On Mar 12, 2024, at 1:57 AM, Alessandro Vesely <vesely@tana.it> wrote:
DNSSEC everywhere would make more sense than HTTPS everywhere, which instead won the hype.
I figure enabling DNSSEC validation everywhere and signing what makes sense after doing a cost/benefit trade off would be the rational way to go. As signing technologies get more mature, the cost goes down and even the marginal benefit of signing everything would be justified.
Being sure to connect to the IP designated by the domain is essential, while encrypting every page of sites like, say, wikipedia is just wasting cycles.
As Randy points out, TLS also gives you authentication (as long as you trust the myriad CAs) and with more granularity than the IP address. On wasting cycles, if you only encrypt the sensitive stuff, you give away the fact that you’re communicating sensitive stuff when you encrypt. However, I suspect this isn’t particularly in the charter of this mailing list… Regards, -drc Partner/CTO, Layer 9 Technologies (layer9.tech <http://layer9.tech/>)