From 4e1db9d3b89d27acf1b80c51c02e73cc7ad69bc1 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond" <esr@thyrsus.com>
Date: Sat, 10 Feb 2001 21:24:29 +0000
Subject: Warnings about SSL.

svn path=/trunk/; revision=3040
---
 fetchmail-FAQ.html |  7 ++++---
 fetchmail.man      | 11 +++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/fetchmail-FAQ.html b/fetchmail-FAQ.html
index 51c58ad1..d4d0123e 100644
--- a/fetchmail-FAQ.html
+++ b/fetchmail-FAQ.html
@@ -10,7 +10,7 @@
 <table width="100%" cellpadding=0><tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
 <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 2001/02/10 21:20:33 $
+<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $
 </table>
 <HR>
 <H1>Frequently Asked Questions About Fetchmail</H1>
@@ -1946,7 +1946,8 @@ an equal sign.<p>
 Fetchmail binaries built this way support <code>ssl</code>,
 <code>sslkey</code>, and <code>sslcert</code> options that control
 SSL encryption.  You will need to have an SSL-enabled mailserver
-to use these options.  See the manual page for detals.<p>
+to use these options.  See the manual page for details and some words
+of care on the limited security provided.<p>
 
 If your open OpenSSL session dies with a message that complains "PRNG
 not seeded", update or improve your operating system.  This means that
@@ -2966,7 +2967,7 @@ switching to IMAP and using a short expunge interval.<p>
 <table width="100%" cellpadding=0><tr>
 <td width="30%">Back to <a href="index.html">Fetchmail Home Page</a>
 <td width="30%" align=center>To <a href="/~esr/sitemap.html">Site Map</a>
-<td width="30%" align=right>$Date: 2001/02/10 21:20:33 $
+<td width="30%" align=right>$Date: 2001/02/10 21:24:24 $
 </table>
 
 <P><ADDRESS>Eric S. Raymond <A HREF="mailto:esr@thyrsus.com">&lt;esr@snark.thyrsus.com&gt;</A></ADDRESS>
diff --git a/fetchmail.man b/fetchmail.man
index 737b92f9..a77926de 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -770,6 +770,17 @@ is not valid.  Some servers may require client side certificates be signed
 by a recognized Certifying Authority.  The format for the key files and
 the certificate files is that required by the underlying SSL libraries
 (OpenSSL in the general case).
+.PP
+Finally, a word of care about the use of SSL: While above mentioned
+setup with self-signed server certificates retrieved over the wires
+can protect you from a passive eavesdropper it doesn't help against an
+active attacker. It's clearly an improvement over sending the
+passwords in clear but you should be aware that a man-in-the-middle
+attack is trivially possible (in particular with tools such as dsniff,
+http://www.monkey.org/~dugsong/dsniff/).  Therefore and if possible,
+the use of an appropriately ssh tunnel (see below for some examples)
+is preferable if you seriously care about the security of your
+mailbox.
 
 .SH DAEMON MODE
 The 
-- 
cgit v1.2.3