4.2) Isn't encrypt-only SSL open to "man-in-the-middle" attacks?




Description

This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.

Yes. Although SSL 3.0 defines an encrypt-only cipher suite (the
SSL_DH_anon_WITH_DES_CBC_SHA cipher suite), there are many possible
attacks against it, and some recommend against using it. SSL *MUST*
have strong server authentication or it becomes open to some attacks.
Netscape's browser and server products do not presently support
encrypt-only cipher suites for this reason.
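
The following is an added example, not part of the original FAQ. It uses a toy Diffie-Hellman exchange to show why an anonymous key exchange cannot notice substituted public values, while a server-signed exchange can. The group, the textbook-RSA key and every function name are constructed for illustration and do not reproduce SSL's actual message formats.

```python
import hashlib
import secrets

# Toy values constructed for this example; far too small for real use.
P, G = 2**127 - 1, 3                          # DH group (Mersenne prime modulus)
N, E = (2**107 - 1) * (2**89 - 1), 65537      # server's public textbook-RSA key
D = pow(E, -1, (2**107 - 2) * (2**89 - 2))    # server's private signing exponent

def keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def digest(pub):
    return int.from_bytes(hashlib.sha256(str(pub).encode()).digest(), "big") % N

def sign(pub):
    """Server side: sign its DH public value (simplified ServerKeyExchange)."""
    return pow(digest(pub), D, N)

def verify(pub, sig):
    """Client side: check the signature against the server's known (N, E)."""
    return pow(sig, E, N) == digest(pub)

def handshake(authenticated, interposed):
    """Return (client_accepts, endpoints_share_key, relay_holds_client_key)."""
    s_priv, s_pub = keypair()
    c_priv, c_pub = keypair()
    sig = sign(s_pub) if authenticated else None
    to_client, to_server, m_priv = s_pub, c_pub, None
    if interposed:
        # An on-path relay replaces both public values with its own. It does
        # not know D, so the best it can do is pass the original signature on.
        m_priv, m_pub = keypair()
        to_client = to_server = m_pub
    if authenticated and not verify(to_client, sig):
        return False, False, False            # client aborts the handshake
    client_key = pow(to_client, c_priv, P)
    server_key = pow(to_server, s_priv, P)
    relay_key = pow(c_pub, m_priv, P) if interposed else None
    return True, client_key == server_key, relay_key == client_key

if __name__ == "__main__":
    for auth in (False, True):
        for mitm in (False, True):
            print(f"authenticated={auth} interposed={mitm} ->", handshake(auth, mitm))
```

In the anonymous case the client completes the handshake even though its key is shared with the relay rather than the server; with the signature check the same substitution makes the client abort.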

 
