On Sat, Jan 23, 2010 at 5:01 PM, erik quanstrom <quans...@quanstro.net> wrote:
>> if the goal is avoiding ssl mitm attacks,
>> dns is the least of your worries. a mitm will
>> just take over the connection attempt for the
>> actual ip address.  the solution there is
>> to implement proper ssl certificate chain checking.
>
> doesn't work with the recent renegotiation bug.

disable renegotiation.

> but i don't
> think one can dismiss dns as a non-issue.

dns is a non-issue if the rest of ssl is working.
dns is irrelevant if it isn't.

russ
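
The chain and name check this exchange turns on, as an added Go example that is not part of the original thread: the client validates whatever certificate the peer presents against the host name it intended to reach and its own trusted roots, so a peer reached through a spoofed DNS answer or a hijacked IP address fails the check. The `signer` type, the `issue` and `check` helpers, the host names and both CAs are constructed for illustration; renegotiation is not covered here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type signer struct{ cert *x509.Certificate; key *ecdsa.PrivateKey }
// issue builds a constructed in-memory cert: nil parent = self-signed root, else a server cert.
func issue(name string, parent *signer) *signer {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
	}
	signCert, signKey := t, key
	if parent == nil {
		t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign
	} else {
		t.DNSNames, signCert, signKey = []string{name}, parent.cert, parent.key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, signCert, &key.PublicKey, signKey)
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &signer{cert, key}
}

// check validates the presented cert for host against the trusted root, ignoring how we got there.
func check(host string, presented *x509.Certificate, trusted *signer) error {
	roots := x509.NewCertPool()
	roots.AddCert(trusted.cert)
	_, err := presented.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

func main() {
	ca, rogue, host := issue("Constructed Root CA", nil), issue("Rogue CA", nil), "mail.example.test"
	for _, s := range []*signer{issue(host, ca), issue(host, rogue), issue("evil.example.test", ca)} {
		fmt.Println(s.cert.Subject.CommonName, "->", check(host, s.cert, ca))
	}
}
```

The second certificate carries the right name but chains to an untrusted root, and the third chains to the trusted root but names a different host; both are rejected.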
