On 23.05.2015 13:21, Tim Daneliuk wrote:

> Trust has context. You're going to that site to read an article. This
> is rather different than, say, going somewhere to transact commerce or
> move money.

Sure, for your site it doesn't really make a difference. And, as I said before, having a self-signed CA certificate doing https is still WAY better than not having it. Especially if you have PFS-only ciphersuites configured (I didn't check, but you should if you're unsure). Because this effectively means that you're protected against passive eavesdropping, no matter what.

> So, there is increasing thought that we should all just
> run https everywhere all the time. But then we run into the signing problem.
> I am hoping that we will soon see free or inexpensive CAs to make that
> problem go away. See:

Running TLS everywhere is an awesome idea and I'm all for it. So good that you've already made the switch :-)

But I don't think inexpensive CAs would make the signing problem go away. I think the major flaw of the X.509 certificate PKI we have today is that there's no namespacing whatsoever. This is a major problem, as the Government of Untrustworthia may give out certificates for google.de if they wish to do so.

In my opinion, it would be great to have a suffix option in X.509 (maybe there's even an extension for this already and I'm not aware - regardless, nobody is using it if there is such a thing). For example, there'd be root certificates in the certificate store:

CA1: PF=.com
  signs -> CA2: PF=.google.com
CA3: PF=.de

So CA1 could give out certificates for

  foo.com
  www.google.com

And CA2 could give out certificates for

  www.google.com

And CA3 could give out certificates for

  google.de

But CA1 could never sign any .de domain webserver certificate. It would only ever get more restrictive down the chain.

Sounds like it's trivial to implement, I wonder why it's not in place. It must have some huge drawback that I can't think of right now.

Cheers,
Johannes

-- 
>> Where exactly had you predicted the quake again?
> At least not publicly!
Ah, the latest and, to this day, most ingenious feat of our great cosmologist: the secret prediction.
 - Karl Kaos about Rüdiger Thomas in dsa <hidbv3$om2$1...@speranza.aioe.org>
-- 
https://mail.python.org/mailman/listinfo/python-list
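The suffix restriction Johannes sketches above does exist in X.509: it is the Name Constraints extension (RFC 5280, section 4.2.1.10), which lets a CA certificate carry permitted and excluded subtrees (DNS names, e-mail domains, IP ranges, directory names) that every certificate below it must satisfy, and which can only narrow further down the chain. OpenSSL enforces it during path validation, and the CA/Browser Forum Baseline Requirements use it to define "technically constrained" subordinate CAs. What it does not do is constrain the public root CAs themselves, which is the actual gap the post complains about. The script below is an added example, not code from the original post; it builds the post's CA1 (.com), CA2 (.google.com, issued by CA1) and CA3 (.de) with the openssl command-line tool (assumed to be installed, 1.1.1 or newer), issues leaves both inside and outside each permitted subtree, and shows which chains `openssl verify` accepts. All CA names, hostnames and file names are made up for the demonstration; the leading-dot suffix form (`.com`) is OpenSSL's notation for "at least one more label below com".

```shell
#!/bin/sh
# Added example (not from the original post): the X.509 Name Constraints
# extension as the "PF=suffix" scheme described in the thread.
# Assumes: openssl CLI on PATH. CA names, hostnames and files are invented.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on a system openssl.cnf;
# the CN here is a placeholder that -subj overrides on every call.
cat > req.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
EOF

# Fresh RSA key pair plus CSR for the given subject CN.
make_csr() { # $1 = file prefix, $2 = CN
  openssl req -new -config req.cnf -newkey rsa:2048 -nodes -sha256 \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" >/dev/null 2>&1
}

# Extensions for a CA that may only issue names under one DNS suffix.
ca_exts() { # $1 = permitted DNS suffix, e.g. .com
  printf 'basicConstraints=critical,CA:TRUE\n'
  printf 'keyUsage=critical,keyCertSign,cRLSign\n'
  printf 'nameConstraints=critical,permitted;DNS:%s\n' "$1"
}

# Sign $2.csr with issuer $1, applying the extensions in $2.ext.
sign_with() { # $1 = issuer prefix, $2 = subject prefix
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$2.ext" -out "$2.pem" >/dev/null 2>&1
}

# Self-signed, name-constrained root (what the post calls "CA1: PF=.com").
make_root() { # $1 = prefix, $2 = CN, $3 = permitted DNS suffix
  make_csr "$1" "$2"
  ca_exts "$3" > "$1.ext"
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 -sha256 \
    -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
}

# Intermediate CA issued by $3 with its own, narrower, constraint.
make_sub_ca() { # $1 = prefix, $2 = CN, $3 = issuer prefix, $4 = suffix
  make_csr "$1" "$2"
  ca_exts "$4" > "$1.ext"
  sign_with "$3" "$1"
}

# Server certificate for one hostname. Note that the issuer happily signs
# anything; the constraint is enforced by the *verifier*, not the signer.
make_leaf() { # $1 = prefix, $2 = hostname, $3 = issuer prefix
  make_csr "$1" "$2"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$1.ext"
  sign_with "$3" "$1"
}

# Exit 0 only if the leaf chains to the trusted root AND every DNS name in
# it satisfies the name constraints of every CA above it in the chain.
verify_chain() { # $1 = trusted root prefix, $2 = leaf prefix, [$3 = intermediate]
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1.pem" -untrusted "$3.pem" "$2.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
  fi
}

report() { # $1 = label, remaining args = verify_chain arguments
  label=$1; shift
  if verify_chain "$@"; then echo "ACCEPTED  $label"; else echo "REJECTED  $label"; fi
}

# Trust store from the post: CA1 limited to .com, CA3 limited to .de,
# and CA2 issued by CA1 but narrowed to .google.com.
make_root   ca1 "CA1 (.com only)" .com
make_root   ca3 "CA3 (.de only)"  .de
make_sub_ca ca2 "CA2 (.google.com only)" ca1 .google.com

make_leaf com_by_ca1  www.google.com ca1   # inside CA1's subtree
make_leaf de_by_ca1   google.de      ca1   # Untrustworthia's CA1 signs a .de name
make_leaf de_by_ca3   google.de      ca3   # the issuer that is allowed to
make_leaf goog_by_ca2 www.google.com ca2   # inside CA2's narrower subtree
make_leaf foo_by_ca2  foo.com        ca2   # fine for CA1, forbidden for CA2

report "www.google.com signed by CA1"          ca1 com_by_ca1
report "google.de signed by CA1 (.com only)"   ca1 de_by_ca1
report "google.de signed by CA3"               ca3 de_by_ca3
report "www.google.com via CA1 -> CA2"         ca1 goog_by_ca2 ca2
report "foo.com via CA1 -> CA2 (.google.com)"  ca1 foo_by_ca2 ca2
```

The two REJECTED lines are the point: CA1's signature on google.de is cryptographically valid, yet `openssl verify` fails the chain with a permitted-subtree violation because the name falls outside the constraint carried in CA1's own certificate, and foo.com fails under CA2 even though CA1 would have allowed it, which is the "only ever more restrictive down the chain" property. The practical caveat is that this only protects you against CAs whose certificates carry the extension; a root in your trust store with no nameConstraints is still allowed to sign any name, which is why constraining intermediates (as the Baseline Requirements permit) helps a CA limit its own exposure but does not, by itself, stop a rogue or coerced root.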