Greg Stark wrote:
>As somebody stated there is difference between authentication and
>authorization. Servers should be protected from "man in the middle"
>attacks via "Access Control" software which authorize access to
>files, servers, etc. via a triple combination of keys:
>FQDN (fully qualified domain name), TCP-IP address and user name
>(UID in Unix).
None of those things provide any protection from man-in-the-middle attacks.
Just because I attempted to connect to 1.2.3.4, www.foo.com doesn't mean the
machine I'm actually talking to is 1.2.3.4, www.foo.com. You have to assume
the man in the middle has complete control over the middle.
DS
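The point DS makes is that the address you dialled says nothing about who answered; what binds an identity to the peer is a certificate chain you can verify, plus a check that the certificate is actually for the name you meant. The following is an added example, not part of this thread, using the openssl command line: it builds a throwaway CA ("Demo Root CA"), issues a certificate for www.foo.com, and then shows that verification against that CA with hostname matching accepts the legitimate certificate, rejects a certificate that merely claims the same name without being issued by the trusted CA, and rejects the legitimate certificate when the expected hostname differs. The CA name, file names and config sections are constructed for the demo; it assumes an openssl binary (1.1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Demonstrates that peer
# identity comes from certificate verification, not from the address dialled.
# Assumes: openssl 1.1.1+ on PATH. All names and files below are constructed.
set -e

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
cd "$work"

# Minimal self-contained config so the demo does not depend on the
# system openssl.cnf. Section names are our own.
cat > demo.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.foo.com
EOF

# 1. The CA the client trusts (constructed for this demo).
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
    -subj "/CN=Demo Root CA" -extensions v3_ca \
    -keyout ca.key -out ca.pem >/dev/null 2>&1

# 2. The legitimate server certificate for www.foo.com, issued by that CA.
openssl req -new -newkey rsa:2048 -nodes -config demo.cnf \
    -subj "/CN=www.foo.com" -keyout server.key -out server.csr >/dev/null 2>&1
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -extfile demo.cnf -extensions v3_server \
    -out server.pem >/dev/null 2>&1

# 3. A certificate that claims www.foo.com but was NOT issued by the trusted
#    CA. Anyone in the middle can produce one; only verification catches it.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config demo.cnf \
    -subj "/CN=www.foo.com" -extensions v3_server \
    -keyout other.key -out other.pem >/dev/null 2>&1

# verify_peer CERT HOSTNAME: exit 0 only if CERT chains to the trusted CA
# and its subjectAltName matches HOSTNAME; exit non-zero otherwise.
verify_peer() {
    openssl verify -CAfile ca.pem -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demonstration (the checks below are wrapped in "if" so that
# the expected failures do not trip "set -e").
if verify_peer server.pem www.foo.com; then
    echo "server.pem for www.foo.com: accepted (trusted chain, name matches)"
fi
if verify_peer other.pem www.foo.com; then
    echo "other.pem for www.foo.com: accepted (unexpected)"
else
    echo "other.pem for www.foo.com: rejected (not issued by trusted CA)"
fi
if verify_peer server.pem www.bar.com; then
    echo "server.pem for www.bar.com: accepted (unexpected)"
else
    echo "server.pem for www.bar.com: rejected (name does not match)"
fi
```

The same two conditions are what a TLS client must enforce on the certificate the peer presents: a chain to a CA it trusts and a subjectAltName that matches the name it intended to reach. Neither the destination IP nor the DNS name used to look it up appears anywhere in that decision, which is exactly why they give no protection on their own.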
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]