Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?

From: paranoid paranoia <paranoid.paranoia_at_gmail.com>
Date: Wed, 28 Nov 2007 09:10:57 +0100

On 11/28/07, Dan Fandrich <dan_at_coneharvesters.com> wrote:
> On Wed, Nov 28, 2007 at 07:47:52AM +0100, paranoid paranoia wrote:
> > actually... that's more like a quick hack that happens to work for me,
> > since i set CURLOPT_SSL_VERIFYPEER to 0 after having spent a
> > few hours trying to force curl to *not* make any checks. ideally, if
> > the cipher spec only allows anonymous key exchange or pre-shared
> > keys, one shouldn't have to explicitly disable peer verification...
>
> I'm not so sure about that. Would that allow a man-in-the-middle attack to
> take place? The middleman would only need to use an anonymous key
> and the user would never know he wasn't connected to the desired server.

ok... i must apologize in advance if i may sound aggressive,
but which part of "anonymous" don't people understand?

if i choose to set my cipher list to "ADH+AES", i *know*
that the key exchange won't be authenticated, and -apparently-
i don't care.

we could start another discussion on how useful that is in reality;
and, there i'm with you 99% that this style of "opportunistic" or
"better-than-nothing" security is pretty deceiving,
but that's certainly not the point of the above...

--pp
Received on 2007-11-28