On Sat, Dec 02, 2000 at 01:28:02AM +0800, Ng Pheng Siong wrote:
> On Thu, Nov 30, 2000 at 01:16:31PM -0800, Eric Murray wrote:
> > Either don't connect from a non-SSL client, or connect and negotiate
> > when to start SSL. The former is preferred.
>
> Eh? I'd imagine "the latter is preferred"?

My reasoning is that an active attacker could change the bytes in
the insecure protocol to silently prevent it from negotiating to SSL.
If your protocol only works under SSL, then that's not possible.
--
Eric Murray Consulting Security Architect SecureDesign LLC
http://www.securedesignllc.com PGP keyid:E03F65E5
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
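
Added example, not part of the original message or of OpenSSL: a small Python model of the point made in the reply, comparing how three client policies end up when the unprotected part of the exchange is altered in transit. The `CAP UPGRADE` token, the greeting lines and the client function names are constructed for illustration, and the strict-upgrade client is a third policy that goes beyond the two options named in the thread.

```python
# Constructed model, not a real protocol: "CAP UPGRADE" is a made-up line
# standing in for any in-band "switch to SSL now" offer sent in the clear.
UPGRADE = "CAP UPGRADE"

class RefusedPlaintext(Exception):
    """The client will not continue without SSL."""

def server_greeting():
    # Sent unprotected, before SSL starts.
    return ["HELLO demo-server", UPGRADE, "CAP AUTH"]

def altered_in_transit(lines):
    # The same greeting after modification on the wire: the offer is gone
    # and nothing in the remaining lines shows that it was ever there.
    return [line for line in lines if line != UPGRADE]

def opportunistic_client(greeting):
    # Upgrades when offered, otherwise carries on in the clear.
    return "ssl" if UPGRADE in greeting else "plaintext"

def strict_upgrade_client(greeting):
    # Same negotiation, but a missing offer is an error, not a fallback.
    if UPGRADE not in greeting:
        raise RefusedPlaintext("no upgrade offered; closing connection")
    return "ssl"

def ssl_only_client(_greeting):
    # No plaintext phase: the first bytes are the SSL handshake, so there is
    # no offer to remove. Altered handshake bytes would abort the handshake
    # (not modelled here); they cannot produce a plaintext session.
    return "ssl"

def outcome(client, greeting):
    try:
        return client(greeting)
    except RefusedPlaintext:
        return "refused"

def compare():
    clean = server_greeting()
    altered = altered_in_transit(clean)
    clients = (opportunistic_client, strict_upgrade_client, ssl_only_client)
    return {c.__name__: (outcome(c, clean), outcome(c, altered)) for c in clients}

if __name__ == "__main__":
    for name, (clean, altered) in compare().items():
        print(f"{name:22} clean={clean:9} altered={altered}")
```

Only the opportunistic client reaches a plaintext session without any error being raised; the other two either refuse or never had a cleartext negotiation to lose.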