On 05/22/2015 10:10 PM, Ian Kelly wrote:
> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torr...@gmail.com> wrote:
>> On 05/22/2015 07:54 PM, Terry Reedy wrote:
>>> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
>>>
>>>> Lo these many years ago, I argued that Python is a whole lot more than
>>>> a programming language:
>>>>
>>>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
>>>
>>> Perhaps something at tundraware needs updating.
>>> '''
>>> This Connection is Untrusted
>>>
>>> You have asked Firefox to connect securely to www.tundraware.com, but we
>>> can't confirm that your connection is secure.
>>>
>>> Normally, when you try to connect securely, sites will present trusted
>>> identification to prove that you are going to the right place. However,
>>> this site's identity can't be verified.
>>> '''
>>
>> Sigh. I blame this as much on the browser. There's no inherent reason
>> why a connection to a site secured with a self-signed certificate is
>> insecure. In fact it's definitely not.
>
> Sure it is. Without some prior reason to trust the certificate, the
> certificate is meaningless. How is the browser to distinguish between
> a legitimate self-signed cert and a self-signed cert presented by an
> attacker conducting a man-in-the-middle attack?

How does a CA actually help this problem? It just puts trust in some
third party. But as we know, CA authorities are not all trustworthy and
they certainly don't guarantee that the site is what it says it is. A
valid SSL cert does not mean the site won't try to hack your browser or
steal your identity. The current system lulls us into a false sense of
security. A self-signed cert is perfectly secure if you can verify the
fingerprint with the site's owner. Granted, that process is the rub.

> There is still some value in TLS with a self-signed certificate in
> that at least the connection is encrypted and can't be eavesdropped
> by an attacker who can only read the channel, but there is no
> assurance that the party you're communicating with actually owns the
> public key that you've been presented.

The same can be said of CA-signed certificates. The only way to know if
the site is who they say they are is to know what the cert's fingerprint
ought to be and see if it still is. I used to use a Firefox plugin for
this purpose, but certs for some major sites like even www.google.com
change with such frequency that the utility of the plugin went away.
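
An added example, not part of the original thread: the fingerprint check described in the message above, written in Python. The certificate bytes and the `PINNED` value are constructed stand-ins, and the function names are this example's own.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, colon-separated hex."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Accept fingerprints as pasted from a browser or openssl output."""
    return fp.replace(":", "").replace(" ", "").strip().lower()


def matches_pin(der_cert: bytes, expected_fp: str) -> bool:
    """True only if the presented certificate is exactly the pinned one."""
    actual = normalize(fingerprint(der_cert))
    return hmac.compare_digest(actual, normalize(expected_fp))


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    Validation is disabled on purpose: trust comes from the pin comparison,
    so nothing may be sent on this connection before matches_pin() succeeds.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificate bytes (not real certificates).
OWNER_CERT = b"constructed-der-bytes: cert the site owner generated"
OTHER_CERT = b"constructed-der-bytes: cert presented by someone else"
# Fingerprint as the owner would read it out over a separate channel.
PINNED = fingerprint(OWNER_CERT)

if __name__ == "__main__":
    print("pinned:", PINNED)
    print("owner cert accepted:", matches_pin(OWNER_CERT, PINNED))
    print("other cert accepted:", matches_pin(OTHER_CERT, PINNED))
```

A pin on the whole certificate fails closed whenever the site reissues its certificate, which is the rotation problem the message mentions for sites like www.google.com.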