Ah Python, you have spoiled me for all other languages

Ben Finney ben+python at benfinney.id.au
Sat May 23 00:20:57 EDT 2015


Ian Kelly <ian.g.kelly at gmail.com> writes:

> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torriem at gmail.com> wrote:
> > On 05/22/2015 07:54 PM, Terry Reedy wrote:
> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
> >>
> >>> Lo these many years ago, I argued that Python is a whole lot more than
> >>> a programming language:
> >>>
> >>>     https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
> >>
> >> Perhaps something at tundraware needs updating.
> >> '''
> >> This Connection is Untrusted
> >>
> >> You have asked Firefox to connect securely to www.tundraware.com, but we
> >> can't confirm that your connection is secure.
> >> […]

> Without some prior reason to trust the certificate, the certificate is
> meaningless. How is the browser to distinguish between a legitimate
> self-signed cert and a self-signed cert presented by an attacker
> conducting a man-in-the-middle attack?

Any unencrypted HTTP (“http://…”) connection has the same problem. Yet
the same browsers don't present a big scary warning for those?

The flaw in the browser is that it doesn't complain when an unencrypted
HTTP connection is established, but only complains when an *encrypted*
connection is made to a site with a self-signed certificate.

> There is still some value in TLS with a self-signed certificate in
> that at least the connection is encrypted and can't be eavesdropped by
> an attacker who can only read the channel, but there is no assurance
> that the party you're communicating with actually owns the public key
> that you've been presented.

Right. By that logic, let's advocate for browsers to present a big
intrusive warning for every HTTP connection that has no SSL layer or
certificate.

I will agree that a self-signed certificate presents the problem of how
to verify the certificate automatically.

Where I disagree is that this is somehow less secure than a completely
*unencrypted* HTTP connection. No, the opposite is true.

-- 
 \     “DRM doesn't inconvenience [lawbreakers] — indeed, over time it |
  `\     trains law-abiding users to become [lawbreakers] out of sheer |
_o__)                        frustration.” —Charles Stross, 2010-05-09 |
Ben Finney
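The thread above turns on one practical question: how does a client verify a self-signed certificate "automatically" without a CA to vouch for it? The usual answer is to pin the certificate, trust-on-first-use style, so that the only exposed moment is the very first connection and any later swap by a man-in-the-middle is refused. The following is an added example (editor's code, not posted by anyone in the thread): the pin store and fingerprint check run offline against a constructed PEM blob (arbitrary bytes, not a real X.509 certificate), and `connect_pinned` shows how the same check sits in a real `ssl` handshake. The host name `www.example.test` and the `PinStore` class are assumptions made for the illustration.

```python
"""
Trust-on-first-use (TOFU) pinning for a self-signed TLS certificate.

Added example, not from the mailing-list thread. Instead of asking a CA
whether the server's key is genuine, remember the SHA-256 fingerprint of
the certificate the first time we see a host and refuse to talk to that
host if a later connection presents a different certificate.
"""
import base64
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path


class PinMismatch(Exception):
    """The host presented a certificate that differs from the pinned one."""


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, as hex (the form browsers display)."""
    return hashlib.sha256(der_cert).hexdigest()


class PinStore:
    """host -> fingerprint map; persisted to a JSON file when a path is given."""

    def __init__(self, path=None):
        self.path = Path(path) if path else None
        self.pins = {}
        if self.path and self.path.exists():
            self.pins = json.loads(self.path.read_text())

    def _save(self):
        if self.path:
            self.path.write_text(json.dumps(self.pins, indent=2))

    def check(self, host: str, der_cert: bytes) -> str:
        """Return "pinned" on first sight, "match" on agreement, raise otherwise."""
        seen = fingerprint(der_cert)
        known = self.pins.get(host)
        if known is None:
            # First use: the one moment an active attacker could win, so the
            # fingerprint should be confirmed out of band (phone, printed page).
            self.pins[host] = seen
            self._save()
            return "pinned"
        if not hmac.compare_digest(known, seen):
            raise PinMismatch(f"{host}: pinned {known[:16]}..., got {seen[:16]}...")
        return "match"


def connect_pinned(host: str, port: int, store: PinStore, timeout: float = 5.0):
    """Open a TLS connection and verify the peer by pin instead of CA chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # no CA check; the pin does the verifying
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            # Raises PinMismatch before any application data is sent.
            outcome = store.check(host, der)
            return outcome, fingerprint(der), tls.version()


# Constructed sample so the pin logic can be exercised offline: PEM framing
# around arbitrary bytes, NOT a real X.509 certificate. A genuine DER blob from
# getpeercert(binary_form=True) takes exactly the same path through check().
SAMPLE_DER = b"constructed sample certificate bytes for the pin-store demo"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)


def demo() -> list:
    """Run the TOFU sequence against the constructed sample; returns outcomes."""
    store = PinStore()                       # in-memory for the demo
    der = ssl.PEM_cert_to_DER_cert(SAMPLE_PEM)
    results = [store.check("www.example.test", der),   # first sight: "pinned"
               store.check("www.example.test", der)]   # same cert: "match"
    try:
        store.check("www.example.test", der + b"tampered")   # swapped cert
    except PinMismatch:
        results.append("mismatch")
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that `CERT_NONE` here does not mean "no verification"; it means the CA chain is not the verifier. The pin check runs on the raw DER before any request is written, so an attacker who can only read the channel gets ciphertext, and one who swaps in their own self-signed certificate after the first visit gets a `PinMismatch`. What pinning cannot do is protect the first connection or survive a legitimate certificate rotation without an out-of-band update of the store, which is the gap a CA-signed certificate closes.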