> Thank you, David and Steve.
> Yes, it will be a big problem if someone spoofs DNS,
> but it can prevent man-in-the-middle attacks to some extent.

        No, it cannot.

> If the DNS is sabotaged, what can we do?
> What should I believe? :-)

        You should ignore the DNS entirely. If you receive a certificate signed by
a trusted authority, you can believe that you are talking to the entity
whose name appears in that certificate. All a man-in-the-middle can do in
that case is break the connection.

        I don't understand why you care about DNS at all. If you receive a
certificate with a common name of 'foo.example.com', you are talking to
'foo.example.com', period. It doesn't matter what IP address you connected
to, or connected to you, or what it resolves or doesn't resolve to.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
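The decision DS describes, written out as an added Python example (not code from this thread or from OpenSSL): trust follows from the certificate chain validating to a trusted CA and the certificate's name matching the name the client intended to reach. The peer IP address is passed in only so the code can show it is never consulted. The certificate dicts are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`; `chain_ok` stands in for the chain validation assumed to have been done elsewhere; the name matching follows the usual RFC 6125 rules (exact match, or a wildcard only as the whole left-most label).

```python
"""Added example: deciding trust from the certificate's name, not from DNS.

Certificates below are constructed for illustration and follow the shape of
ssl.SSLSocket.getpeercert(). chain_ok is an assumed stand-in for the result of
chain validation against the trust store.
"""


def _name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly '*.example.com') against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, may stand for exactly
    # one label, and must leave at least two fixed labels ("*.com" is refused).
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert: dict) -> list:
    """DNS names the certificate is valid for: dNSName SANs, else the CN."""
    names = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Legacy fallback: consult commonName only when no dNSName SAN is present.
    return [value for rdn in cert.get("subject", ()) for (key, value) in rdn if key == "commonName"]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate covers the hostname the client asked for."""
    return any(_name_matches(n, hostname) for n in cert_names(cert))


def trust_decision(cert: dict, intended_hostname: str, peer_ip: str, chain_ok: bool) -> bool:
    """The whole decision: chain validates to a trusted CA AND the certificate
    names the host the client intended to reach.

    peer_ip is accepted only to make the point explicit: it is never consulted.
    Where DNS sent the TCP connection does not enter into the decision.
    """
    del peer_ip
    return chain_ok and cert_matches_hostname(cert, intended_hostname)


# Constructed sample certificates (not real; shape of getpeercert()).
CERT_FOO = {
    "subject": ((("commonName", "foo.example.com"),),),
    "subjectAltName": (("DNS", "foo.example.com"), ("DNS", "www.example.com")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CERT_OTHER = {  # a perfectly valid certificate, but issued for a different name
    "subject": ((("commonName", "other.example.net"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
CERT_CN_ONLY = {  # old-style certificate with no subjectAltName at all
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}

if __name__ == "__main__":
    # Same certificate reached via two different addresses: the answer does not change.
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, trust_decision(CERT_FOO, "foo.example.com", ip, chain_ok=True))
    # A valid certificate for some other name is rejected no matter where DNS led.
    print(trust_decision(CERT_OTHER, "foo.example.com", "203.0.113.5", chain_ok=True))
```

The point of the last call is the one DS makes: if DNS is spoofed and the client lands on a server presenting a valid certificate for some other name, the name check fails and the connection is refused. Spoofed DNS can only make the connection fail, not make the client believe it reached `foo.example.com`.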