> > This is crazy.  Because SSL + auth-digest is auth + encryption...  And
> 
> No, it isn't.  It's auth *after* encryption.  That is, an encrypted
> link is created between two parties without either party
> authenticating the other.  Insert MitM attack here.  

MITM attacks are very sophisticated and extremely unlikely in this
context, or any context for that matter.  Years working in security
and with security types, and I've never personally encountered a
real-world case of them happening.  They fall into the realm of
"someone is targeting you and really knows what they're doing", in
which case if you're not an expert, you're already screwed.  If what
you're protecting is some random recorded TV shows, and you care about
this, you're probably at least a little nuts.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail due to spam prevention.  Sorry for the inconvenience.