Path: csiph.com!x330-a1.tempe.blueboxinc.net!newsfeed.hal-mli.net!feeder1.hal-mli.net!news.glorb.com!news-out.octanews.net!indigo.octanews.net!auth.beige.octanews.com.POSTED!not-for-mail
From: Paul Rubin
Newsgroups: comp.lang.python
Subject: Re: Strategy to Verify Python Program is POST'ing to a web server.
References: <4dfde576$0$30002$c3e8da3$5496439d@news.astraweb.com>
Date: Sun, 19 Jun 2011 05:18:53 -0700
Message-ID: <7xtybmc8uq.fsf@ruckus.brouhaha.com>
Organization: Nightsong/Fort GNOX
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Cancel-Lock: sha1:Z9yDtA4WWpKyoWd/Rrv/lqjzEDU=
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Lines: 11
NNTP-Posting-Date: 19 Jun 2011 07:18:53 CDT
X-Complaints-To: abuse@octanews.net
Xref: x330-a1.tempe.blueboxinc.net comp.lang.python:7950

Steven D'Aprano writes:

>> Supply the client with tamper-proof hardware containing a private key.
>
> Is that resistant to man-in-the-middle attacks by somebody with a packet
> sniffer watching the traffic between the device and the website?

Sure, why not?  As long as the crypto is done properly, that is.  But,
there is also the matter of securing the path from the data to the
hardware.  I don't have the impression that the OP has really thought
this through.