|Main Archive Page > Month Archives > full-disclosure-uk archives|
On Mon, 05 Jan 2009 11:25:58 PST, Tim said:
> Uh, no, actually CAs provide some weak assurance that the certificate is
> the real one and associated with that server. A self-signed one
> provides none. If you can't, in some way, authenticate the certificate
> then SSL is not any better than sending data plain text.
It's *slightly* better, in that it guards against passive sniffing attacks on the data in transit. You're right that it doesn't guard against an active MITM attack.