Ah Python, you have spoiled me for all other languages

Chris Angelico rosuav at gmail.com
Sat May 23 00:55:43 EDT 2015


On Sat, May 23, 2015 at 2:49 PM, Ian Kelly <ian.g.kelly at gmail.com> wrote:
>> The same can be said of CA-signed certificates.  The only way to know if
>> the site is who they say they are is to know what the cert's fingerprint
>> ought to be and see if it still is. I used to use a firefox plugin for
>> this purpose, but certs for some major sites like even www.google.com
>> change with such frequency that the utility of the plugin went away.
>
> So instead of trusting a CA, you have to trust the maintainers of the
> plugin. How is that any different?

It brings it local. If you're able to see the source code for the
plugin, you could check exactly how it does its verification (and by
the sound of it, it'd be pretty simple: just look up the cert, see if
it's different, if so, big noisy warning). Or, of course, you could do
the check yourself: click on the padlock, look at fingerprint, compare
against previously-noted fingerprint. That'd at least prove that your
plugin is checking properly.

But it still doesn't solve the fundamental problem of knowing when you
have the right site to start with.

ChrisA
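The check described in the reply above, written out as an added example (not code from the original thread or from any plugin it mentions): compute the SHA-256 fingerprint of the leaf certificate, compare it against a fingerprint noted on an earlier visit, and shout if it has changed. The host name `example.invalid` and the byte strings standing in for DER certificates are constructed for the demo and are not real certificates; the fingerprint of a certificate is just the hash of its DER bytes, so any bytes serve to exercise the logic offline.

```python
import hashlib
import json
import socket
import ssl
from pathlib import Path


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as colon-separated
    upper-case hex, the way a browser's padlock dialog shows it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def check_pin(host: str, der_cert: bytes, pins: dict) -> tuple:
    """Compare a freshly seen certificate against the locally noted one.

    Returns (status, fingerprint) where status is:
      'new'      first time this host is seen; its fingerprint is recorded
      'match'    same certificate as last time
      'MISMATCH' certificate changed since it was noted; time for the big noisy warning
    The first visit is trust-on-first-use: nothing here can tell whether the
    certificate noted then belonged to the right site, which is exactly the
    gap the reply above points out.
    """
    fp = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = fp
        return "new", fp
    if known == fp:
        return "match", fp
    return "MISMATCH", fp


def load_pins(path: Path) -> dict:
    """Pin store is a plain JSON file mapping host -> fingerprint."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_pins(path: Path, pins: dict) -> None:
    path.write_text(json.dumps(pins, indent=2, sort_keys=True))


def fetch_leaf_cert(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate in DER form.

    Needs network access, so it is not exercised in the offline demo below.
    The default context still performs ordinary CA validation; the pin check
    is an additional, local check on top of it.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def demo() -> list:
    """Offline walk-through: first visit, repeat visit, then a changed cert."""
    pins = {}
    host = "example.invalid"                      # constructed host name
    cert_a = b"constructed-der-bytes-cert-A"      # constructed, not a real certificate
    cert_b = b"constructed-der-bytes-cert-B"      # constructed, not a real certificate
    results = [check_pin(host, cert_a, pins)[0],
               check_pin(host, cert_a, pins)[0],
               check_pin(host, cert_b, pins)[0]]
    for status in results:
        print(status)
    return results


if __name__ == "__main__":
    demo()
```

To make the pin the only check (the "instead of trusting a CA" position in the thread), set `ctx.check_hostname = False` and `ctx.verify_mode = ssl.CERT_NONE` in `fetch_leaf_cert`; the socket then hands back whatever certificate the peer presents and `check_pin` decides. Note that sites which rotate certificates often will trip `MISMATCH` on every legitimate rotation, which is the practical problem the quoted poster ran into with www.google.com.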


