Ah Python, you have spoiled me for all other languages

Michael Torrie torriem at gmail.com
Sat May 23 00:30:07 EDT 2015 

On 05/22/2015 10:10 PM, Ian Kelly wrote:
> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie <torriem at gmail.com> wrote:
>> On 05/22/2015 07:54 PM, Terry Reedy wrote:
>>> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
>>>
>>>> Lo these many years ago, I argued that Python is a whole lot more than
>>>> a programming language:
>>>>
>>>>     https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
>>>
>>> Perhaps something at tundraware needs updating.
>>> '''
>>> This Connection is Untrusted
>>>
>>> You have asked Firefox to connect securely to www.tundraware.com, but we
>>> can't confirm that your connection is secure.
>>>
>>> Normally, when you try to connect securely, sites will present trusted
>>> identification to prove that you are going to the right place. However,
>>> this site's identity can't be verified.
>>> '''
>>
>> Sigh. I blame this as much on the browser.  There's no inherent reason
>> why a connection to a site secured with a self-signed certificate is
>> insecure.  In fact it's definitely not.
> 
> Sure it is. Without some prior reason to trust the certificate, the
> certificate is meaningless. How is the browser to distinguish between
> a legitimate self-signed cert and a self-signed cert presented by an
> attacker conducting a man-in-the-middle attack?

How does a CA actually help this problem?  It just puts trust in some
third party. But as we know, CA authorities are not all trustworthy and
they certainly don't guarantee that the site is what it says it is.  A
valid SSL cert does not mean the site won't try to hack your browser or
steal your identity.  The current system lulls us into a false sense of
security.  A self-signed cert is perfectly secure if you can verify the
fingerprint with the site's owner.  Granted that process is the rub.

> There is still some value in TLS with a self-signed certificate in 
> that at least the connection is encrypted and can't be eavesdropped
> by an attacker who can only read the channel, but there is no
> assurance that the party you're communicating with actually owns the
> public key that you've been presented.

The same can be said of CA-signed certificates.  The only way to know if
the site is who they say they are is to know what the cert's fingerprint
ought to be and see if it still is. I used to use a firefox plugin for
this purpose, but certs for some major sites like even www.google.com
change with such frequency that the utility of the plugin went away.

More information about the Python-list mailing list