> If there is an adequate answer, then you are correct. If there isn't, then
> both of us were wrong.
I believe I am correct. The SSL spec says very clearly that:
"One such encapsulated protocol, the SSL Handshake Protocol, allows the server and client to authenticate each other and to negotiate an encryption algorithm and cryptographic keys before the application protocol transmits or receives its first byte of data."
This seems pretty clear to me. If it wasn't so, then any secure web site on the net could be spoofed.