@mwlucas We need to get DANE adopted, all of these CA SSL workarounds just SUCK.
And with ESNI they're not even bothering to pretend that a DNS lookup per request or putting public key information in DNS is "bad" anymore,
I truly believe this is part of Google leaning on Mozilla.
@mwlucas @22decembre Never thought about it.
But the question is 'why?' they don't love the CA cartel, they've undercut the CAs at every opportunity. Their solutions of certificate pinning, certificate transparency, have been shown to be snakeoil and crap at every turn... What do they get by opposing DANE/DNSSEC... ESPECIALLY as they support a DNS powered ESNI?
@mwlucas @22decembre this reminds me of cloudflare's business model. Everything they do/support (ESNI, DoH, DNS) works better/faster if you are their customer, and slower than before if you are not.