On 2015-05-23, Michael Torrie <torr...@gmail.com> wrote:
> On 05/22/2015 10:10 PM, Ian Kelly wrote:
>> There is still some value in TLS with a self-signed certificate in
>> that at least the connection is encrypted and can't be eavesdropped
>> by an attacker who can only read the channel, but there is no
>> assurance that the party you're communicating with actually owns the
>> public key that you've been presented.
>
> The same can be said of CA-signed certificates.

I think you are falling into the trap of believing that all things are
either perfect or they are worthless. CAs aren't perfect, but neither
are they worthless. A self-signed certificate, however, is worthless.

> The only way to know if the site is who they say they are is to know
> what the cert's fingerprint ought to be and see if it still is. I
> used to use a Firefox plugin for this purpose, but certs for some
> major sites like even www.google.com change with such frequency that
> the utility of the plugin went away.

http://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

-- 
https://mail.python.org/mailman/listinfo/python-list
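An added illustration of the fingerprint-versus-pinning point in the exchange above (example code written for this page, not code from the thread or from python-list): HPKP (RFC 7469) pins base64(SHA-256(DER SubjectPublicKeyInfo)), not the whole certificate, so a site can renew its certificate as often as it likes without breaking the pin as long as it keeps the same key. The certificates below are constructed, unsigned DER skeletons that the script builds itself; the small DER encoder/decoder, `fake_cert`, `fake_spki` and the key bytes are hypothetical helpers for the demonstration, not a library API.

```python
import base64
import hashlib


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value (definite length, long form when >= 128)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def der_read_tlv(buf: bytes, pos: int):
    """Decode the TLV starting at buf[pos]; return (tag, content, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + count], "big")
        header = 2 + count
    start = pos + header
    return tag, buf[start:start + length], start + length


def der_children(content: bytes):
    """Yield (tag, whole TLV bytes) for each element of a constructed value."""
    pos = 0
    while pos < len(content):
        tag, _, nxt = der_read_tlv(content, pos)
        yield tag, content[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout):
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }"""
    tag, cert_body, _ = der_read_tlv(cert_der, 0)
    tbs_tag, tbs_body, _ = der_read_tlv(cert_body, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = list(der_children(tbs_body))
    if fields and fields[0][0] == 0xA0:  # explicit [0] version present (v2/v3 certs)
        fields = fields[1:]
    return fields[5][1]  # serial, sigalg, issuer, validity, subject, then SPKI


def spki_pin(cert_der: bytes) -> str:
    """HPKP pin-sha256 value (RFC 7469): base64(SHA-256(DER SubjectPublicKeyInfo))."""
    return base64.b64encode(hashlib.sha256(extract_spki(cert_der)).digest()).decode("ascii")


def cert_fingerprint(cert_der: bytes) -> str:
    """Whole-certificate SHA-256 fingerprint, the value a browser plugin would show."""
    return hashlib.sha256(cert_der).hexdigest()


def pin_matches(cert_der: bytes, pins: set) -> bool:
    """True if the certificate carries one of the pinned public keys."""
    return spki_pin(cert_der) in pins


# --- constructed test data: structurally valid but unsigned, made-up certificates ---
OID_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
OID_SHA256_RSA = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption
NULL = der_tlv(0x05, b"")


def fake_spki(key_bytes: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING subjectPublicKey }"""
    return der_tlv(0x30, der_tlv(0x30, OID_RSA + NULL) + der_tlv(0x03, b"\x00" + key_bytes))


def fake_cert(serial: int, spki: bytes) -> bytes:
    """Minimal v3 certificate skeleton: empty names and a placeholder signature (hypothetical)."""
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))
    serial_der = der_tlv(0x02, bytes([serial]))  # assumes 1 <= serial <= 127
    sig_alg = der_tlv(0x30, OID_SHA256_RSA + NULL)
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, b"160101000000Z"))
    tbs = der_tlv(0x30, version + serial_der + sig_alg + empty_name + validity + empty_name + spki)
    signature = der_tlv(0x03, b"\x00" + bytes(16))  # not a real signature
    return der_tlv(0x30, tbs + sig_alg + signature)


KEY_A = bytes(range(1, 33))               # pretend public-key material (constructed)
KEY_B = bytes(range(33, 65))              # a different key
SPKI_A = fake_spki(KEY_A)
CERT_A1 = fake_cert(1, SPKI_A)            # original certificate for key A
CERT_A2 = fake_cert(2, SPKI_A)            # renewed certificate: same key, new serial
CERT_B = fake_cert(3, fake_spki(KEY_B))   # certificate for an unrelated key
PINS = {spki_pin(CERT_A1)}                # what a pin list for this site would hold


if __name__ == "__main__":
    print("cert fingerprints differ after renewal:", cert_fingerprint(CERT_A1) != cert_fingerprint(CERT_A2))
    print("SPKI pin still matches after renewal:  ", pin_matches(CERT_A2, PINS))
    print("certificate for a different key matches:", pin_matches(CERT_B, PINS))
```

Against a live server the DER bytes would come from `ssl.SSLSocket.getpeercert(binary_form=True)` rather than from `fake_cert`. Two cautions a practitioner would want: pinning a key you later lose control of locks clients out of your site until the pin expires, which is why HPKP requires a backup pin, and browsers later dropped HPKP support, so the header itself is no longer an effective client-side control even though key pinning remains useful in software you ship yourself.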