On Tue, Oct 02, 2007 at 08:01:25PM +0200, Andreas Hellstr?m wrote:

> David, thank you for answering. I really appreciate it as a newbie in
> the SSL arena.
> 
> As for the need of encryption, I didn't want the username/password to
> be sent in clear.

Because you are concerned about the network not being secure, in which
case you should likely also be concerned about clients reaching not the
server, but an impostor using "dsniff", poisoning DNS caches, ... And
so you need to authenticate, not just encrypt.

If the only realistic attacks on your network are packet capture and
not active attacks, then encryption suffices.

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
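
Added example, not part of the original thread: the distinction drawn in the reply above (encryption alone stops passive capture, authentication is what stops an impostor server), shown as client-side settings in Python's `ssl` module, which wraps OpenSSL. The function names are hypothetical; `audit` reports what a given client context fails to authenticate.

```python
import ssl

def encrypt_only_context() -> ssl.SSLContext:
    """Weak: the channel is encrypted, but any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # no server authentication at all
    return ctx

def chain_only_context() -> ssl.SSLContext:
    """Partial: the chain is verified, but not the name it was issued to."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    return ctx

def authenticated_context(cafile=None) -> ssl.SSLContext:
    """Corrected: verify the chain against trusted CAs and match the hostname."""
    return ssl.create_default_context(cafile=cafile)

def audit(ctx: ssl.SSLContext) -> list:
    """Return the authentication gaps of a client-side context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate not verified: encrypts to whoever answers")
    if not ctx.check_hostname:
        findings.append("hostname not checked: a certificate for another name passes")
    return findings

if __name__ == "__main__":
    for build in (encrypt_only_context, chain_only_context, authenticated_context):
        gaps = audit(build())
        print(f"{build.__name__}: {gaps or 'server is authenticated'}")
```

A connection made with `authenticated_context()` must also pass `server_hostname=` to `wrap_socket` so the name check has something to compare against.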
