From: Ian Kelly
Date: Sun, 24 May 2015 01:22:23 -0600
Subject: Re: Ah Python, you have spoiled me for all other languages
To: python-list@python.org
Newsgroups: comp.lang.python

On Sat, May 23, 2015 at 8:57 PM, Michael Torrie wrote:
> On 05/23/2015 05:40 AM, Chris Angelico wrote:
>> On Sat, May 23, 2015 at 9:34 PM, Tim Chase wrote:
>>> A self-signed certificate may be of minimal worth the *first* time you
>>> visit a site, but if you return to the site, that initial
>>> certificate's signature can be used to confirm that you're talking to
>>> the same site you talked to previously. This is particularly
>>> valuable on a laptop where you make initial contact over a (I
>>> hesitate to say "more secure") less hostile connection through your
>>> home ISP. Then, when you're out at the library, coffee-shop, or some
>>> hacker convention on their wifi, it's possible to determine whether
>>> you're securely connecting to the *same* site, or whether an attempt
>>> is being made to MitM because the cert changed.
>>
>> You can get the exact same benefit (knowing when the cert changes)
>> with an externally-signed cert too. How many people actually bother to
>> check?
>
> Except that you won't be notified automatically. A MitM attack nowadays
> most often uses a valid certificate signed by a recognized (though
> untrustworthy) CA. Thus with a self-signed cert that you've previously
> accepted, you'll immediately know of the MitM attack.

I fail to see how this is the case. If a new certificate is suddenly
provided, why should the status of the *previous* certificate have
anything to do with whether the browser automatically notifies you? A
change from a self-signed certificate to a CA certificate likely just
means that the site has upgraded its certificate, not that a MitM
attack is underway.
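The trust-on-first-use check the thread is arguing about, written out as an added example (not code from the thread or from any of its participants): a pin store keyed on the SHA-256 of the DER-encoded leaf certificate reports a change whether the previously pinned certificate was self-signed or CA-signed, and it does not replace the pin on its own, so a legitimate rotation and an interception look identical until someone confirms which it was. The DER byte strings in the demo are constructed placeholders; in real use they come from `ssl.SSLSocket.getpeercert(binary_form=True)`.

```python
import hashlib
import json
from pathlib import Path

# TOFU pin store: "host:port" -> hex SHA-256 of the DER-encoded leaf cert
# that was last accepted for that endpoint. The hash covers the whole
# certificate, so it is independent of who signed it (self-signed or CA).


def fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER encoding of the certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(store: dict, endpoint: str, der_cert: bytes) -> str:
    """Compare the presented certificate with the pin recorded for endpoint.

    Returns "first-use" (no pin yet; the pin is recorded now),
    "match" (same certificate as before) or "changed" (different
    certificate). On "changed" the pin is deliberately NOT updated:
    the caller has to decide whether this is a rotation or a MitM.
    """
    fp = fingerprint(der_cert)
    pinned = store.get(endpoint)
    if pinned is None:
        store[endpoint] = fp
        return "first-use"
    return "match" if pinned == fp else "changed"


def accept_new_pin(store: dict, endpoint: str, der_cert: bytes) -> None:
    """Explicitly replace the pin after the change was confirmed out of band."""
    store[endpoint] = fingerprint(der_cert)


def load_store(path: Path) -> dict:
    """Read the pin store from disk; an absent file means no pins yet."""
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(path: Path, store: dict) -> None:
    """Persist the pin store as JSON."""
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    # Constructed stand-ins for DER certificates (not real certificates).
    SELF_SIGNED_V1 = b"constructed DER: self-signed cert, version 1"
    CA_SIGNED_V2 = b"constructed DER: CA-signed cert, version 2"
    store = {}
    print(check_pin(store, "example.test:443", SELF_SIGNED_V1))  # first-use
    print(check_pin(store, "example.test:443", SELF_SIGNED_V1))  # match
    print(check_pin(store, "example.test:443", CA_SIGNED_V2))    # changed
```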