- From: Simon Spero <ses@tipper.oit.unc.edu>
- Date: Fri, 10 Nov 1995 11:11:24 -0800 (PST)
- To: Ari Luotonen <luotonen@netscape.com>
- Cc: http-wg mailing list <http-wg%cuckoo.hpl.hp.com@hplb.hpl.hp.com>
One important security note that should be added to this draft: any client that supports this extension MUST perform some correlation between the requested hostname and the certificate returned in the SSL connection - otherwise the system becomes vulnerable to trivial Person-In-The-Middle attacks, with much less effort that conventional attacks. No currently deployed systems perform this checking; the next release of the Netscape 2 Beta does do the checking; previous versions are vulnerable. Simon ---- (defun modexpt (x y n) "computes (x^y) mod n" (cond ((= y 0) 1) ((= y 1) (mod x n)) ((evenp y) (mod (expt (modexpt x (/ y 2) n) 2) n)) (t (mod (* x (modexpt x (1- y) n)) n))))
Received on Friday, 10 November 1995 11:16:36 UTC