> If you do this, you become vulnerable to man-in-the-middle attacks.
> Might as well just use an unencrypted connection in the first place.
Well, a man-in-the-middle attack is non-trivial since it typically means
stealing a domain name. And with an encrypted channel, at least
userid/passwords are nicely encrypted as is the data in the database. I
think a simple sniffer type attack is far easier. But you are right
that having the client import the cert (or using a well-known CA signed
cert) is preferable.
David
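The two client configurations being contrasted above, as an added example that is not part of the thread: one context that has imported the server (or CA) certificate and verifies it, and one that encrypts but accepts any certificate. The `cafile` argument is a hypothetical path; with no path given, the system CA store is used.

```python
import ssl
from typing import Optional


def verifying_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that checks the server's certificate chain and hostname.

    Loading a cafile is the "client imports the cert" option from the thread;
    leaving it None relies on a well-known CA already in the system store.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    if cafile is not None:
        # Hypothetical path, e.g. the server's self-signed cert or its issuing CA.
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def trust_anything_context() -> ssl.SSLContext:
    """Client context that encrypts the channel but trusts any certificate.

    This is the configuration the quoted warning refers to: a passive sniffer
    sees only ciphertext, but an active attacker who can answer the connection
    (for instance after redirecting the hostname) can present its own cert.
    check_hostname must be cleared before verify_mode can be set to CERT_NONE.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def mitm_resistant(ctx: ssl.SSLContext) -> bool:
    """True only if the peer certificate is required AND its hostname is checked."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verify_mode_name(ctx: ssl.SSLContext) -> str:
    """Human-readable verify mode, handy for auditing a client's settings."""
    return ssl.VerifyMode(ctx.verify_mode).name


if __name__ == "__main__":
    for label, ctx in (("verifying", verifying_context()),
                       ("trust-anything", trust_anything_context())):
        print(f"{label:15s} verify_mode={verify_mode_name(ctx)} "
              f"check_hostname={ctx.check_hostname} "
              f"MITM-resistant={mitm_resistant(ctx)}")
```

The same check applies to a database driver's SSL options: if the client does not require a verified certificate and a matching hostname, the channel resists sniffing but not an active interposer.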