author | Eric S. Raymond <esr@thyrsus.com> | 2001-02-10 21:24:29 +0000 |
---|---|---|
committer | Eric S. Raymond <esr@thyrsus.com> | 2001-02-10 21:24:29 +0000 |
commit | 4e1db9d3b89d27acf1b80c51c02e73cc7ad69bc1 (patch) | |
tree | 5845f1d6a2da25f26b472c19abc462570f6888a4 /fetchmail.man | |
parent | ad89715a43c50c3d50409730318c42ba9dc96d3f (diff) | |
Warnings about SSL.
svn path=/trunk/; revision=3040
Diffstat (limited to 'fetchmail.man')
-rw-r--r-- | fetchmail.man | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/fetchmail.man b/fetchmail.man index 737b92f9..a77926de 100644 --- a/fetchmail.man +++ b/fetchmail.man @@ -770,6 +770,17 @@ is not valid. Some servers may require client side certificates be signed by a recognized Certifying Authority. The format for the key files and the certificate files is that required by the underlying SSL libraries (OpenSSL in the general case). +.PP +Finally, a word of care about the use of SSL: While above mentioned +setup with self-signed server certificates retrieved over the wires +can protect you from a passive eavesdropper it doesn't help against an +active attacker. It's clearly an improvement over sending the +passwords in clear but you should be aware that a man-in-the-middle +attack is trivially possible (in particular with tools such as dsniff, +http://www.monkey.org/~dugsong/dsniff/). Therefore and if possible, +the use of an appropriately ssh tunnel (see below for some examples) +is preferable if you seriously care about the security of your +mailbox. .SH DAEMON MODE The |
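Review bot: The last sentence of the added paragraph, "the use of an appropriately ssh tunnel", is missing a word; it presumably should read "an appropriately configured ssh tunnel", and "Therefore and if possible," reads better as "Therefore, if possible,". The opening phrase "above mentioned setup with self-signed server certificates retrieved over the wires" would also be clearer if it stated why that setup fails against an active attacker: a certificate fetched over the same connection is not authenticated by anything the client already trusts, so whoever sits in the path can present their own. Stating that reason tells the reader what property the ssh tunnel has to provide to be an improvement.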