mouss wrote:
it's not required. but if you don't verify the cert, then you trust DNS.
so a DNS attack (poisoning, ...) would make him send passwords to the
wrong server.
<dramatic>

If you use encryption you implicitly assume that there might be someone between you and the target system. Unfortunately that 'someone' may also perform MITM attacks in that position. The only possibility to get around this is to verify the identity of the target.

So keep in mind that you should

1. always try to verify your target's identity
  or
2. not use encryption because it wastes CPU cycles for nothing

</dramatic>

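The point made in the message above, shown as TLS client configuration: an added example, not part of the original thread. It uses Python's standard `ssl` module; the function names are hypothetical.

```python
import ssl


def verified_client_context(ca_file=None):
    """Client context that authenticates the server: chain and hostname."""
    # create_default_context() sets CERT_REQUIRED and check_hostname=True.
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def encrypt_only_context():
    """Encrypts the channel but accepts any certificate from any peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def identity_gaps(ctx):
    """List the reasons this context cannot tell the intended server
    from whoever answers at the address DNS returned."""
    gaps = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        gaps.append("certificate chain is not validated")
    if not ctx.check_hostname:
        gaps.append("certificate name is not matched against the intended host")
    return gaps


def require_authenticated(ctx):
    """Refuse to proceed (e.g. before sending a password) on an unauthenticated channel."""
    gaps = identity_gaps(ctx)
    if gaps:
        raise ssl.SSLError("server identity unverified: " + "; ".join(gaps))
    return ctx


if __name__ == "__main__":
    for name, ctx in (("verified", verified_client_context()),
                      ("encrypt-only", encrypt_only_context())):
        print(name, identity_gaps(ctx) or "server identity is checked")
```

A context with `CERT_REQUIRED` but `check_hostname` disabled still reports one gap: a valid certificate issued for any other name would be accepted.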