Re: Netscape's use of SSL
Paul Snively (psnively@earthlink.net)
Sun, 07 Nov 1999 11:19:12 -0800

Norm Hardy wrote:

> It is tedious to check the cert on each URL reference (about 10 sec when
> you remember exactly how). Commonly the "name on the cert" is the domain name
> from the URL. I have seen exceptions. The danger of not checking is DNS
> spoofing that directs the URL reference to a site with a cert, but not the
> one you planned to visit. The bogus site learns the swiss number and the jig is
> up.

Versions of BIND 8.2 or later provide facilities that make such man-in-the-middle attacks considerably less likely. Anyone who is serious about SSL/TLS security should take measures to ensure that Secure DNS is in operation on at least one server involved in the resolution chain.

Best,
Paul

--
Please reply to <mailto:psnively@earthlink.net> using PGP. My public key can
be found at <http://pgpkeys.mit.edu:11371>. PGP can be found at
<http://web.mit.edu/network/pgp.html>. Beginning 11/1/1999, unenciphered
e-mail will be immediately deleted unread. Thank you.
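
The manual check described in the quoted text above, comparing the "name on the cert" with the domain name from the URL, written out as an added example that is not part of the original message. It assumes certificate data in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the host names, certificates and function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
INTENDED = {
    "subject": ((("commonName", "bank.example"),),),
    "subjectAltName": (("DNS", "bank.example"), ("DNS", "*.bank.example")),
}
# A certificate that chains to a trusted CA but names a different site:
# what a DNS-spoofed connection would present.
OTHER = {"subject": ((("commonName", "other.example"),),)}


def cert_dns_names(cert):
    """Return the DNS names a certificate asserts."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the commonName is ignored
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive match; '*' counts only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) >= 3:
        return p[1:] == h[1:]  # wildcard covers exactly one label
    return p == h


def url_matches_cert(url, cert):
    """True only if the URL is https and its host is named by the cert."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False
    return any(name_matches(n, parts.hostname) for n in cert_dns_names(cert))


if __name__ == "__main__":
    url = "https://www.bank.example/obj/CONSTRUCTED-SECRET"
    print("intended site:", url_matches_cert(url, INTENDED))
    print("spoofed site: ", url_matches_cert(url, OTHER))
```

A client that runs this comparison before sending the request never discloses the secret part of the URL to a server whose certificate names some other host.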