[jedberg]

And how is this all that much different? In fact I would say it's more secure. DNS can be spoofed pretty easily. This is a cryptographically signed package. If anything, I'd have more faith in this changing my URL than a proxy via DNS.

Just because Google invented it doesn't make it bad.

[lol768]

> In fact I would say it's more secure. DNS can be spoofed pretty easily. This is a cryptographically signed package

How is it more secure? If, as you say, DNS can be spoofed easily - I can easily get a certificate issued with the required extension and make a "cryptographically signed package".

[jefftk]

> If, as you say, DNS can be spoofed easily - I can easily get a certificate issued with the required extension and make a "cryptographically signed package".

Spoofing DNS to clients is much easier than spoofing DNS to certificate authorities. Otherwise domain-validated HTTPS certs wouldn't mean much.

[luckylion]

> And how is this all that much different?

It changes the meaning of the address bar from "this is who I'm talking to" to "this is who (at some point in time) signed this content".

[jedberg]

But when there is a CDN there, "who I'm talking to" is really just an intermediary who pretends to be you, and may have in fact modified the content. With this, it is still an intermediary pretending to be you, but at least now the package is signed and can be verified.

[luckylion]

The CDN is you, for all intents and purposes. It's your agent in the back and forth, as much as your hosting provider would be. A third-party cache isn't.

I don't mind that you can sign and verify content, that's fine and useful. I'm just not a fan of changing the address bar's meaning.

[jedberg]

But what I'm saying is that the meaning that you ascribe to the address bar is incorrect -- it already only tells you who published the content, not who you are actually connected to.

What I'm saying is that this does not change the meaning of what's in the URL bar. It's the same as before. It tells you who published the content originally.

[luckylion]

> it already only tells you who published the content

No, it tells you the origin of the document. If you are the creator, and you choose to put your content on server X it will tell you "I've got this from server X". Whether that server is a reverse proxy or a shared webhost or a dedicated server in a DC or a raspberry pi running on your desk doesn't matter - it's the designated original that you, the owner of example.org chose.

That's what it always meant, and it changes when you do a redirect, and it shows you the current URL even if there is a canonical header of http-equiv. I can put a reverse proxy on my host and proxy example.com to example.org - the address bar tells you that you're reading example.com, not example.org, as it should, because you're connected to me, not to example.org.