The distinct and important difference is that at least one party would be
able to figure out that something odd is happening when integrity is
available, where it is much more difficult when integrity isn't present.
-=R
On Tue, Nov 19, 2013 at 4:43 PM, Poul-Henning Kamp <phk@phk.freebsd.dk> wrote:
> In message <CAP+FsNdjAVz8T3Dr895kwiZrnQv18YDJb1zyGECLZ-ct_EdXUg@mail.gmail.com>, Roberto Peon writes:
>
> >The bigger problem is that the proxy might prevent the negotiation from
> >occurring.
>
> ...In which case it is very likely also blocking any attempt to avoid
> using the proxy, so your end-to-end attempt is not going to work either.
>
> Or if it works, it's probably on a trojaned cert.
>
> --
> Poul-Henning Kamp | UNIX since Zilog Zeus 3.20
> phk@FreeBSD.ORG | TCP/IP since RFC 956
> FreeBSD committer | BSD since 4.3-tahoe
> Never attribute to malice what can adequately be explained by incompetence.
>