At 04:35 PM 10/6/99 , Phillip Hallam-Baker wrote:
>>This is a problem with SSL 2.0 first discovered by Simon Spero then at EIT.
>>It was fixed in SSL 3.0, that must be almost three years ago.
>>The server certificate now binds the public key to a specific Web server
>>address.
That means that you can only succeed against web-users whose browsers
still accept SSL2.0, which is most Netscape users by default;
I don't know if IE also defaults to that, but it probably does.
Even if the https://www.target.com uses SSL3.0, the user isn't talking to it -
they're talking to https://www.attacker.com, which can use 2.0 if it wants.
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
