On Sat, May 23, 2015 at 2:20 PM, Ben Finney <ben+pyt...@benfinney.id.au> wrote:
> Where I disagree is that this is somehow less secure than a completely
> *unencrypted* HTTP connection. No, the opposite is true.
No, it isn't less secure. However, people have been trained for years to look for the padlock (including looking for padlocks before entering credit card numbers or passwords, despite the fact that HTTPS on the form isn't actually what's significant), and that's the key here. Web browsers are intended for *humans* to use. You want a truly secure connection between your Python client script and your Python server? Sure, self-signed cert is great. You want something that an average Joe can understand? Do what 99% of the world does, and get a CSA-signed cert.

Unencrypted is normal, encrypted is normal, and the only thing that's being flagged is "hey, this *looks* secured, but it might not be the right server". It's still encrypted, but the unverified origin is a potential problem.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list