Nico Kadel-Garcia <nkadel@gmail.com> wrote:
> > > Not quite. SSL allows the NULL cipher, which is no encryption.
> >
> > Is that really secure? SSL = Secure sockets layer. A NULL cypher may
> > be permitted but I don't call that secure.
>
> It's not, but it's exactly what the original poster was asking about.
> buck wanted to be sure that his SSL connection was, in fact,
> encrypted. A sneaky bastard of an SSL server could, in theory,
> negotiate a 'null' cipher, and that way a connection with a browser
> might show a lovely little 'secured' icon but in actuality be
> unencrypted.
>
> I don't know if any browsers or stunnel could be misled this way, but
> it's a fascinating question.

Modern browsers can't. They warn about weak encryption. I don't know
how stunnel behaves.

Regards,
Ertugrul.
--
http://ertes.de/
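
Added example, not part of the thread above: one way for a client to confirm that a TLS session is actually encrypted, using Python's standard `ssl` module to inspect both the suites a context offers and the suite reported after the handshake. The helper names and the sample cipher tuples in the test are constructed for illustration; `connect_checked` needs a reachable host and is not exercised offline.

```python
import socket
import ssl


class UnencryptedSession(Exception):
    """Raised when the negotiated suite provides no confidentiality."""


def is_unencrypted(name, secret_bits):
    # OpenSSL's no-encryption suites carry a NULL component in their name
    # (e.g. NULL-SHA, ECDHE-RSA-NULL-SHA) and report 0 secret bits.
    parts = name.upper().replace("_", "-").split("-")
    return secret_bits == 0 or "NULL" in parts


def offered_null_ciphers(ctx):
    """Names of no-encryption suites this context is willing to negotiate."""
    return [c["name"] for c in ctx.get_ciphers()
            if is_unencrypted(c["name"], c["strength_bits"])]


def check_negotiated(cipher_info):
    """Validate the (name, protocol, bits) tuple from SSLSocket.cipher()."""
    if cipher_info is None:
        raise UnencryptedSession("no TLS session established")
    name, protocol, bits = cipher_info
    if is_unencrypted(name, bits):
        raise UnencryptedSession(
            f"{protocol} negotiated {name}: traffic is not encrypted")
    return name, protocol, bits


def connect_checked(host, port=443):
    """Handshake with host and refuse to continue on a NULL cipher."""
    ctx = ssl.create_default_context()
    # Fail before connecting if local configuration allows NULL suites.
    if offered_null_ciphers(ctx):
        raise UnencryptedSession("client context offers NULL cipher suites")
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_negotiated(tls.cipher())
```

A server can only select a suite the client offered, so the pre-connection check on the context is the stronger control; the post-handshake check confirms the result.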