basic auth request

Jon Ribbens jon+usenet at unequivocal.eu
Wed Aug 25 06:59:45 EDT 2021


On 2021-08-25, Chris Angelico <rosuav at gmail.com> wrote:
> On Wed, Aug 25, 2021 at 5:20 PM Barry Scott <barry at barrys-emacs.org> wrote:
>> Only if this threat model matters to you or your organisation.
>> Personally, it's low down on the threats I watch out for.
>>
>> The on-line world and the real world are the same here.
>>
>> If a business changes hands then do you trust the new owners?
>>
>> Nothing we do with PKI certificates will answer that question.
>
> Fair enough; but a closer parallel would be walking up to a
> previously-familiar street vendor and seeing a different person there.
> Did the business change hands, or did some random dude hop over the
> counter and pretend to be a new owner?
>
> But you're right, it's not usually a particularly high-risk threat.
> Still, it does further weaken the value of named SSL certificates and
> certificate authorities; there's not actually that much difference if
> the server just gave you a self-signed cert. In theory, the CA is
> supposed to protect you against someone doing a DNS hack and
> substituting a different server; in practice, anyone capable of doing
> a large-scale DNS hack is probably capable of getting a very
> legit-looking SSL cert for the name as well.

There are so many trusted CAs these days that the chances of them all
being secure approaches zero - they are not all equal yet they are all
equally trusted. Which is why a change of CA on a site you have visited
before is potentially suspicious.
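The "change of CA on a site you have visited before" check, as an added example that is not part of the thread: a trust-on-first-use store keyed on the issuer rather than the leaf certificate, fed with records in the shape `ssl.SSLSocket.getpeercert()` returns. The hostname, issuer names and serials below are constructed placeholders, not real CAs.

```python
import socket
import ssl

# Constructed sample records in getpeercert() format (issuer is a sequence
# of RDNs, each a tuple of (attribute, value) pairs). Placeholder names.
FIRST_VISIT = {
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("organizationName", "Example CA One"),),
               (("commonName", "Example CA One Root"),)),
    "serialNumber": "01",
    "notAfter": "Jan  1 00:00:00 2022 GMT",
}
# Same CA, new serial and expiry: an ordinary renewal.
RENEWAL = dict(FIRST_VISIT, serialNumber="02",
               notAfter="Jan  1 00:00:00 2023 GMT")
# Valid chain from a different (equally trusted) CA: worth a second look.
CHANGED_CA = dict(FIRST_VISIT, serialNumber="03",
                  issuer=((("organizationName", "Example CA Two"),),
                          (("commonName", "Example CA Two Root"),)))


def issuer_name(cert):
    """Flatten the issuer RDN sequence into one comparable string."""
    return "/".join(f"{k}={v}" for rdn in cert["issuer"] for k, v in rdn)


def check_issuer(store, host, cert):
    """Record the issuing CA on first visit; accept later certificates from
    the same CA (renewals) and flag a switch to a different CA. A flag is a
    prompt for review, since a legitimate CA migration looks the same."""
    seen = issuer_name(cert)
    prev = store.get(host)
    if prev is None:
        store[host] = seen
        return "first-visit"
    if prev == seen:
        return "same-issuer"
    return "issuer-changed"


def fetch_cert(host, port=443, timeout=5):
    """Live helper (network): the peer certificate as getpeercert() gives it."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    store = {}
    for cert in (FIRST_VISIT, RENEWAL, CHANGED_CA):
        print(cert["serialNumber"], check_issuer(store, "example.test", cert))
```

Pair `fetch_cert` with a persisted `store` to watch real hosts; the constructed records only exercise the three outcomes offline.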
