Neff Robert A <[EMAIL PROTECTED]> writes:
> You cannot snoop a secure https transaction without somehow
> pretending to be the destination host.  To do that requires
> the cert, which is public, and private key, which you will
> not have.

Sort of. You can certainly passively snoop an HTTP transaction.
There's no need to pose as the server.  Decrypting the traffic
requires, as you say, the private key, but not the certificate.

-Ekr

-- 
[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
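
Added example (not part of the original message or of OpenSSL): a toy model of an RSA key-exchange session, in which the client encrypts the premaster secret to the server's public key, showing that a recorded exchange can be decrypted offline with the private exponent alone and without the certificate or any impersonation of the server. The key, the key-derivation step and the stream cipher are constructed simplifications, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key built from two Mersenne primes; far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # server private exponent

def session_key(premaster: bytes, client_random: bytes, server_random: bytes) -> bytes:
    # Simplified stand-in for the TLS PRF: the key depends on the premaster
    # secret and on both randoms, which travel in the clear.
    return hmac.new(premaster, client_random + server_random, hashlib.sha256).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 keyed by offset); encrypt and decrypt are identical.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_session(request: bytes) -> dict:
    """Return what crosses the wire. The client uses only the public key (N, E).
    The server random is generated here too, purely to keep the model short."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    premaster = secrets.token_bytes(16)
    encrypted_premaster = pow(int.from_bytes(premaster, "big"), E, N)
    key = session_key(premaster, client_random, server_random)
    return {"client_random": client_random, "server_random": server_random,
            "encrypted_premaster": encrypted_premaster,
            "record": xor_stream(key, request)}

def passive_decrypt(capture: dict, d: int, n: int) -> bytes:
    """Decrypt a recorded session offline; needs d, never the certificate."""
    premaster = pow(capture["encrypted_premaster"], d, n).to_bytes(16, "big")
    key = session_key(premaster, capture["client_random"], capture["server_random"])
    return xor_stream(key, capture["record"])

if __name__ == "__main__":
    capture = client_session(b"GET /account HTTP/1.0\r\n\r\n")  # constructed request
    print(passive_decrypt(capture, D, N))
```

This models RSA key transport only; in cipher suites that use ephemeral Diffie-Hellman the server key signs the exchange instead of encrypting the premaster secret, so the private key does not decrypt a recorded session in this way.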