Today’s fun turtle-chasing moment was trying to understand how a Python application validated TLS certificates. The application relies on the certifi package, which is built from the python-certifi GitHub repository. Both of these describe the source of this data as Mozilla, but they actually call an endpoint on the https://mkcert.org service hosted on DigitalOcean, which is built from the Lukasa/mkcert GitHub repository. The mkcert repository uses a Mercurial repository URL hosted by Mozilla. This is fed by Mozilla’s CA inclusion process.
Even ignoring the Mozilla CA process, the number of people and companies involved in bringing a static PEM file into your Python application is mind-boggling.
#python #infosec #tls
The unintentional irony of the mkcert.org landing page is 😘
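An added example, not part of the original post or of certifi's or mkcert's own code: a way to inspect the PEM bundle at the end of that chain by recomputing each certificate's SHA-256 and comparing it with the fingerprint comment above it. It assumes the bundle carries `# Label:` and `# SHA256 Fingerprint:` comment lines before each certificate; the sample entries are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import re

# Assumed layout: "# Key: value" comment lines directly above each PEM block.
ENTRY_RE = re.compile(
    r"((?:^#[^\n]*\n)*)-----BEGIN CERTIFICATE-----\n(.*?)-----END CERTIFICATE-----",
    re.S | re.M,
)

def colon_hex(digest):
    return ":".join(f"{b:02x}" for b in digest)

def audit_bundle(pem_text):
    """Recompute each certificate's SHA-256 and compare it to the header comment."""
    results = []
    for header, body in ENTRY_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        actual = colon_hex(hashlib.sha256(der).digest())
        label = re.search(r'^# Label: "(.*)"$', header, re.M)
        declared = re.search(r"^# SHA256 Fingerprint: (\S+)$", header, re.M)
        results.append({
            "label": label.group(1) if label else None,
            "sha256": actual,
            "match": declared is not None and declared.group(1).lower() == actual,
        })
    return results

def _constructed_entry(label, der, declared=None):
    fp = declared or colon_hex(hashlib.sha256(der).digest())
    b64 = base64.encodebytes(der).decode()
    return (f'\n# Label: "{label}"\n# SHA256 Fingerprint: {fp}\n'
            f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n")

# Constructed sample: placeholder bytes stand in for DER; entry B has a wrong comment.
SAMPLE_BUNDLE = (_constructed_entry("Constructed Root A", b"placeholder-A")
                 + _constructed_entry("Constructed Root B", b"placeholder-B",
                                      declared=":".join(["00"] * 32)))

if __name__ == "__main__":
    try:
        import certifi  # audit the real bundle when the package is installed
        with open(certifi.where(), encoding="utf-8") as fh:
            text = fh.read()
    except ImportError:
        text = SAMPLE_BUNDLE
    entries = audit_bundle(text)
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    print(len(entries), "roots; bundle sha256", digest)
    print("mismatched:", [e["label"] for e in entries if not e["match"]])
```

Recording the whole-bundle digest at build time and comparing it at deploy time shows when any hop in the chain has changed the file.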