1 comment

[ 0.22 ms ] story [ 11.1 ms ] thread
> Opportunistic encryption, or OE for short, essentially means "try to encrypt it, don't bother if you can't". It also often means "don't bother to check the authenticity of the other endpoint."

I was under the impression OE only has the latter meaning, ie "Encrypt all the time, check authenticity if it's easy otherwise keep it unchecked but _still_ encrypted". The major idea is that checking authenticity is a hard problem so instead of trying to solve all problems at once, we do what we can already reliably do for now, while still acknowledging that the connection isn't technically secure but has good chances to be if you want to protect against passive/poor attackers. That's exactly what "opportunistic" means: in some cases (and some might say most) not checking authenticity can be good enough, so we should go with it _at all times_.

The first meaning is just about using advertised capabilities.