> Thank you, David and Steve.
> Yes, it will be a big problem if someone spoofs DNS,
> but it can prevent man-in-the-middle attacks to some extent.

No, it cannot.

> If the DNS is sabotaged, what can we do?
> What should I believe? :-)

You should ignore the DNS entirely. If you receive a certificate signed by a trusted authority, you can believe that you are talking to the entity whose name appears in that certificate. All a man-in-the-middle can do in that case is break the connection.

I don't understand why you care about DNS at all. If you receive a certificate with a common name of 'foo.example.com', you are talking to 'foo.example.com', period. It doesn't matter what IP address you connected to, what connected to you, or what it resolves or doesn't resolve to.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
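The check David describes (trust the name in a chain-validated certificate, never the DNS answer), as an added example that is not from the post or from OpenSSL. It assumes the certificate has already passed chain validation and is presented in the dict shape Python's ssl.getpeercert() returns; the sample certificate and addresses are constructed. One caveat the post predates: clients today match the intended host against subjectAltName dNSName entries and fall back to the Common Name only when no SAN is present.

```python
from typing import List, Optional

# Constructed sample in the shape ssl.getpeercert() returns for a
# certificate whose chain already validated against a trusted CA.
SAMPLE_CERT = {
    "subject": ((("commonName", "foo.example.com"),),),
    "subjectAltName": (("DNS", "foo.example.com"), ("DNS", "*.example.com")),
}


def dns_name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard may only be
    the entire leftmost label of a name with at least two more labels."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> List[str]:
    """dNSName SANs; the Common Name is consulted only if no SAN exists (legacy)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def identity_matches(cert: dict, intended_host: str, resolved_ip: Optional[str] = None) -> bool:
    """True iff the validated certificate names the host the client set out to reach.

    resolved_ip is accepted only to make the point explicit: it is never used.
    Whatever DNS returned (or whatever an attacker made it return) plays no part
    in the decision; only intended name versus certificate name matters.
    """
    del resolved_ip  # deliberately ignored
    return any(dns_name_matches(name, intended_host) for name in cert_names(cert))


def connection_decision(cert: dict, intended_host: str, resolved_ip: Optional[str] = None) -> str:
    """What the client does next: the only outcome a spoofed DNS answer can
    force is 'abort', since it cannot produce a matching trusted certificate."""
    return "proceed" if identity_matches(cert, intended_host, resolved_ip) else "abort"
```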