From: Chris Angelico
Newsgroups: comp.lang.python
Subject: Re: Ah Python, you have spoiled me for all other languages
Date: Sat, 23 May 2015 14:55:43 +1000

On Sat, May 23, 2015 at 2:49 PM, Ian Kelly wrote:
>> The same can be said of CA-signed certificates. The only way to know if
>> the site is who they say they are is to know what the cert's fingerprint
>> ought to be and see if it still is. I used to use a Firefox plugin for
>> this purpose, but certs for some major sites like even www.google.com
>> change with such frequency that the utility of the plugin went away.
>
> So instead of trusting a CA, you have to trust the maintainers of the
> plugin. How is that any different?

It brings it local. If you're able to see the source code for the
plugin, you could check exactly how it does its verification (and by
the sound of it, it'd be pretty simple: just look up the cert, see if
it's different, if so, big noisy warning). Or, of course, you could do
the check yourself: click on the padlock, look at fingerprint, compare
against previously-noted fingerprint. That'd at least prove that your
plugin is checking properly.

But it still doesn't solve the fundamental problem of knowing when you
have the right site to start with.

ChrisA
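
The check described in the message above (look up the cert, compare against the previously noted fingerprint, warn loudly if it differs), written out as an added example; it is not code from the thread or from the plugin mentioned. The names `fingerprint`, `fetch_der`, `check`, the `pins.json` store and the host `site.example` are assumptions made for illustration.

```python
import hashlib
import json
import ssl
import tempfile
from pathlib import Path


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, colon-separated like a browser shows it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_der(host: str, port: int = 443) -> bytes:
    """Fetch the server's leaf certificate. No CA validation happens here:
    the noted fingerprint is the only thing being checked."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check(host: str, der: bytes, store: Path) -> str:
    """Return 'first-seen', 'match' or 'CHANGED' for this host's certificate."""
    pins = json.loads(store.read_text()) if store.exists() else {}
    seen = fingerprint(der)
    known = pins.get(host)
    if known is None:
        # Nothing to compare against: record it, but this proves nothing
        # about whether it is the right site.
        pins[host] = seen
        store.write_text(json.dumps(pins, indent=2))
        return "first-seen"
    # On a mismatch the old pin is kept, so the warning repeats until a
    # person decides whether the change was a legitimate rotation.
    return "match" if seen == known else "CHANGED"


if __name__ == "__main__":
    # Constructed byte strings stand in for two DER certificates so the
    # demo runs offline; use fetch_der(host) for a live server.
    store = Path(tempfile.mkdtemp()) / "pins.json"
    old_cert, new_cert = b"constructed-cert-1", b"constructed-cert-2"
    for der in (old_cert, old_cert, new_cert):
        result = check("site.example", der, store)
        print(result, fingerprint(der)[:23] + "...")
        if result == "CHANGED":
            print("!!! WARNING: certificate differs from the noted fingerprint")
```

The `first-seen` result is the case the last paragraph of the message is about: the first fingerprint is simply recorded, with nothing to verify it against.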