I find myself pondering the whole TLS/PKI mess. I say mess because the "trusted third parties" (always a bad idea imho) are clearly not trustworthy.
My pondering went like this: we need the underlying protocol to be encrypted by default. Something very like Tor hidden services or I2P, where you don't need to worry about it being encrypted or verified because the transport layer does all that by default.
But is there such a thing??
IPsec is geared towards VPNs.
TCPCrypt seems a bit of an experimental hack and probably not well supported by the masses.
OE never seems to have happened and would be unauthenticated at best.
My current compromise is to use TLS with a self-signed cert that I add to devices needing to access things on my server. All well and good for Mumble, XMPP (S2C), SMTP, IMAP, etc.,
but no use at all for my website. I know there's "Let's Encrypt" but to me that seems like throwing effort into a lost cause.
Anyone know of something that would work to up the level of encryption on my webserver from none to more than none without buying into a broken and failing system?