On 2021-08-25, Chris Angelico <ros...@gmail.com> wrote:
> On Thu, Aug 26, 2021 at 12:16 AM Jon Ribbens via Python-list
> <python-list@python.org> wrote:
>> There are so many trusted CAs these days that the chances of them all
>> being secure approaches zero - they are not all equal yet they are all
>> equally trusted. Which is why a change of CA on a site you have visited
>> before is potentially suspicious.
>
> Do any popular web browsers notify you if that happens? I've certainly
> never noticed it with any that I use (and I've transitioned several
> sites from one CA to another).
There was, if the site was using "HTTP Public Key Pinning". But that
appears to have now been removed in favour of "Certificate Transparency",
which to me seems to be a system very much based on the "problem: horse
gone; solution: shut stable door" principle.

Another attempt at combatting this problem is DNS CAA records, which are a
way of politely asking all CAs in the world except the ones you choose
"please don't issue a certificate for my domain". By definition someone
who had hacked a CA would pay no attention to that request, of course.

> I've come to the conclusion that most security threats don't bother
> most people, and that security *warnings* bother nearly everyone, so
> real authentication of servers doesn't really matter all that much.
> *Encryption* does still have value, but you'd get that with a
> self-signed cert too.

Encryption without knowing who you're encrypting *to* is worthless; it's
pretty much functionally equivalent to not encrypting.

-- 
https://mail.python.org/mailman/listinfo/python-list
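The CAA mechanism discussed above, as an added example that is not part of the thread: an offline evaluation of constructed CAA records following RFC 8659's tree-climbing, issue/issuewild and "issuer critical" rules. The zone contents, domain names and CA names are placeholders, and the check is the one a CAA-honouring CA performs before issuing; a CA that ignores CAA simply skips it.

```python
# Added example: offline CAA evaluation in the style of RFC 8659 (tree climbing,
# issue vs issuewild, "issuer critical" flag). Zone data and CA names are constructed.
from dataclasses import dataclass

KNOWN_TAGS = {"issue", "issuewild", "iodef"}

@dataclass(frozen=True)
class CAA:
    flags: int   # bit 7 (value 128) is the "issuer critical" flag
    tag: str     # "issue", "issuewild", "iodef", or a future property tag
    value: str   # issuer domain (";" = nobody), optionally followed by parameters

# Constructed zone: apex allows one CA, one subtree forbids issuance entirely,
# one name splits wildcard/non-wildcard issuers, one has an unknown critical tag.
ZONE = {
    "example.org": [CAA(0, "issue", "ca-a.example"),
                    CAA(0, "iodef", "mailto:security@example.org")],
    "locked.example.org": [CAA(0, "issue", ";")],
    "wild.example.org": [CAA(0, "issue", "ca-a.example"),
                         CAA(0, "issuewild", "ca-b.example; validationmethods=dns-01")],
    "crit.example.org": [CAA(128, "futuretag", "x")],
}

def relevant_records(name, zone):
    """Climb from `name` toward the root; the first CAA RRset found governs."""
    labels = (name[2:] if name.startswith("*.") else name).split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def issuer_domain(value):
    """Strip CAA parameters ("ca.example; key=val") down to the issuer domain."""
    return value.split(";", 1)[0].strip().lower()

def may_issue(name, ca, zone=ZONE):
    """Would a CAA-honouring CA `ca` be permitted to issue for `name`?"""
    rrset = relevant_records(name, zone)
    if not rrset:
        return True   # no CAA records anywhere up the tree: anyone may issue
    if any(r.flags & 128 and r.tag not in KNOWN_TAGS for r in rrset):
        return False  # unknown property flagged critical: must refuse
    wildcard = name.startswith("*.")
    tags = [r for r in rrset if r.tag == "issuewild"] if wildcard else []
    tags = tags or [r for r in rrset if r.tag == "issue"]
    if not tags:
        return True   # only iodef etc. present: no issuance restriction
    # A value of ";" yields an empty issuer domain, which no CA can match.
    return any(issuer_domain(r.value) == ca.lower() for r in tags)
```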