. (Imagine ssh falling back to telnet if host key negotiation
failed, but without telling you that it did so.)

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Systems Administrator/Support Engineer, Network Server Solutions Group
 Mitel Networks, Ottawa, ON                      +1 613 592 2122 (x2513)
---------------------------- [EMAIL PROTECTED] ------------------------
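
Added example, not part of the original message: a small model of the two client policies discussed in this thread, assuming a STARTTLS-style protocol in which the server advertises TLS in a capability line. The capability format, the `login` helper and the sample greetings are constructed for illustration.

```python
from dataclasses import dataclass, field

class DowngradeRefused(Exception):
    """TLS was required but could not be negotiated."""

@dataclass
class Session:
    policy: str                                   # "fallback" or "require"
    sent: list = field(default_factory=list)      # (channel, data) pairs emitted
    warnings: list = field(default_factory=list)  # what the user gets told

def parse_capabilities(line: str) -> set:
    # Constructed format for this example: "CAPABILITY AUTH=PLAIN STARTTLS"
    return {tok.upper() for tok in line.split()[1:]}

def login(session: Session, capability_line: str, handshake_ok: bool,
          user: str, password: str) -> str:
    """Send credentials according to session.policy; return the channel used."""
    tls = "STARTTLS" in parse_capabilities(capability_line) and handshake_ok
    if not tls:
        if session.policy == "require":
            # Fail closed: no secret leaves the client.
            raise DowngradeRefused("TLS unavailable; credentials not sent")
        # Fallback policy: at minimum the user must be told.
        session.warnings.append("TLS unavailable; password sent in cleartext")
    channel = "tls" if tls else "cleartext"
    session.sent.append((channel, f"LOGIN {user} {password}"))
    return channel

# Constructed sample greetings. The client cannot tell a server that never
# offered TLS from a path that dropped the advertisement: both look like this.
WITH_TLS = "CAPABILITY AUTH=PLAIN STARTTLS"
WITHOUT_TLS = "CAPABILITY AUTH=PLAIN"

def compare_policies() -> dict:
    """Run both policies against the greeting that lacks STARTTLS."""
    results = {}
    for policy in ("fallback", "require"):
        s = Session(policy)
        try:
            outcome = login(s, WITHOUT_TLS, True, "alice", "example-pw")
        except DowngradeRefused:
            outcome = "refused"
        results[policy] = (outcome, len(s.sent))
    return results

if __name__ == "__main__":
    print(compare_policies())
```

Because the missing advertisement is indistinguishable from a server without TLS, only the "require" policy keeps the password off the wire in that case.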