From 4e1db9d3b89d27acf1b80c51c02e73cc7ad69bc1 Mon Sep 17 00:00:00 2001
From: "Eric S. Raymond" <esr@thyrsus.com>
Date: Sat, 10 Feb 2001 21:24:29 +0000
Subject: Warnings about SSL.

svn path=/trunk/; revision=3040
---
 fetchmail.man | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'fetchmail.man')

diff --git a/fetchmail.man b/fetchmail.man
index 737b92f9..a77926de 100644
--- a/fetchmail.man
+++ b/fetchmail.man
@@ -770,6 +770,17 @@ is not valid.  Some servers may require client side certificates be signed
 by a recognized Certifying Authority.  The format for the key files and
 the certificate files is that required by the underlying SSL libraries
 (OpenSSL in the general case).
+.PP
+Finally, a word of care about the use of SSL: While above mentioned
+setup with self-signed server certificates retrieved over the wires
+can protect you from a passive eavesdropper it doesn't help against an
+active attacker. It's clearly an improvement over sending the
+passwords in clear but you should be aware that a man-in-the-middle
+attack is trivially possible (in particular with tools such as dsniff,
+http://www.monkey.org/~dugsong/dsniff/).  Therefore and if possible,
+the use of an appropriately ssh tunnel (see below for some examples)
+is preferable if you seriously care about the security of your
+mailbox.
 
 .SH DAEMON MODE
 The 
-- 
cgit v1.2.3