SSL/TLS - am I doing it right?

Sybren Stuvel sybrenUSE at YOURthirdtower.com.imagination
Mon Mar 13 06:07:41 EST 2006


Frank Millman enlightened us with:
> The point of the exercise for me is encryption. I am not too worried
> about authentication.

Encryption can't function fully without authentication.

> The next step in my app is for the client to enter a user id and
> password, and the server will not proceed without verifying this.

But the client is willing to give that username and password to
anybody that's listening. It doesn't authenticate the server, so it
can be very easily tricked into talking to someone else. Your system
is open to Man in the Middle attacks.

> However, I realise that security is not something to be trivialised,
> so if your recommendation is that I do complete the validation
> steps, I will try to understand that part of the documentation and
> apply that as well.

That is indeed my recommendation :)

Sybren
-- 
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself? 
                                             Frank Zappa
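The two client setups contrasted in the reply above, written out with Python's standard ssl module as an added example (this is not code from the original thread or from either poster). The encrypt-only context accepts whatever certificate the peer presents, so a man in the middle can complete the handshake and read the username and password; the authenticated context requires a certificate chaining to a trusted CA whose name matches the intended host, and the handshake fails before any credential is sent. The optional CA bundle path, the LOGIN line and the audit helper are assumptions made for the illustration.

```python
"""Client-side TLS in Python's ssl module: the encryption-only configuration
beside the server-authenticated one, plus a small audit of a context."""
import socket
import ssl
from typing import Optional


def make_encrypt_only_context() -> ssl.SSLContext:
    """The 'I only care about encryption' setup.

    The handshake still derives session keys, but the client accepts any
    certificate (or none), so anyone on the path can terminate the TLS
    session, read the credentials and forward the traffic onward.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE  # accept any certificate, even none
    return ctx


def make_authenticated_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Server-authenticated setup.

    cafile: assumed path to a PEM bundle, e.g. the private CA that issued the
    server's certificate; with None the system trust store is used.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # create_default_context already sets both; restated so the intent is
    # visible to the reader and to audit_context() below.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the ways a client context fails to authenticate the server.

    An empty list means an impostor presenting the wrong certificate is
    rejected during the handshake.
    """
    findings = []
    if ctx.verify_mode == ssl.CERT_NONE:
        findings.append("verify_mode is CERT_NONE: peer certificate is not checked")
    elif ctx.verify_mode == ssl.CERT_OPTIONAL:
        findings.append("verify_mode is CERT_OPTIONAL: peer may omit its certificate")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any other name is accepted")
    return findings


def connect_and_login(host: str, port: int, ctx: ssl.SSLContext,
                      user: str, password: str, timeout: float = 5.0) -> bytes:
    """Open a TLS connection and send a constructed LOGIN line (hypothetical
    protocol). With the encrypt-only context the credentials go to whoever
    answers on the path; with the authenticated context wrap_socket raises
    ssl.SSLCertVerificationError before sendall() is reached."""
    raw = socket.create_connection((host, port), timeout=timeout)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        tls.sendall(f"LOGIN {user} {password}\n".encode())
        return tls.recv(1024)


if __name__ == "__main__":
    for name, ctx in (("encrypt-only", make_encrypt_only_context()),
                      ("authenticated", make_authenticated_context())):
        problems = audit_context(ctx)
        print(name, "->", problems or "server is authenticated")
```

Note the ordering constraint in make_encrypt_only_context(): the ssl module refuses to set verify_mode to CERT_NONE while check_hostname is still True, so code that "just turns verification off" has to disable the hostname check first, which is a useful thing to grep for when reviewing a client.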
