Re: SSL without verifying server certificate

From: d(dot)wall(at)computer(dot)org
To: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: SSL without verifying server certificate
Date: 2004-02-17 02:38:46
Message-ID: 40317EB6.4070304@computer.org
Lists: pgsql-jdbc

> If you do this, you become vulnerable to man-in-the-middle attacks.
> Might as well just use an unencrypted connection in the first place.

Well, a man-in-the-middle attack is non-trivial since it typically means
stealing a domain name. And with an encrypted channel, at least
userid/passwords are nicely encrypted as is the data in the database. I
think a simple sniffer type attack is far easier. But you are right
that having the client import the cert (or using a well-known CA signed
cert) is preferable.

David
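As an added example (not part of the thread and not the pgjdbc project's own code), the two driver configurations being argued over, side by side: an encrypted-but-unverified connection, which is the case the quoted warning is about, and one that checks the server certificate against a CA file the client trusts, which is the "import the cert" option David calls preferable. The property names `sslmode`, `sslrootcert` and `sslfactory` are those of current pgjdbc and postdate this 2004 message, so treat them as an assumption about the driver version; the host name and CA path are placeholders.

```java
import java.util.Properties;

/**
 * Two pgjdbc connection property sets for comparison.
 * Property names are those of current pgjdbc (sslmode, sslrootcert,
 * sslfactory); this is an assumption about the driver version, the
 * 2004 driver the thread discusses did not have all of them.
 */
public final class PgSslProperties {

    /** Encrypts the channel but trusts any certificate the server presents. */
    public static Properties unverified(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        // NonValidatingFactory skips chain and hostname checks: a peer that
        // can redirect the TCP connection can present any certificate.
        p.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        return p;
    }

    /** Encrypts and verifies chain and hostname against a trusted CA file. */
    public static Properties verified(String user, String password, String caFile) {
        if (caFile == null || caFile.isEmpty()) {
            throw new IllegalArgumentException("verify-full needs a CA file to trust");
        }
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        // verify-full checks the certificate chain and that the host name
        // in the URL matches the certificate.
        p.setProperty("sslmode", "verify-full");
        p.setProperty("sslrootcert", caFile);
        return p;
    }

    /**
     * Configuration check: does this property set actually authenticate
     * the server? Only verify-full does; NonValidatingFactory or a weaker
     * sslmode means the channel is encrypted but the peer is unverified.
     */
    public static boolean authenticatesServer(Properties p) {
        String factory = p.getProperty("sslfactory", "");
        if (factory.endsWith("NonValidatingFactory")) {
            return false;
        }
        return "verify-full".equals(p.getProperty("sslmode"));
    }

    public static void main(String[] args) {
        // Placeholder values; no database is contacted here.
        Properties weak = unverified("app", "secret");
        Properties strong = verified("app", "secret", "/etc/ssl/certs/internal-ca.crt");
        System.out.println("unverified authenticates server: " + authenticatesServer(weak));
        System.out.println("verify-full authenticates server: " + authenticatesServer(strong));
        // To connect: DriverManager.getConnection(
        //     "jdbc:postgresql://db.example.internal:5432/app", strong);
    }
}
```

The `authenticatesServer` check is the kind of thing to run over a pooled data source's properties in a deployment test: an unverified configuration still encrypts credentials and data against the passive sniffing David mentions, but it does not tell the client which server it is talking to.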

