by ghusto 493 days ago
Kind of related, but a little off-topic: I think tying name checking to encrypting traffic was a mistake. They are two different use cases, and shouldn't have been so tightly coupled.

Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch. Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.

2 comments

Encryption without authentication is not very useful; if unauthenticated, your ISP could middle-man your connection and effectively decrypt everything while making you think you're encrypted.

If that's not in your threat model, and you want encryption for another purpose, then I could understand that, but currently, protecting the endpoints against malicious attackers in the middle is the big value of TLS.

> Sometimes I care only about my traffic being encrypted, and resent having to jump through hoops to ignore the name mismatch.

Why do you care about encryption without authentication? Without TOFU, PKI or a preshared key, what is the value?

> Sometimes I care only about assurances that the name is correct, and don't care about having the traffic encrypted.

So signing?
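
The point the two replies make, as an added example that is not part of the thread: an unauthenticated key exchange still "encrypts", but an on-path party can end up holding the client's key, and a pinned fingerprint (TOFU or preshared) is what lets the client notice. The toy Diffie-Hellman group and the names `exchange`, `fingerprint` and `shared_key` are assumptions made for illustration, and everything runs in-process with no network.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group: 2**127 - 1 is prime but far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_key(priv, peer_pub):
    # Session key derived from the DH shared secret.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    # What a client would remember on first use, or receive out of band.
    return hashlib.sha256(b"fp" + pub.to_bytes(16, "big")).hexdigest()

def exchange(interposed, pin_server_key):
    """Simulate one handshake and report what each party ends up with."""
    c_priv, c_pub = keypair()   # client
    s_priv, s_pub = keypair()   # real server
    m_priv, m_pub = keypair()   # on-path party, only used when interposed
    pin = fingerprint(s_pub) if pin_server_key else None

    # With an interposer, each side sees the interposer's public value instead.
    seen_by_client = m_pub if interposed else s_pub
    seen_by_server = m_pub if interposed else c_pub

    # Authentication step: compare what arrived against the pinned fingerprint.
    if pin is not None and fingerprint(seen_by_client) != pin:
        return {"client_accepts": False}

    client_key = shared_key(c_priv, seen_by_client)
    server_key = shared_key(s_priv, seen_by_server)
    return {
        "client_accepts": True,
        "end_to_end": client_key == server_key,
        "middle_holds_client_key": interposed
        and shared_key(m_priv, c_pub) == client_key,
    }

if __name__ == "__main__":
    for interposed in (False, True):
        for pinned in (False, True):
            print(interposed, pinned, exchange(interposed, pinned))
```

Without the pin, the interposed run completes normally from the client's point of view; the only observable difference is that the key it derived is shared with the party in the middle rather than with the server.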