On Fri, Aug 30, 2002 at 06:58:00PM +0100, Andrew McDonald wrote:
> On a similar subject, there seem to be more than a few applications
> that have had "SSL/TLS support" added, but don't do any hostname
> checking against the certificate - leaving you open to
> man-in-the-middle attacks.
(speaking as an offender) Why is it that TLS libraries don't handle a lot of this simple validation on behalf of applications? Why is it that the sample gnutls code doesn't seem to include this check? Can you report bugs against broken packages with patches?

It seems like you've contributed a lot of mutt-specific code to handle certificate validation in the-right-way, but that the procedure is both generally useful and error-prone so should be centralized.

thanks,
-neil
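As an added illustration of the hostname check the quoted mail says applications leave out (example code written for this page, not code from mutt, gnutls or either correspondent): a minimal RFC 2818/6125-style comparison of the hostname the client connected to against the certificate's dNSName entries. It assumes those entries have already been extracted from the certificate with the TLS library's X.509 accessors; the sample list is constructed, and CN fallback and IP-address SANs are deliberately omitted.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Constructed sample: dNSName subjectAltName entries as the TLS library's
 * X.509 accessors would return them from a server certificate. */
const char *const SAMPLE_SANS[] = { "www.example.com", "*.example.org" };
const size_t SAMPLE_SANS_LEN = 2;

/* Case-insensitive equality (DNS names are case-insensitive). */
static bool str_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == '\0' && *b == '\0';
}

/* Match one certificate dNSName pattern against the requested host: exact
 * match, or a wildcard that is the entire leftmost label, stands in for
 * exactly one label, and is honoured only when at least two labels follow
 * it (so "*.com" cannot cover every .com host). */
bool dnsname_matches(const char *pattern, const char *host)
{
    if (strchr(pattern, '*') == NULL)
        return str_ieq(pattern, host);
    if (strncmp(pattern, "*.", 2) != 0 || strchr(pattern + 2, '*') != NULL)
        return false;                       /* "w*.example.com" is not a wildcard */
    if (strchr(pattern + 2, '.') == NULL)
        return false;                       /* "*.com" is too broad */
    const char *host_rest = strchr(host, '.');
    if (host_rest == NULL || host_rest == host)
        return false;                       /* host needs a non-empty first label */
    return str_ieq(pattern + 1, host_rest); /* ".example.org" vs ".example.org" */
}

/* The check the quoted mail says applications forget: does the name the
 * client connected to appear among the certificate's dNSNames? A miss means
 * the caller must abort the connection, not log and continue. */
bool cert_matches_host(const char *const *san_dnsnames, size_t n, const char *host)
{
    if (host == NULL || *host == '\0')
        return false;
    for (size_t i = 0; i < n; i++)
        if (dnsname_matches(san_dnsnames[i], host))
            return true;
    return false;
}
```

Without this comparison a valid certificate for any name the CA would issue satisfies the handshake, which is exactly the man-in-the-middle case Andrew describes.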