Ian Eure wrote:
>> On Monday 13 June 2005 04:41 pm, LeVA wrote:
>> I don't see why it would be helpful, unless you're trying to keep your info
>> secret from a determined/resourceful attacker. But an attacker like that
>> would probably get it anyways.
>>
>> I use TLS & PLAIN, and encrypt/sign my messages with GPG for my business
>> email, and I think that's plenty secure for my needs.

That would make it very easy for a sniffer running ettercap for example to do a MiTM attack. And of course the certificate is changed a little, but 80% of users ignore this change and click yes on whatever is shown just to read their emails, not knowing what this could lead to. Also an attacker could alter that data the server sends so that it doesn't advertise cram-md5 as an authentication method but this is more advanced. Doing a simple MiTM in ettercap is script kiddie friendly.

Radu
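
An added example, not part of either poster's message: a client-side policy check that refuses to fall back when the AUTH advertisement has been altered or the TLS certificate did not verify. The function names, the `tls_verified` flag and the sample EHLO replies are constructed for illustration.

```python
# Added example: client-side policy against an altered AUTH advertisement.
# Function names and the sample replies below are constructed for illustration.

def parse_ehlo(reply: str) -> dict:
    """Map each EHLO keyword (upper-cased) to its list of parameters."""
    ext = {}
    for line in reply.splitlines()[1:]:        # first line is the greeting
        if len(line) < 4 or not line.startswith("250"):
            continue
        words = line[4:].split()
        if words:
            ext[words[0].upper()] = [w.upper() for w in words[1:]]
    return ext


def choose_mechanism(reply: str, tls_verified: bool, required=None) -> str:
    """Return the SASL mechanism to use, or raise instead of downgrading."""
    offered = parse_ehlo(reply).get("AUTH", [])
    if required is not None:
        # Mechanism pinned in client configuration: its absence is an error,
        # not a reason to fall back to something weaker.
        if required.upper() not in offered:
            raise RuntimeError(f"{required} not advertised; possible downgrade")
        mech = required.upper()
    elif "CRAM-MD5" in offered:
        mech = "CRAM-MD5"
    elif "PLAIN" in offered:
        mech = "PLAIN"
    else:
        raise RuntimeError("no acceptable AUTH mechanism offered")
    # PLAIN and LOGIN put the password on the wire, so they are only allowed
    # inside a TLS session whose certificate actually verified.
    if mech in ("PLAIN", "LOGIN") and not tls_verified:
        raise RuntimeError(f"refusing {mech} without a verified TLS session")
    return mech


# Constructed EHLO replies: what the server sends, and the same reply with
# cram-md5 removed from the AUTH line in transit.
HONEST = "250-mail.example.org\r\n250-STARTTLS\r\n250-AUTH CRAM-MD5 PLAIN\r\n250 8BITMIME"
STRIPPED = "250-mail.example.org\r\n250-AUTH PLAIN\r\n250 8BITMIME"
```
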