> That kinda sucks, doesn't it?
>
> > Once again, using anonymous DH is a really terrible idea.
> > It leaves you completely open to active attack.
>
> That might be the case, but it's far better than no crypt at all.
> I could imagine the effect of using ADH is similar to using SSH without RSA.
> Or is it even worse?
Actually, using Anonymous DH is about as bad as using SSH (with or
without public authentication). Both leave you open to man in the
middle attacks in which you believe you are talking to the host you
desire, but really you are talking to the man in the middle who has
then established a connection to the host you want to chat with.
The attacker just sits there in the middle decrypting, storing, and
re-encrypting all of the data.
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
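The relay scenario described in the reply above, as an added example that is not part of the original thread: a toy Diffie-Hellman exchange run once anonymously and once with the server's public value authenticated by a long-term key the client already knows. The prime, generator and host key are constructed, and the HMAC stands in for a host signature (an assumption, not how mod_ssl or SSH actually authenticate).

```python
import hashlib
import hmac
import secrets

# Constructed toy group: Mersenne prime 2^127-1 with generator 2. Real
# deployments use standard 2048-bit+ groups; the shape of the exchange is the same.
P = (1 << 127) - 1
G = 2

def keypair():
    """Fresh DH private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def session_key(their_pub, my_priv):
    """Derive a session key from the shared secret g^(xy) mod p."""
    return hashlib.sha256(pow(their_pub, my_priv, P).to_bytes(16, "big")).digest()

def sign(host_key, pub):
    """Hypothetical host authentication: an HMAC over the DH public value keyed
    with a long-term secret the client already trusts (stand-in for a signature)."""
    return hmac.new(host_key, pub.to_bytes(16, "big"), hashlib.sha256).digest()

def run(relay, host_key=None):
    """One handshake between Alice (client) and Bob (server), optionally through
    an active relay. Reports whether the endpoints agree on a key, whether the
    relay can read both directions, and whether Alice detected tampering."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    tag = sign(host_key, b_pub) if host_key else None   # Bob authenticates his value
    if relay:
        # The relay runs a separate DH with each side and forwards its own values;
        # it cannot recompute Bob's tag because it does not hold host_key.
        r1_priv, r1_pub = keypair()   # relay's value towards Alice (posing as Bob)
        r2_priv, r2_pub = keypair()   # relay's value towards Bob (posing as Alice)
        seen_by_alice, seen_by_bob = r1_pub, r2_pub
        relay_keys = (session_key(a_pub, r1_priv), session_key(b_pub, r2_priv))
    else:
        seen_by_alice, seen_by_bob, relay_keys = b_pub, a_pub, None
    alice_key = session_key(seen_by_alice, a_priv)
    bob_key = session_key(seen_by_bob, b_priv)
    detected = False
    if host_key:
        # Authenticated case: Alice checks the tag against the value she received.
        detected = not hmac.compare_digest(sign(host_key, seen_by_alice), tag)
    return {
        "keys_match": alice_key == bob_key,
        "relay_reads_both": relay_keys == (alice_key, bob_key),
        "detected": detected,
    }
```

Anonymous DH with a relay yields two different keys, both known to the relay, and nothing for Alice to notice; only the authenticated run rejects the substituted value.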