Ah Python, you have spoiled me for all other languages
Michael Torrie
torriem at gmail.com
Sat May 23 22:57:12 EDT 2015
On 05/23/2015 05:40 AM, Chris Angelico wrote:
> On Sat, May 23, 2015 at 9:34 PM, Tim Chase
> <python.list at tim.thechases.com> wrote:
>> A self-signed certificate may be of minimal worth the *first* time you
>> visit a site, but if you return to the site, that initial
>> certificate's signature can be used to confirm that you're talking to
>> the same site you talked to previously. This is particularly
>> valuable on a laptop where you make initial contact over a (I
>> hesitate to say "more secure") less hostile connection through your
>> home ISP. Then, when you're out at the library, coffee-shop, or some
>> hacker convention on their wifi, it's possible to determine whether
>> you're securely connecting to the *same* site, or whether an attempt
>> is being made to MitM because the cert changed.
>
> You can get the exact same benefit (knowing when the cert changes)
> with an externally-signed cert too. How many people actually bother to
> check?
Except that you won't be notified automatically. A MitM attack nowadays
most often uses a valid certificate signed by a recognized (though
untrustworthy) CA. Thus with a self-signed cert that you've previously
accepted, you'll immediate know of the MitM attack. The odds of this
happening inside China, for example, is very high. Wasn't that long ago
bogus google certificates (still valid) were found in the wild.
Eventually Firefox and Chrome revoked the CA cert, but only after it was
found out.
More information about the Python-list
mailing list