Ah Python, you have spoiled me for all other languages

Jon Ribbens jon+usenet at unequivocal.co.uk
Sat May 23 07:10:30 EDT 2015


On 2015-05-23, Michael Torrie <torriem at gmail.com> wrote:
> On 05/22/2015 10:10 PM, Ian Kelly wrote:
>> There is still some value in TLS with a self-signed certificate in
>> that at least the connection is encrypted and can't be eavesdropped
>> by an attacker who can only read the channel, but there is no
>> assurance that the party you're communicating with actually owns the
>> public key that you've been presented.
>
> The same can be said of CA-signed certificates.

I think you are falling into the trap of believing that all things are
either perfect or they are worthless. CAs aren't perfect, but neither
are they worthless. A self-signed certificate, however, is worthless.

> The only way to know if the site is who they say they are is to know
> what the cert's fingerprint ought to be and see if it still is. I
> used to use a firefox plugin for this purpose, but certs for some
> major sites like even www.google.com change with such frequency that
> the utility of the plugin went away.

http://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
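The fingerprint check Michael describes, as an added Python example that is not from this thread: it pins the SHA-256 fingerprint of the leaf certificate (the value a browser plugin would display) and accepts several pins so a replacement certificate can be announced before the current one rotates, which is the rotation problem raised above. `connect_pinned`, the host and the pin values are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """Hex SHA-256 of a DER-encoded certificate, colon separated as browsers show it."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_pin(pin: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' and return lowercase hex without separators."""
    return pin.replace(":", "").replace(" ", "").lower()


def pin_matches(der_cert: bytes, pins) -> bool:
    """True if the certificate's SHA-256 fingerprint equals any pinned value.

    Several pins are allowed so a backup pin can be deployed before the
    certificate rotates; comparison is constant-time.
    """
    actual = hashlib.sha256(der_cert).hexdigest()
    return any(hmac.compare_digest(actual, normalize_pin(p)) for p in pins)


def connect_pinned(host: str, pins, port: int = 443, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection and refuse it unless the leaf cert matches a pin.

    Normal chain validation against the system CA store still runs first;
    pinning narrows that trust to one known key, it does not replace it.
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, pins):
            raise ssl.SSLCertVerificationError(
                f"certificate for {host} does not match any pinned fingerprint")
    except Exception:
        tls.close()
        raise
    return tls


if __name__ == "__main__":
    # Constructed sample bytes standing in for a DER certificate; a real
    # deployment would record the fingerprint of the server's actual cert.
    sample = b"constructed-not-a-real-certificate"
    print(fingerprint_sha256(sample))
    print(pin_matches(sample, ["00" * 32, fingerprint_sha256(sample)]))
```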