Jan P. Kessler wrote:
> mouss wrote:
>> it's not required. but if you don't verify the cert, then you trust DNS.
>> so a DNS attack (poisoning, ...) would make him send passwords to the
>> wrong server.
>>
> <dramatic>
>
> If you use encryption you implicitly assume that there might be someone
> between you and the target system. Unfortunately that 'someone' may also
> perform MITM attacks in that position. The only possibility to get
> around this is to verify the identity of the target.
>
> So keep in mind that you should
>
> 1. always try to verify your target's identity
> or
> 2. not use encryption because it wastes CPU cycles for nothing
>
> </dramatic>
You may still want to encrypt a channel to avoid sniffing by "local" machines. Sniffing traffic is a lot easier than (active) MITM attacks. So no, encryption without verification is not a waste. (I'm not saying verification is useless. I'm saying there may be cases where verification may be problematic while encryption is still desirable.)
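The distinction the two posters are drawing, shown end to end as an added example (not code from either of them): a loopback TLS server presents a certificate for a constructed name `attacker.example.test`, while the client believes it is talking to `mail.example.test`, the situation a poisoned DNS answer produces. An encrypt-only client (no verification) completes the handshake and sends its password; a verifying client refuses, and verification succeeds again only when the name it expects matches the certificate. It assumes the `openssl` command-line tool is installed and uses only the Python standard library.

```python
import os, socket, ssl, subprocess, tempfile, threading

# Constructed names: where the client means to go vs. where DNS actually sent it.
INTENDED_HOST = "mail.example.test"
ACTUAL_HOST = "attacker.example.test"

def make_self_signed(cn, directory):
    # Throwaway self-signed cert/key via the openssl CLI (assumed to be installed).
    key, crt = os.path.join(directory, "key.pem"), os.path.join(directory, "cert.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-keyout", key, "-out", crt, "-subj", f"/CN={cn}",
                    "-addext", f"subjectAltName=DNS:{cn}"], check=True, capture_output=True)
    return crt, key

def serve_once(listener, crt, key):
    # The "wrong" server: accept one TLS connection and read whatever the client sends.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(64)
    except OSError:
        pass  # client aborted the handshake, so nothing was received

def try_login(port, ctx, expected_name):
    # True if the client completed the handshake and sent its password to this server.
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw, \
                ctx.wrap_socket(raw, server_hostname=expected_name) as tls:
            tls.sendall(b"PASS hunter2\r\n")
        return True
    except ssl.SSLCertVerificationError:
        return False

def run_demo():
    # Run three client policies against the wrong server; report which ones sent the password.
    with tempfile.TemporaryDirectory() as d:
        crt, key = make_self_signed(ACTUAL_HOST, d)
        results = {}
        for case in ("encrypt_only", "verify", "verify_right_name"):
            # The client even trusts that server's cert as an anchor, so only the name check remains.
            ctx = ssl.create_default_context(cafile=crt)
            if case == "encrypt_only":
                ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
            listener = socket.create_server(("127.0.0.1", 0))
            server = threading.Thread(target=serve_once, args=(listener, crt, key))
            server.start()
            name = ACTUAL_HOST if case == "verify_right_name" else INTENDED_HOST
            results[case] = try_login(listener.getsockname()[1], ctx, name)
            server.join()
            listener.close()
        return results
```

The encrypt-only session is still opaque to a passive sniffer on the path, which is the residual value mouss points to; what it cannot do is notice that the far end is the wrong host.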