
curl-library

Re: Does curl REALLY ignore CURLOPT_SSL_VERIFYPEER / CURLOPT_SSL_VERIFYHOST?

From: Daniel Stenberg <daniel_at_haxx.se>
Date: Wed, 28 Nov 2007 10:10:13 +0100 (CET)

On Wed, 28 Nov 2007, paranoid paranoia wrote:

>> I'm not so sure about that. Would that allow a man-in-the-middle attack to
>> take place? The middleman would only need to use an anonymous key and the
>> user would never know he wasn't connected to the desired server.
>
> ok... i must apologize in advance if i may sound aggressive, but which part
> of "anonymous" don't people understand?
>
> if i choose to set my cipher list to "ADH+AES", i *know* that the key
> exchange won't be authenticated, and -apparently- i don't care.

I assume Dan meant that if the _server_ requested anonymous and the client
would agree to that, it would be an easy way for a middle-man to sneak in a
server.

-- 
  Commercial curl and libcurl Technical Support: http://haxx.se/curl.html
Received on 2007-11-28