On Sat, May 23, 2015 at 8:57 PM, Michael Torrie <torr...@gmail.com> wrote:
> On 05/23/2015 05:40 AM, Chris Angelico wrote:
>> On Sat, May 23, 2015 at 9:34 PM, Tim Chase
>> <python.l...@tim.thechases.com> wrote:
>>> A self-signed certificate may be of minimal worth the *first* time you
>>> visit a site, but if you return to the site, that initial
>>> certificate's signature can be used to confirm that you're talking to
>>> the same site you talked to previously. This is particularly
>>> valuable on a laptop where you make initial contact over a (I
>>> hesitate to say "more secure") less hostile connection through your
>>> home ISP. Then, when you're out at the library, coffee-shop, or some
>>> hacker convention on their wifi, it's possible to determine whether
>>> you're securely connecting to the *same* site, or whether an attempt
>>> is being made to MitM because the cert changed.
>>
>> You can get the exact same benefit (knowing when the cert changes)
>> with an externally-signed cert too. How many people actually bother to
>> check?
>
> Except that you won't be notified automatically. A MitM attack nowadays
> most often uses a valid certificate signed by a recognized (though
> untrustworthy) CA. Thus with a self-signed cert that you've previously
> accepted, you'll immediately know of the MitM attack.

I fail to see how this is the case. If a new certificate is suddenly
provided, why should the status of the *previous* certificate have
anything to do with whether the browser automatically notifies you? A
change from a self-signed certificate to a CA certificate likely just
means that the site has upgraded its certificate, not that a MitM
attack is underway.
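
Added example, not part of the original thread: a minimal trust-on-first-use pin check in Python, where a certificate change is detected by comparing a remembered SHA-256 fingerprint and the result does not depend on who signed either certificate. The host name `site.example` and the byte strings standing in for DER certificates are constructed for illustration; `fetch_der()` is the hook for real input.

```python
import hashlib
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def check_pin(store: dict, host: str, der: bytes) -> str:
    """Compare a presented certificate with the pin remembered for host.

    Returns "first-use" (pin recorded), "match", or "changed" (old pin
    kept; the caller decides whether to accept the new certificate).
    The signer is never consulted, so a switch to a CA-signed
    certificate is reported exactly like any other change.
    """
    seen = fingerprint(der)
    pinned = store.get(host)
    if pinned is None:
        store[host] = seen
        return "first-use"
    return "match" if pinned == seen else "changed"


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate without validating its chain."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def demo() -> list:
    # Constructed stand-ins for DER bytes; real input comes from fetch_der().
    self_signed = b"constructed-self-signed-cert"
    ca_signed = b"constructed-ca-signed-cert"
    store = {}
    host = "site.example"  # hypothetical host
    return [
        check_pin(store, host, self_signed),  # first visit from home
        check_pin(store, host, self_signed),  # same certificate later
        check_pin(store, host, ca_signed),    # different certificate on cafe wifi
        check_pin(store, host, self_signed),  # original certificate again
    ]
```

A "changed" result only says the certificate differs from the remembered one; telling a legitimate reissue from an interception still needs an out-of-band check.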