doh

You’re at a coffee shop. You join the free Wi-Fi, type bank.example.com, and start checking your balance. The connection to your bank is locked behind that reassuring little padlock — TLS, encrypted, private. Except the question you asked first wasn’t private at all. Before your browser could open that encrypted tunnel, it had to ask a simple question: “What’s the IP address for bank.example.com?" That question — a DNS lookup — left your laptop unencrypted, in a 40-year-old format (RFC 1035), for anyone on that Wi-Fi (and your ISP, and a few hops in between) to read, log, or quietly change....