Ah Python, you have spoiled me for all other languages

Chris Angelico rosuav at gmail.com
Sat May 23 00:28:59 EDT 2015


On Sat, May 23, 2015 at 2:20 PM, Ben Finney <ben+python at benfinney.id.au> wrote:
> Where I disagree is that this is somehow less secure than a completely
> *unencrypted* HTTP connection. No, the opposite is true.

No, it isn't less secure. However, people have been trained for years
to look for the padlock (including looking for padlocks before
entering credit card numbers or passwords, despite the fact that HTTPS
on the form isn't actually what's significant), and that's the key
here. Web browsers are intended for *humans* to use. You want a truly
secure connection between your Python client script and your Python
server? Sure, self-signed cert is great. You want something that an
average Joe can understand? Do what 99% of the world does, and get a
CA-signed cert. Unencrypted is normal, encrypted is normal, and the
only thing that's being flagged is "hey, this *looks* secured, but it
might not be the right server". It's still encrypted, but the
unverified origin is a potential problem.

ChrisA
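
A worked illustration of the distinction drawn above: a Python client that pins the server's self-signed certificate gets a verified, encrypted connection, while a client using a browser-style default trust store rejects the same server, and hostname checking still applies to the pinned cert. This is an added example, not code from the post or from any project. It assumes the `openssl` command-line tool is on PATH (used only to mint a throwaway certificate) and otherwise uses only the Python standard library; `make_self_signed_cert`, `serve`, `fetch` and `run_demo` are names chosen for this example.

```python
"""Pinning a self-signed certificate in a Python TLS client vs. default trust.

Added example, not from the mailing-list post. Assumes the `openssl` CLI is
available; everything else is the standard library.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOSTNAME = "localhost"  # name baked into the cert; the client must ask for it


def make_self_signed_cert(dirpath, hostname=HOSTNAME):
    """Generate a throwaway self-signed key/cert pair with the openssl CLI."""
    key = os.path.join(dirpath, "key.pem")
    crt = os.path.join(dirpath, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={hostname}",
         # modern hostname verification matches the SAN, not the CN
         "-addext", f"subjectAltName=DNS:{hostname}"],
        check=True, capture_output=True,
    )
    return key, crt


def serve(crt, key, connections, port_box, ready):
    """Minimal TLS server: answer `connections` handshakes, one message each."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(crt, key)
    with socket.socket() as lsock:
        lsock.bind(("127.0.0.1", 0))
        lsock.listen(connections)
        lsock.settimeout(10)
        port_box.append(lsock.getsockname()[1])
        ready.set()
        for _ in range(connections):
            conn, _ = lsock.accept()
            conn.settimeout(10)
            try:
                # wrap_socket runs the handshake; it raises when the peer
                # refuses our certificate, which is expected for two clients
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.sendall(b"hello over TLS")
            except OSError:
                pass
            finally:
                conn.close()


def fetch(port, cafile=None, hostname=HOSTNAME):
    """Connect as a client and return ("ok", data) or ("rejected", reason).

    cafile=None means "trust the system CA store" (what a browser does);
    cafile=<the server's own cert> trusts exactly that certificate (pinning).
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return ("ok", tls.recv(1024).decode())
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.verify_message)


def run_demo():
    """Run server and three clients; returns None if openssl is unavailable."""
    with tempfile.TemporaryDirectory() as tmp:
        try:
            key, crt = make_self_signed_cert(tmp)
        except (FileNotFoundError, subprocess.CalledProcessError):
            return None
        port_box, ready = [], threading.Event()
        t = threading.Thread(target=serve, args=(crt, key, 3, port_box, ready),
                             daemon=True)
        t.start()
        ready.wait(10)
        port = port_box[0]
        results = {
            # browser-style trust: unknown issuer, so the handshake is refused
            "system_trust": fetch(port, cafile=None),
            # pinned cert + correct name: verified AND encrypted
            "pinned": fetch(port, cafile=crt),
            # pinned cert but wrong name: still refused (hostname mismatch)
            "pinned_wrong_name": fetch(port, cafile=crt, hostname="example.invalid"),
        }
        t.join(10)
        return results


if __name__ == "__main__":
    for name, outcome in (run_demo() or {}).items():
        print(f"{name:18} -> {outcome}")
```

The "system_trust" client is what a browser does with a self-signed cert: the connection is encrypted, but the peer cannot be verified, so it is refused. The "pinned" client is the script-to-script case from the post, and "pinned_wrong_name" shows that pinning a cert does not switch off hostname checking.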
