On Fri 26/12/2008, mouss said
> 
> it's not required. but if you don't verify the cert, then you trust DNS.
> so a DNS attack (poisoning, ...) would make him send passwords to the
> wrong server.

But if you want to verify the cert, the standard way of trusting any CA just
because it appears in the default lists for OSes is also wrong. Those CAs have
done nothing to build this trust. The only way would be to get the
certificate directly from google, and not by electronic means...

The validation part of SSL works if SSL is correctly used, but NOT in the 
standard modus of operation.

-- 
Erwan
