On Fri, May 22, 2015 at 10:20 PM, Ben Finney <ben+pyt...@benfinney.id.au> wrote: > Ian Kelly <ian.g.ke...@gmail.com> writes: > >> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torr...@gmail.com> wrote: >> > On 05/22/2015 07:54 PM, Terry Reedy wrote: >> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote: >> >> >> >>> Lo these many years ago, I argued that Python is a whole lot more than >> >>> a programming language: >> >>> >> >>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/ >> >> >> >> Perhaps something at tundraware needs updating. >> >> ''' >> >> This Connection is Untrusted >> >> >> >> You have asked Firefox to connect securely to www.tundraware.com, but we >> >> can't confirm that your connection is secure. >> >> […] > >> Without some prior reason to trust the certificate, the certificate is >> meaningless. How is the browser to distinguish between a legitimate >> self-signed cert and a self-signed cert presented by an attacker >> conducting a man-in-the-middle attack? > > Any unencrypted HTTP (“http://…”) connection has the same problem. Yet > the same browsers don't present a big scary warning for those? > > The flaw in the browser is that it doesn't complain when an unencrypted > HTTP connection is established, but only complains when an *encrypted* > connection is made to a site with a self-signed certificate. > >> There is still some value in TLS with a self-signed certificate in >> that at least the connection is encrypted and can't be eavesdropped by >> an attacker who can only read the channel, but there is no assurance >> that the party you're communicating with actually owns the public key >> that you've been presented. > > Right. By that logic, let's advocate for browsers to present a big > intrusive warning for every HTTP connection that has no SSL layer or > certificate. > > I will agree that a self-signed certificate presents the problem of how > to verify the certificate automatically. > > Where I disagree is that this is somehow less secure than a completely > *unencrypted* HTTP connection. No, the opposite is true.
I don't disagree with you. There *should* be scary warnings for plain HTTP connections (although there is a counter-argument that many sites don't need any encryption and HTTPS would just be wasteful in those cases). The fact that browsers don't yet provide those warnings doesn't change anything that I wrote above. -- https://mail.python.org/mailman/listinfo/python-list