Re: SSL without verifying server certificate - Mailing list pgsql-jdbc

From d.wall@computer.org
Subject Re: SSL without verifying server certificate
Date
Msg-id 40317EB6.4070304@computer.org
In response to Re: SSL without verifying server certificate  (Oliver Jowett <oliver@opencloud.com>)
List pgsql-jdbc
> If you do this, you become vulnerable to man-in-the-middle attacks.
> Might as well just use an unencrypted connection in the first place.

Well, a man-in-the-middle attack is non-trivial since it typically means
stealing a domain name.  And with an encrypted channel, at least
userid/passwords are nicely encrypted as is the data in the database.  I
think a simple sniffer type attack is far easier.  But you are right
that having the client import the cert (or using a well-known CA signed
cert) is preferable.

David
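
As an added illustration of the trade-off discussed in this thread (not code from the thread or from the pgjdbc project), here are the two ways it shows up in a pgjdbc connection: one that encrypts but accepts any server certificate, and one that also verifies the certificate against a CA or server certificate imported on the client. The parameter names `ssl`, `sslmode`, `sslrootcert` and `sslfactory` are the driver's own; the host, database, user and certificate path are assumed placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

public class PgSslConfig {
    // Assumed placeholder: point this at your own server and database.
    static final String URL = "jdbc:postgresql://db.example.internal:5432/appdb";

    // Encrypted but unauthenticated: the driver accepts any server certificate.
    // This blocks passive sniffing of the password and data, but anyone who can
    // redirect the connection (the thread's domain-name example) can present
    // their own certificate and read everything. This is the option Oliver warns about.
    static Properties encryptedOnly(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        p.setProperty("sslfactory", "org.postgresql.ssl.NonValidatingFactory");
        return p;
    }

    // Encrypted and authenticated: the server certificate must chain to the CA
    // (or be the self-signed server certificate itself) stored in sslrootcert,
    // and its subject/SAN must match the host in the URL. This is the
    // "import the cert on the client" option David agrees is preferable.
    static Properties encryptedAndVerified(String user, String password, String rootCertPath) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("ssl", "true");
        p.setProperty("sslmode", "verify-full");    // fail on any chain or hostname mismatch
        p.setProperty("sslrootcert", rootCertPath); // PEM file copied to the client out-of-band
        return p;
    }

    public static void main(String[] args) throws SQLException {
        // Assumed placeholder path for the imported certificate.
        Properties props = encryptedAndVerified("app", System.getenv("PGPASSWORD"),
                                                "/etc/app/pg-root.crt");
        try (Connection c = DriverManager.getConnection(URL, props)) {
            System.out.println("connected with a verified server certificate");
        }
    }
}
```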
