[RFC] Default to urllib http implementation.

Andrew Cowie andrew at operationaldynamics.com
Tue May 19 04:29:49 BST 2009


On Mon, 2009-05-18 at 19:47 -0700, Colin D Bennett wrote:
> I don't understand.  Any SSL connection should prevent man-in-the-middle 
> attacks, right?

No, because

> I would *not* want to turn off the host certificate check; that defeats the 
> point of using a secure connection in the first place.  I would want to 
> instead *trust* the server certificate.

is what prevents the man-in-the-middle attack.

[ie, you had it right]

SSL provides confidentiality between endpoints. You have to go further
to establish the endpoint you are talking to is who you think it is.
That part has ever been the cumbersome part of asymmetric cryptography
and public key infrastructure.

AfC
Sydney
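
The distinction drawn in this message, sketched with Python's standard `ssl` module as an added example; it is not part of the original post or of Bazaar's code. The function names are hypothetical, and `server_cert_pem` is assumed to be a path to the server's certificate in PEM format.

```python
import socket
import ssl


def unverified_context():
    """'Turn off the host certificate check': traffic is still encrypted,
    but the peer is never authenticated, so whoever answers the connection
    (including an interposed host) completes the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def trusting_context(server_cert_pem=None):
    """'Trust the server certificate': verification stays on. For a
    self-signed server, pass its certificate so it becomes the only trust
    anchor; with no argument the system CA store is used."""
    return ssl.create_default_context(cafile=server_cert_pem)


def authenticates_peer(ctx):
    """True only if a handshake fails unless the server presents a chain we
    trust AND the certificate matches the hostname we asked for."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def peer_certificate(host, port, ctx, timeout=5.0):
    """Connect and return the validated peer certificate as a dict.
    With trusting_context() an untrusted or mismatched certificate raises
    ssl.SSLCertVerificationError; with unverified_context() the handshake
    succeeds and this returns {} because nothing was validated."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```
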
