Ah Python, you have spoiled me for all other languages

[Ian Kelly]

On Fri, May 22, 2015 at 10:30 PM, Michael Torrie <torriem at gmail.com> wrote:
> On 05/22/2015 10:10 PM, Ian Kelly wrote:
>> Sure it is. Without some prior reason to trust the certificate, the
>> certificate is meaningless. How is the browser to distinguish between
>> a legitimate self-signed cert and a self-signed cert presented by an
>> attacker conducting a man-in-the-middle attack?
>
> How does a CA actually help this problem?  It just puts trust in some
> third party. But as we know, CA authorities are not all trustworthy and
> they certainly don't guarantee that the site is what it says it is.

Nobody is forcing you to trust them. Go ahead and remove the CA
certificates that you consider untrustworthy if you want. Remove all
of them if you like, although good luck with verifying all those site
certificates yourself.

The CA helps because some assurance is better than none.

>> There is still some value in TLS with a self-signed certificate in
>> that at least the connection is encrypted and can't be eavesdropped
>> by an attacker who can only read the channel, but there is no
>> assurance that the party you're communicating with actually owns the
>> public key that you've been presented.
>
> The same can be said of CA-signed certificates.  The only way to know if
> the site is who they say they are is to know what the cert's fingerprint
> ought to be and see if it still is. I used to use a firefox plugin for
> this purpose, but certs for some major sites like even www.google.com
> change with such frequency that the utility of the plugin went away.

So instead of trusting a CA, you have to trust the maintainers of the
plugin. How is that any different?