From: Ian Kelly
Date: Fri, 22 May 2015 22:29:52 -0600
Subject: Re: Ah Python, you have spoiled me for all other languages
To: Python <python-list@python.org>
Newsgroups: comp.lang.python
In-Reply-To: <85382nylee.fsf@benfinney.id.au>
References: <555f440a$0$12990$c3e8da3$5496439d@news.astraweb.com> <555FA253.3020304@tundraware.com> <555FF482.8020007@gmail.com> <85382nylee.fsf@benfinney.id.au>

On Fri, May 22, 2015 at 10:20 PM, Ben Finney wrote:
> Ian Kelly writes:
>
>> On Fri, May 22, 2015 at 9:31 PM, Michael Torrie wrote:
>> > On 05/22/2015 07:54 PM, Terry Reedy wrote:
>> >> On 5/22/2015 5:40 PM, Tim Daneliuk wrote:
>> >>
>> >>> Lo these many years ago, I argued that Python is a whole lot more than
>> >>> a programming language:
>> >>>
>> >>> https://www.tundraware.com/TechnicalNotes/Python-Is-Middleware/
>> >>
>> >> Perhaps something at tundraware needs updating.
>> >> '''
>> >> This Connection is Untrusted
>> >>
>> >> You have asked Firefox to connect securely to www.tundraware.com, but we
>> >> can't confirm that your connection is secure.
>> >> […]
>
>> Without some prior reason to trust the certificate, the certificate is
>> meaningless. How is the browser to distinguish between a legitimate
>> self-signed cert and a self-signed cert presented by an attacker
>> conducting a man-in-the-middle attack?
>
> Any unencrypted HTTP ("http://…") connection has the same problem. Yet
> the same browsers don't present a big scary warning for those?
>
> The flaw in the browser is that it doesn't complain when an unencrypted
> HTTP connection is established, but only complains when an *encrypted*
> connection is made to a site with a self-signed certificate.
>
>> There is still some value in TLS with a self-signed certificate in
>> that at least the connection is encrypted and can't be eavesdropped by
>> an attacker who can only read the channel, but there is no assurance
>> that the party you're communicating with actually owns the public key
>> that you've been presented.
>
> Right. By that logic, let's advocate for browsers to present a big
> intrusive warning for every HTTP connection that has no SSL layer or
> certificate.
>
> I will agree that a self-signed certificate presents the problem of how
> to verify the certificate automatically.
>
> Where I disagree is that this is somehow less secure than a completely
> *unencrypted* HTTP connection. No, the opposite is true.

I don't disagree with you. There *should* be scary warnings for plain
HTTP connections (although there is a counter-argument that many sites
don't need any encryption and HTTPS would just be wasteful in those
cases). The fact that browsers don't yet provide those warnings doesn't
change anything that I wrote above.
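Added example, not part of the thread above and not anyone's posted code: the three positions in the exchange (a browser-like client that trusts only the system CA store, a client that was given the self-signed certificate out of band and pins it as its trust anchor, and a client with verification switched off, which gets encryption but no idea who it is talking to) reproduced with Python's ssl module against a local TLS server. It assumes the openssl command line (1.1.1 or newer, for -addext) is available to generate a throwaway self-signed certificate for "localhost"; the certificate is constructed test data and the function names are mine.

```python
"""Self-signed certificates: encrypted is not the same as authenticated.

Runs a TLS server on 127.0.0.1 with a freshly generated self-signed cert and
connects three clients that differ only in what they are willing to trust.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "localhost"  # the name the client expects to find in the certificate


def make_self_signed_cert(directory):
    """Generate a throwaway self-signed cert/key for HOST (constructed test data).

    Assumes an `openssl` binary new enough for -addext (OpenSSL 1.1.1+).
    """
    cert = os.path.join(directory, "cert.pem")
    key = os.path.join(directory, "key.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={HOST}", "-addext", f"subjectAltName=DNS:{HOST}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def start_server(cert, key, connections):
    """Serve `connections` TLS handshakes in a background thread; return the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()

    def serve():
        for _ in range(connections):
            raw, _addr = listener.accept()
            try:
                # wrap_socket performs the handshake; it raises when the client
                # refuses our certificate, which is exactly what client 1 does.
                with ctx.wrap_socket(raw, server_side=True) as tls:
                    tls.sendall(b"hello from the server\n")
            except OSError:
                pass  # ssl.SSLError is an OSError; the client rejected us
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1]


def connect(port, ctx):
    """One client connection: ('ok', first line) or ('rejected', reason)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=HOST) as tls:
                return ("ok", tls.recv(64).decode().strip())
    except ssl.SSLCertVerificationError as exc:
        return ("rejected", exc.reason)


def demo():
    """Connect three differently configured clients; return their outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        port = start_server(cert, key, connections=3)

        # 1. Browser-like default: only the platform CA store is trusted, so a
        #    self-signed certificate is indistinguishable from an attacker's.
        default_ctx = ssl.create_default_context()

        # 2. Pinned trust anchor: the operator handed us this exact certificate
        #    out of band, which is the "prior reason to trust it" the thread asks for.
        pinned_ctx = ssl.create_default_context(cafile=cert)

        # 3. Verification disabled: the channel is encrypted, but against whoever
        #    answered the socket. Never do this outside a demonstration.
        blind_ctx = ssl.create_default_context()
        blind_ctx.check_hostname = False
        blind_ctx.verify_mode = ssl.CERT_NONE

        return {
            "default": connect(port, default_ctx),
            "pinned": connect(port, pinned_ctx),
            "unverified": connect(port, blind_ctx),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

The "pinned" client is the only one that gets both properties the thread distinguishes: confidentiality on the wire and assurance that the peer holds the key it presented. The "unverified" client shows what a browser that silently accepted self-signed certificates would be doing: the handshake succeeds identically whether the certificate came from tundraware.com or from a man in the middle.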