Ian Kelly <ian.g.ke...@gmail.com> writes:

> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torr...@gmail.com> wrote:
> > On 05/22/2015 07:54 PM, Terry Reedy wrote:
> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
> >>
> >>> Lo these many years ago, I argued that Python is a whole lot more than
> >>> a programming language:
> >>>
> >>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
> >>
> >> Perhaps something at tundraware needs updating.
> >> '''
> >> This Connection is Untrusted
> >>
> >> You have asked Firefox to connect securely to www.tundraware.com, but we
> >> can't confirm that your connection is secure.
> >> […]
> Without some prior reason to trust the certificate, the certificate is
> meaningless. How is the browser to distinguish between a legitimate
> self-signed cert and a self-signed cert presented by an attacker
> conducting a man-in-the-middle attack?

Any unencrypted HTTP (“http://…”) connection has the same problem. Yet the
same browsers don't present a big scary warning for those?

The flaw in the browser is that it doesn't complain when an unencrypted
HTTP connection is established, but only complains when an *encrypted*
connection is made to a site with a self-signed certificate.

> There is still some value in TLS with a self-signed certificate in
> that at least the connection is encrypted and can't be eavesdropped by
> an attacker who can only read the channel, but there is no assurance
> that the party you're communicating with actually owns the public key
> that you've been presented.

Right. By that logic, let's advocate for browsers to present a big
intrusive warning for every HTTP connection that has no SSL layer or
certificate.

I will agree that a self-signed certificate presents the problem of how to
verify the certificate automatically. Where I disagree is that this is
somehow less secure than a completely *unencrypted* HTTP connection. No,
the opposite is true.

-- 
 \       “DRM doesn't inconvenience [lawbreakers] — indeed, over time it |
  `\      trains law-abiding users to become [lawbreakers] out of sheer |
_o__)                   frustration.” —Charles Stross, 2010-05-09 |
Ben Finney
-- 
https://mail.python.org/mailman/listinfo/python-list
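The thread turns on the "prior reason to trust the certificate" that a self-signed certificate lacks. One way a client can supply that reason is trust-on-first-use pinning: record the SHA-256 fingerprint of the certificate's DER encoding the first time a host is seen and refuse later connections that present a different certificate, which is exactly the silent key substitution a man-in-the-middle would need. The code below is an added example written for this page, not code from the python-list thread or from any of the participants; the in-memory `TofuStore`, the `connect_pinned` helper, and the byte strings used as stand-in certificates are all assumptions of the example, and it goes slightly beyond the thread by showing both the first-use and the mismatch paths.

```python
"""Trust-on-first-use (TOFU) pinning for self-signed TLS certificates.

Added illustration, not code from the python-list thread above. A bare
self-signed certificate gives a client nothing to check against; pinning
the certificate's fingerprint on first contact and comparing on every later
contact turns an unexpected certificate change into a hard failure instead
of a silently accepted connection.
"""
import hashlib
import hmac
import socket
import ssl
from typing import Dict, Optional


class PinMismatch(Exception):
    """Raised when a host presents a certificate other than the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate (the value browsers show
    in their certificate viewer, so it can be compared out of band)."""
    return hashlib.sha256(der_cert).hexdigest()


class TofuStore:
    """In-memory pin store keyed by host name (assumption of this example;
    a real client would persist the pins on disk)."""

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def pinned(self, host: str) -> Optional[str]:
        """Fingerprint currently pinned for host, or None if never seen."""
        return self._pins.get(host)

    def check(self, host: str, der_cert: bytes) -> str:
        """Return 'first-use' when a host is pinned for the first time and
        'match' when the presented certificate equals the stored pin.
        Any other certificate raises PinMismatch: a changed key is treated
        as a possible man-in-the-middle until an operator re-pins it."""
        fp = fingerprint(der_cert)
        stored = self._pins.get(host)
        if stored is None:
            self._pins[host] = fp
            return "first-use"
        if hmac.compare_digest(stored, fp):  # constant-time comparison
            return "match"
        raise PinMismatch(f"{host}: pinned {stored}, presented {fp}")


def connect_pinned(host: str, port: int, store: TofuStore,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection whose trust decision is the pin, not a CA chain.

    Chain validation is switched off because a self-signed certificate can
    never pass it; the fingerprint check takes its place, so an unpinned or
    changed certificate still fails closed. Not exercised by the test below,
    which has no network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # SNI still sent
    try:
        der = tls.getpeercert(binary_form=True)  # DER even with CERT_NONE
        if der is None:
            raise PinMismatch(f"{host}: no certificate presented")
        store.check(host, der)
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Constructed stand-in certificates; real input would be DER bytes.
    store = TofuStore()
    legit = b"constructed DER placeholder for the site's own certificate"
    other = b"constructed DER placeholder for a substituted certificate"
    print(store.check("www.example.test", legit))   # first-use
    print(store.check("www.example.test", legit))   # match
    try:
        store.check("www.example.test", other)
    except PinMismatch as exc:
        print("refused:", exc)
```

The store answers the thread's question in the only way a client can without a CA: it cannot tell on first contact whether the certificate is the site's own, but it can make every later substitution visible, which is strictly more than an unencrypted connection offers.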