On Sat, Jan 23, 2010 at 5:01 PM, erik quanstrom <quans...@quanstro.net> wrote:
>> if the goal is avoiding ssl mitm attacks,
>> dns is the least of your worries. a mitm will
>> just take over the connection attempt for the
>> actual ip address. the solution there is
>> to implement proper ssl certificate chain checking.
>
> doesn't work with the recent renegotiation bug.

disable renegotiation.

> but i don't
> think one can dismiss dns as a non-issue.

dns is a non-issue if the rest of ssl is working.
dns is irrelevant if it isn't.

russ
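
Added example, not part of the original message or of any code from this thread: a client written with Python's standard `ssl` module that treats the resolver's answer as untrusted, validates the certificate chain against the requested name, and refuses renegotiation. The function names `hardened_client_context` and `connect_verified` are hypothetical, and `OP_NO_RENEGOTIATION` is only present when Python is built against OpenSSL 1.1.0h or newer.

```python
import socket
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client context: full chain validation, name check, no renegotiation."""
    ctx = ssl.create_default_context()       # loads the system trust roots
    ctx.check_hostname = True                # leaf cert must name the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED      # chain must end at a trusted root
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Refuse renegotiation on TLS 1.2 (TLS 1.3 has none). getattr() keeps
    # this working on builds where the flag is missing (it then adds 0).
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


def connect_verified(hostname: str, untrusted_ip: str, port: int = 443) -> dict:
    """Connect to whatever address the resolver returned, but authenticate
    the peer against `hostname`, not against the address.

    Raises ssl.SSLCertVerificationError when the peer cannot present a valid
    chain for `hostname`, regardless of where DNS pointed the connection.
    """
    ctx = hardened_client_context()
    with socket.create_connection((untrusted_ip, port), timeout=10) as raw:
        # server_hostname drives both SNI and the certificate name check.
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "subject": cert["subject"]}
```

With this setup a spoofed DNS answer can only make the handshake fail; it cannot make the client accept a peer that lacks a valid certificate for the requested name.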