basic auth request

Jon Ribbens jon+usenet at unequivocal.eu
Wed Aug 25 10:35:50 EDT 2021


On 2021-08-25, Chris Angelico <rosuav at gmail.com> wrote:
> On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list
> <python-list at python.org> wrote:
>> There are so many trusted CAs these days that the chances of them all
>> being secure approaches zero - they are not all equal yet they are all
>> equally trusted. Which is why a change of CA on a site you have visited
>> before is potentially suspicious.
>
> Do any popular web browsers notify you if that happens? I've certainly
> never noticed it with any that I use (and I've transitioned several
> sites from one CA to another).

There was, if the site was using "HTTP Public Key Pinning". But
that appears to have now been removed in favour of "Certificate
Transparency", which to me seems to be a system very much based
on the "problem: horse gone; solution: shut stable door" principle.

Another attempt at combatting this problem is DNS CAA records,
which are a way of politely asking all CAs in the world except the
ones you choose "please don't issue a certificate for my domain".
By definition someone who had hacked a CA would pay no attention
to that request, of course.

> I've come to the conclusion that most security threats don't bother
> most people, and that security *warnings* bother nearly everyone, so
> real authentication of servers doesn't really matter all that much.
> *Encryption* does still have value, but you'd get that with a
> self-signed cert too.

Encryption without knowing who you're encrypting *to* is worthless;
it's pretty much functionally equivalent to not encrypting.
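To make the CAA point above concrete, here is an added example (not part of the original post) that evaluates a domain's CAA policy the way RFC 8659 tells a well-behaved CA to: climb from the requested name towards the root to find the relevant record set, honour `issue`/`issuewild`, refuse on unknown critical properties, and treat an empty issuer (`;`) as "nobody". The zone contents are constructed for illustration rather than looked up in DNS, and the function names are my own.

```python
from typing import Dict, List, Optional, Tuple

# (flags, tag, value) triples; flag bit 128 marks a property as "critical".
CaaRecord = Tuple[int, str, str]

# Constructed zone data for the example; a real check would query DNS.
ZONE: Dict[str, List[CaaRecord]] = {
    "example.com": [(0, "issue", "letsencrypt.org"),
                    (0, "iodef", "mailto:security@example.com")],
    "api.example.com": [(0, "issue", ";")],               # ';' forbids every CA
    "wild.example.com": [(0, "issuewild", "digicert.com")],
    "strict.example.com": [(128, "futuretag", "x"),       # critical, unknown tag
                           (0, "issue", "letsencrypt.org")],
}

KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def relevant_caa(name: str, zone: Dict[str, List[CaaRecord]]
                 ) -> Tuple[Optional[str], List[CaaRecord]]:
    """RFC 8659 s.3: walk from the FQDN towards the root; return the first CAA RRset found."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        if zone.get(owner):
            return owner, zone[owner]
    return None, []


def issuer_domain(value: str) -> str:
    """Strip parameters: 'ca.example; validationmethods=dns-01' -> 'ca.example'; ';' -> ''."""
    return value.split(";", 1)[0].strip().lower()


def issuance_allowed(name: str, ca: str, wildcard: bool = False,
                     zone: Dict[str, List[CaaRecord]] = ZONE) -> bool:
    """Decide whether a CA that honours CAA may issue for `name` (a hacked CA just ignores this)."""
    owner, records = relevant_caa(name, zone)
    if owner is None:
        return True  # no CAA anywhere up the tree: issuance is unrestricted
    # An unrecognised property with the critical flag set means the CA must refuse.
    if any(flags & 128 and tag.lower() not in KNOWN_TAGS for flags, tag, _ in records):
        return False

    def issuers_for(wanted: str) -> List[str]:
        return [issuer_domain(v) for _, tag, v in records if tag.lower() == wanted]

    allowed = issuers_for("issuewild") if wildcard else []
    if not allowed:
        allowed = issuers_for("issue")  # issuewild absent, or a non-wildcard request
    if not allowed:
        return True  # no issue/issuewild property: CAA does not restrict this request
    return ca.lower() in allowed
```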
