On Thu, 25 Jul 2002, Rich Lafferty wrote:

> On Thu, Jul 25, 2002 at 01:31:27PM -0400, Charlie Brady <[EMAIL PROTECTED]> wrote:
> > 
> > I don't see why "use SSL if it is available, but fall back to cleartext 
> > if that's all there is" isn't a reasonable option. I don't see how it is 
> > any worse than just using cleartext. 
> 
> It makes for a trivial MITM attack -- make the client unable to
> successfully negotiate SSL, and you're rewarded with a cleartext
> password.

How is that worse than just using cleartext?

> (Imagine ssh falling back to telnet if host key negotiation failed,
> but without telling you that it did so.)

How is that worse than just using telnet?

--
Charlie Brady                         [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 592 5660 or 592 2122  Fax: +1 (613) 592 1175



--
Please report bugs to [EMAIL PROTECTED]
Please mail [EMAIL PROTECTED] (only) to discuss security issues
Support for registered customers and partners to [EMAIL PROTECTED]
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org
