On Sat, May 23, 2015 at 2:49 PM, Ian Kelly <ian.g.ke...@gmail.com> wrote: >> The same can be said of CA-signed certificates. The only way to know if >> the site is who they say they are is to know what the cert's fingerprint >> ought to be and see if it still is. I used to use a firefox plugin for >> this purpose, but certs for some major sites like even www.google.com >> change with such frequency that the utility of the plugin went away. > > So instead of trusting a CA, you have to trust the maintainers of the > plugin. How is that any different?
It brings it local. If you're able to see the source code for the plugin, you could check exactly how it does its verification (and by the sound of it, it'd be pretty simple: just look up the cert, see if it's different, if so, big noisy warning). Or, of course, you could do the check yourself: click on the padlock, look at fingerprint, compare against previously-noted fingerprint. That'd at least prove that your plugin is checking properly. But it still doesn't solve the fundamental problem of knowing when you have the right site to start with. ChrisA -- https://mail.python.org/mailman/listinfo/python-list
