Sybren Stuvel <[EMAIL PROTECTED]> writes: > John J. Lee enlightened us with: > > Of course, remembering that the first thing to ask in response to > > "is it secure?" is "against what?", for lots of purposes it just > > doesn't matter that it ignores certificates. > > I'm curious. Can you give me an example? AFAIK you need to know who > you're talking to before transmitting sensitive information, otherwise > you could be talking to anybody - and that's just what you wanted to > prevent with the encryption, right?
If Edward hadn't answered I would have said something along the lines of what he said too, but more than that I just had in mind situations where, when fetching a web page, the risk (probability and consequences) of a man-in-the-middle attack doesn't feature much higher than the risk of getting hit by a piece of debris from outer space that day. Surprisingly often, it so happens that the people setting up the web site used https, even though as a user of the site I don't really care about the encryption or authentication. That doesn't mean proper certificate handling wouldn't be good to have (it would), just that installing m2crypto and finding the right docs isn't necessarily worth the bother. BTW, I assume the reason the OP (I forgot who that was) didn't have https support compiled in was just that they didn't have OpenSSL installed when they typed ./configure (since the Python build process on unix uses autoconf). Either that or they installed a system package to get Python (e.g. an .rpm) and the SSL support is is a separate package (seems unlikely). John -- http://mail.python.org/mailman/listinfo/python-list
