basic auth request

Chris Angelico rosuav at gmail.com
Wed Aug 25 10:19:07 EDT 2021


On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list
<python-list at python.org> wrote:
>
> On 2021-08-25, Chris Angelico <rosuav at gmail.com> wrote:
> > On Wed, Aug 25, 2021 at 5:20 PM Barry Scott <barry at barrys-emacs.org> wrote:
> >> Only if this threat model matters to you or your organisation.
> >> Personally it's low down on the threats I watch out for.
> >>
> >> The on-line world and the real-world are the same here.
> >>
> >> If a business changes hands then do you trust the new owners?
> >>
> >> Nothing we do with PKI certificates will answer that question.
> >
> > Fair enough; but a closer parallel would be walking up to a
> > previously-familiar street vendor and seeing a different person there.
> > Did the business change hands, or did some random dude hop over the
> > counter and pretend to be a new owner?
> >
> > But you're right, it's not usually a particularly high risk threat.
> > Still, it does further weaken the value of named SSL certificates and
> > certificate authorities; there's not actually that much difference if
> > the server just gave you a self-signed cert. In theory, the CA is
> > supposed to protect you against someone doing a DNS hack and
> > substituting a different server; in practice, anyone capable of doing
> > a large-scale DNS hack is probably capable of getting a very
> > legit-looking SSL cert for the name as well.
>
> There are so many trusted CAs these days that the chances of them all
> being secure approaches zero - they are not all equal yet they are all
> equally trusted. Which is why a change of CA on a site you have visited
> before is potentially suspicious.

Do any popular web browsers notify you if that happens? I've certainly
never noticed it with any that I use (and I've transitioned several
sites from one CA to another).

I've come to the conclusion that most security threats don't bother
most people, and that security *warnings* bother nearly everyone, so
real authentication of servers doesn't really matter all that much.
*Encryption* does still have value, but you'd get that with a
self-signed cert too.

ChrisA
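Since the thread observes that browsers do not flag a site moving from one CA to another, here is an added example (not from the thread or any poster) of a small trust-on-first-use check that records the issuer seen per host and reports when a later connection is signed by a different CA. The host name, store layout and the `SAMPLE_CERT` dict are constructed; the dict is shaped like the return value of `ssl.SSLSocket.getpeercert()`.

```python
"""Trust-on-first-use check for a site's certificate issuer.

Keeps a local record of the issuer and certificate fingerprint last seen
for each host, and classifies a new observation as unchanged, a routine
renewal under the same CA, or a change of CA that deserves a closer look.
"""
import hashlib
import socket
import ssl


def issuer_name(peercert: dict) -> str:
    """Flatten the 'issuer' field of getpeercert() into one readable string."""
    parts = []
    for rdn in peercert.get("issuer", ()):        # tuple of RDNs
        for key, value in rdn:                    # each RDN is a tuple of pairs
            parts.append(f"{key}={value}")
    return ", ".join(parts)


def check_issuer(store: dict, host: str, issuer: str, fingerprint: str) -> str:
    """Compare this connection against the stored record for `host`.

    Returns 'first-seen', 'unchanged', 'renewed' (same CA, new certificate)
    or 'ISSUER-CHANGED'. The record is only updated for the first three, so
    a changed CA keeps being reported until the operator accepts it.
    """
    prev = store.get(host)
    if prev is None:
        store[host] = {"issuer": issuer, "fingerprint": fingerprint}
        return "first-seen"
    if prev["fingerprint"] == fingerprint:
        return "unchanged"
    if prev["issuer"] != issuer:
        return "ISSUER-CHANGED"
    store[host] = {"issuer": issuer, "fingerprint": fingerprint}
    return "renewed"


def fetch_issuer(host: str, port: int = 443) -> tuple:
    """Live lookup: (issuer string, SHA-256 of the DER certificate)."""
    ctx = ssl.create_default_context()            # still verifies against the CA bundle
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return issuer_name(tls.getpeercert()), hashlib.sha256(der).hexdigest()


SAMPLE_CERT = {  # constructed, shaped like ssl.SSLSocket.getpeercert() output
    "subject": ((("commonName", "example.test"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example CA"),),
               (("commonName", "Example CA R1"),)),
}
```

Calling `check_issuer(store, host, *fetch_issuer(host))` on each visit and persisting `store` (for example as JSON) gives the per-site warning the thread notes browsers do not provide.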

