Ah Python, you have spoiled me for all other languages
Ian Kelly
ian.g.kelly at gmail.com
Sat May 23 00:29:52 EDT 2015
On Fri, May 22, 2015 at 10:20 PM, Ben Finney <ben+python at benfinney.id.au> wrote:
> Ian Kelly <ian.g.kelly at gmail.com> writes:
>
>> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torriem at gmail.com> wrote:
>> > On 05/22/2015 07:54 PM, Terry Reedy wrote:
>> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
>> >>
>> >>> Lo these many years ago, I argued that Python is a whole lot more than
>> >>> a programming language:
>> >>>
>> >>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
>> >>
>> >> Perhaps something at tundraware needs updating.
>> >> '''
>> >> This Connection is Untrusted
>> >>
>> >> You have asked Firefox to connect securely to www.tundraware.com, but we
>> >> can't confirm that your connection is secure.
>> >> […]
>
>> Without some prior reason to trust the certificate, the certificate is
>> meaningless. How is the browser to distinguish between a legitimate
>> self-signed cert and a self-signed cert presented by an attacker
>> conducting a man-in-the-middle attack?
>
> Any unencrypted HTTP (“http://…”) connection has the same problem. Yet
> the same browsers don't present a big scary warning for those?
>
> The flaw in the browser is that it doesn't complain when an unencrypted
> HTTP connection is established, but only complains when an *encrypted*
> connection is made to a site with a self-signed certificate.
>
>> There is still some value in TLS with a self-signed certificate in
>> that at least the connection is encrypted and can't be eavesdropped by
>> an attacker who can only read the channel, but there is no assurance
>> that the party you're communicating with actually owns the public key
>> that you've been presented.
>
> Right. By that logic, let's advocate for browsers to present a big
> intrusive warning for every HTTP connection that has no SSL layer or
> certificate.
>
> I will agree that a self-signed certificate presents the problem of how
> to verify the certificate automatically.
>
> Where I disagree is that this is somehow less secure than a completely
> *unencrypted* HTTP connection. No, the opposite is true.
I don't disagree with you. There *should* be scary warnings for plain
HTTP connections (although there is a counter-argument that many sites
don't need any encryption and HTTPS would just be wasteful in those
cases). The fact that browsers don't yet provide those warnings
doesn't change anything that I wrote above.
More information about the Python-list
mailing list