On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list <python-list@python.org> wrote:
>
> On 2021-08-25, Chris Angelico <ros...@gmail.com> wrote:
> > On Wed, Aug 25, 2021 at 5:20 PM Barry Scott <ba...@barrys-emacs.org> wrote:
> >> Only if this threat model matters to you or your organisation.
> >> Personally it's low down on the threats I watch out for.
> >>
> >> The on-line world and the real-world are the same here.
> >>
> >> If a business changes hands then do you trust the new owners?
> >>
> >> Nothing we do with PKI certificates will answer that question.
> >
> > Fair enough; but a closer parallel would be walking up to a
> > previously-familiar street vendor and seeing a different person there.
> > Did the business change hands, or did some random dude hop over the
> > counter and pretend to be a new owner?
> >
> > But you're right, it's not usually a particularly high risk threat.
> > Still, it does further weaken the value of named SSL certificates and
> > certificate authorities; there's not actually that much difference if
> > the server just gave you a self-signed cert. In theory, the CA is
> > supposed to protect you against someone doing a DNS hack and
> > substituting a different server; in practice, anyone capable of doing
> > a large-scale DNS hack is probably capable of getting a very
> > legit-looking SSL cert for the name as well.
>
> There are so many trusted CAs these days that the chances of them all
> being secure approaches zero - they are not all equal yet they are all
> equally trusted. Which is why a change of CA on a site you have visited
> before is potentially suspicious.
Do any popular web browsers notify you if that happens? I've certainly
never noticed it with any that I use (and I've transitioned several
sites from one CA to another).

I've come to the conclusion that most security threats don't bother
most people, and that security *warnings* bother nearly everyone, so
real authentication of servers doesn't really matter all that much.
*Encryption* does still have value, but you'd get that with a
self-signed cert too.

ChrisA
-- 
https://mail.python.org/mailman/listinfo/python-list
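The check Jon describes (a site's certificate suddenly issued by a different CA than on earlier visits) and that Chris notes browsers do not surface can be scripted with the standard library. The following is an added example, not code from anyone in the thread; the store file name is a constructed default and the issuer is reduced to its O and CN fields for a stable comparison.

```python
"""Trust-on-first-use tracker for the CA that issued a site's certificate.
Flags a different issuer than the one seen on an earlier connection, the
check the thread notes browsers do not perform."""
import json
import socket
import ssl
from pathlib import Path

STORE = Path("issuer_store.json")  # constructed default location


def issuer_string(cert: dict) -> str:
    """Flatten getpeercert()'s issuer (tuple of RDN tuples) to 'O=...,CN=...'."""
    parts = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return f"O={parts.get('organizationName', '?')},CN={parts.get('commonName', '?')}"


def fetch_issuer(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Open a verified TLS connection and return the leaf cert's issuer."""
    ctx = ssl.create_default_context()  # chain + hostname verification stay on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_string(tls.getpeercert())


def check_issuer(host: str, issuer: str, store: dict) -> str:
    """Return 'first-seen' (recording the issuer), 'unchanged' or 'CHANGED'.
    On a change the old value is kept so the warning persists until the
    operator deliberately accepts the new CA."""
    previous = store.get(host)
    if previous is None:
        store[host] = issuer
        return "first-seen"
    return "unchanged" if previous == issuer else "CHANGED"


def load_store(path: Path = STORE) -> dict:
    return json.loads(path.read_text()) if path.exists() else {}


def save_store(store: dict, path: Path = STORE) -> None:
    path.write_text(json.dumps(store, indent=2, sort_keys=True))


if __name__ == "__main__":
    import sys
    store = load_store()
    for host in sys.argv[1:]:
        print(f"{host}: {check_issuer(host, fetch_issuer(host), store)}")
    save_store(store)
```

A legitimate CA migration (like the ones Chris mentions doing) also trips it, so a CHANGED result is a prompt to look, not proof of interception.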