From: Ben Finney
Newsgroups: comp.lang.python
Subject: Re: Ah Python, you have spoiled me for all other languages
Date: Sat, 23 May 2015 14:20:57 +1000

Ian Kelly writes:

> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie wrote:
> > On 05/22/2015 07:54 PM, Terry Reedy wrote:
> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
> >>
> >>> Lo these many years ago, I argued that Python is a whole lot more than
> >>> a programming language:
> >>>
> >>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
> >>
> >> Perhaps something at tundraware needs updating.
> >> '''
> >> This Connection is Untrusted
> >>
> >> You have asked Firefox to connect securely to www.tundraware.com, but we
> >> can't confirm that your connection is secure.
> >> […]
> Without some prior reason to trust the certificate, the certificate is
> meaningless. How is the browser to distinguish between a legitimate
> self-signed cert and a self-signed cert presented by an attacker
> conducting a man-in-the-middle attack?

Any unencrypted HTTP (“http://…”) connection has the same problem. Yet
the same browsers don't present a big scary warning for those?

The flaw in the browser is that it doesn't complain when an unencrypted
HTTP connection is established, but only complains when an *encrypted*
connection is made to a site with a self-signed certificate.

> There is still some value in TLS with a self-signed certificate in
> that at least the connection is encrypted and can't be eavesdropped by
> an attacker who can only read the channel, but there is no assurance
> that the party you're communicating with actually owns the public key
> that you've been presented.

Right. By that logic, let's advocate for browsers to present a big
intrusive warning for every HTTP connection that has no SSL layer or
certificate.

I will agree that a self-signed certificate presents the problem of how
to verify the certificate automatically. Where I disagree is that this
is somehow less secure than a completely *unencrypted* HTTP connection.
No, the opposite is true.

-- 
 \     “DRM doesn't inconvenience [lawbreakers] — indeed, over time it |
  `\     trains law-abiding users to become [lawbreakers] out of sheer |
_o__)          frustration.” —Charles Stross, 2010-05-09               |
Ben Finney
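
The "prior reason to trust the certificate" discussed in this post, shown as an added example that is not part of the original message or thread: trust-on-first-use pinning of a self-signed certificate's fingerprint. The helper names, the host `www.example.org` and the certificate bytes are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(pins: dict, host: str, der_cert: bytes) -> str:
    """Trust-on-first-use decision for one connection.

    Returns "first-use" (pin recorded, nothing verified yet), "match"
    (same certificate as before) or "mismatch" (certificate changed:
    either a key rotation or an active man-in-the-middle).
    """
    seen = fingerprint(der_cert)
    known = pins.get(host)
    if known is None:
        pins[host] = seen
        return "first-use"
    return "match" if hmac.compare_digest(known, seen) else "mismatch"


def fetch_der_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the server's leaf certificate without CA validation.

    Validation is switched off on purpose: a self-signed certificate has
    no CA chain, so the only check left is the pin comparison above.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed stand-ins for DER certificate bytes (not real certificates).
SERVER_CERT = b"constructed-self-signed-cert-of-the-real-server"
ATTACKER_CERT = b"constructed-self-signed-cert-of-an-interceptor"

if __name__ == "__main__":
    pins = {}
    for cert in (SERVER_CERT, SERVER_CERT, ATTACKER_CERT):
        print(check_pin(pins, "www.example.org", cert))
```

The first connection is still unauthenticated; the pin only detects a certificate that changes afterwards, which is the assurance plain HTTP never offers.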