From: Alex Alten (Altenhome.com)
Date: Fri Jan 05 2001 - 21:48:09 CST
At 10:07 PM 1/5/2001 +0100, Daniel Roethlisberger wrote:
>>> A rumor over on the ipsec mailing list mentions that there is
>>> a sniff tool that can crack SSL. Would anyone here know anything
>>> at all about this? Is there a man-in-the-middle attack that
>>> doesn't require a trusted server certificate?
>It all boils down to: you do not need a trusted server
>certificate, but if you are using an untrusted cert, some clients
>(browsers) may pop up a window asking the user whether the cert
>is ok to use, while some other clients don't allow communicating
>with untrusted servers.
I guess things would get real interesting if the private key to a trusted
intermediate or root certificate authority got stolen and published. It
might take a while to update all the browsers out there to not accept it
as a valid signer of server certificates.