On Thu, Jul 25, 2002 at 01:31:27PM -0400, Charlie Brady <[EMAIL PROTECTED]> wrote:
> 
> I don't see why "use SSL if it is available, but fall back to cleartext 
> if that's all there is" isn't a reasonable option. I don't see how it is 
> any worse than just using cleartext. 

It makes for a trivial MITM attack -- make the client unable to
successfully negotiate SSL, and you're rewarded with a cleartext
password.

(Imagine ssh falling back to telnet if host key negotiation failed,
but without telling you that it did so.)

   -Rich 

-- 
------------------------------ Rich Lafferty ---------------------------
 Systems Administrator/Support Engineer, Network Server Solutions Group
    Mitel Networks, Ottawa, ON                 +1 613 592 2122 (x2513)
---------------------------- [EMAIL PROTECTED]  ------------------------
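The downgrade Rich describes, simulated end to end as an added example (this is not code from the thread or from the list's software). It is a toy SMTP-style exchange with an in-memory "wire": an honest server that advertises STARTTLS, a hypothetical on-path attacker that does nothing but delete the STARTTLS capability line, and a client with either the "use SSL if available, else fall back to cleartext" policy or a "require TLS" policy. The credential, host names and exchange are all constructed for illustration.

```python
"""Simulate STARTTLS stripping against an opportunistic client versus a
client that refuses to authenticate without TLS.

Constructed example: no real network I/O, no real TLS; setting
Wire.encrypted stands in for a completed handshake.
"""
import base64
from dataclasses import dataclass, field

PASSWORD = "hunter2"  # constructed sample credential


class Server:
    """Honest server: advertises STARTTLS (if configured) and accepts AUTH PLAIN."""

    def __init__(self, offers_tls: bool = True):
        self.offers_tls = offers_tls

    def handle(self, line: str) -> str:
        if line.startswith("EHLO"):
            caps = ["250-mail.example.test", "250-AUTH PLAIN"]
            if self.offers_tls:
                caps.append("250-STARTTLS")
            caps.append("250 OK")
            return "\r\n".join(caps)
        if line == "STARTTLS":
            return "220 Ready to start TLS"
        if line.startswith("AUTH PLAIN "):
            return "235 Authentication successful"
        return "500 Unknown command"


class StrippingMitm:
    """Hypothetical active attacker between client and server. It relays
    everything unchanged except that it removes the STARTTLS capability, so
    the client is 'unable to successfully negotiate SSL'."""

    def __init__(self, upstream):
        self.upstream = upstream

    def handle(self, line: str) -> str:
        reply = self.upstream.handle(line)
        return "\r\n".join(l for l in reply.split("\r\n") if l != "250-STARTTLS")


@dataclass
class Wire:
    """Records each client->server line as a passive observer on the path sees it."""
    peer: object
    encrypted: bool = False
    observed: list = field(default_factory=list)

    def send(self, line: str) -> str:
        # After TLS is up an on-path observer only sees ciphertext.
        self.observed.append("<ciphertext>" if self.encrypted else line)
        return self.peer.handle(line)


def run_client(peer, require_tls: bool) -> dict:
    """Authenticate with AUTH PLAIN. With require_tls=False the client silently
    falls back to cleartext when STARTTLS is not advertised (the policy under
    debate); with require_tls=True it aborts instead."""
    wire = Wire(peer)
    caps = wire.send("EHLO client.example.test").split("\r\n")
    if "250-STARTTLS" in caps:
        wire.send("STARTTLS")
        wire.encrypted = True  # stand-in for a completed TLS handshake
    elif require_tls:
        return {"authenticated": False, "observed": wire.observed,
                "error": "server did not offer STARTTLS; refusing to send credentials"}
    token = base64.b64encode(f"\x00user\x00{PASSWORD}".encode()).decode()
    wire.send(f"AUTH PLAIN {token}")
    return {"authenticated": True, "observed": wire.observed, "error": None}


def password_leaked(result: dict) -> bool:
    """True if the password was recoverable from what the observer saw."""
    for line in result["observed"]:
        if line.startswith("AUTH PLAIN "):
            decoded = base64.b64decode(line[len("AUTH PLAIN "):]).decode()
            if PASSWORD in decoded:
                return True
    return False


if __name__ == "__main__":
    for label, peer, strict in [
        ("opportunistic, no attacker", Server(), False),
        ("opportunistic, STARTTLS stripped", StrippingMitm(Server()), False),
        ("require TLS, STARTTLS stripped", StrippingMitm(Server()), True),
    ]:
        r = run_client(peer, strict)
        print(f"{label}: authenticated={r['authenticated']} leaked={password_leaked(r)}")
```

The opportunistic client cannot tell the stripped exchange from a server that never supported TLS, which is the point of the ssh-to-telnet analogy: the user gets no signal that the fallback happened. The strict client fails closed and the attacker learns nothing beyond the EHLO.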

--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
