
4.2) Isn't encrypt-only SSL open to "man-in-the-middle" attacks?


This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel (SAppel@consensus.com), with numerous contributions by others.

Yes, even though SSL 3.0 defines an encrypt-only cipher suite (the
SSL_DH_anon_WITH_DES_CBC_SHA cipher suite), there are many possible
attacks against it, and some recommend against using it. SSL *MUST*
have strong server authentication or it becomes open to some attacks.
Netscape's browser and server products do not presently support
encrypt-only cipher suites for this reason.
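
Why the answer insists on server authentication, shown as a toy model of an anonymous Diffie-Hellman exchange with and without a signed server value. This is an added example, not part of the original FAQ; the group (p = 23, g = 5), the textbook RSA key and all function names are constructed for illustration.

```python
# Constructed toy values, far too small for real use, chosen so the run can be checked by hand.
P, G = 23, 5                              # toy Diffie-Hellman group
RSA_N, RSA_E, RSA_D = 3233, 17, 2753      # toy textbook RSA key held by the server


def dh_public(secret):
    return pow(G, secret, P)


def dh_shared(their_public, my_secret):
    return pow(their_public, my_secret, P)


def sign(value):
    # Textbook RSA on the raw value; real suites sign a hash of the handshake parameters.
    return pow(value, RSA_D, RSA_N)


def verify(value, signature):
    return pow(signature, RSA_E, RSA_N) == value


def handshake(client_secret, server_secret, relay_secret=None, authenticated=False):
    """Run one key exchange and return (client_key, server_key).

    relay_secret models a party on the path that replaces both public values.
    Raises ValueError when the client checks the server's signature and it fails.
    """
    server_pub = dh_public(server_secret)
    signature = sign(server_pub) if authenticated else None
    seen_by_client, seen_by_server = server_pub, dh_public(client_secret)
    if relay_secret is not None:
        seen_by_client = seen_by_server = dh_public(relay_secret)
    if authenticated and not verify(seen_by_client, signature):
        raise ValueError("server key-exchange signature does not verify")
    return dh_shared(seen_by_client, client_secret), dh_shared(seen_by_server, server_secret)


if __name__ == "__main__":
    print("anonymous, direct  :", handshake(6, 15))
    print("anonymous, relayed :", handshake(6, 15, relay_secret=13))
    print("signed, direct     :", handshake(6, 15, authenticated=True))
    try:
        handshake(6, 15, relay_secret=13, authenticated=True)
    except ValueError as err:
        print("signed, relayed    : rejected,", err)
```

In the relayed anonymous run the client and server finish with different keys, each one shared with the relay, and neither side sees an error; only the signed variant gives the client something to check.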

 
