The security crowd has been saying “encrypt everything” for years now. And honestly, they’re mostly right. But a funny thing keeps happening: some of the most relied-upon internet tools still don’t bother with encryption at their core. Not because their developers are lazy or stuck in 2005, but because encryption introduces costs that don’t always make sense.
That tension between locking everything down and keeping things fast enough to actually work tells us more about real-world networking than any security whitepaper ever could.
SOCKS5 and the Case for Doing Less
Proxy protocols are a perfect place to see this tradeoff play out. Take SOCKS5. It's been around since 1996 (RFC 1928), it relays basically any TCP connection you throw at it (HTTP, FTP, email, gaming, you name it) and has a UDP mode on top, and it doesn't encrypt anything by default. The base protocol is a handshake plus a relay; the only security it negotiates is client authentication (username/password under RFC 1929, which itself crosses the wire in the clear, or GSSAPI), and outside the rarely deployed GSSAPI method there is no confidentiality at all.
That sounds bad until you think about why. SOCKS5 works as a pass-through. It routes your connection without poking around inside the data or adding extra processing steps. Companies that buy SOCKS5 proxy access tend to pick it for exactly this reason: it gets out of the way and lets the application layer handle security on its own terms.
Here's the thing people miss: when you send an HTTPS request through a SOCKS5 proxy, the payload is already encrypted end to end between your browser and the origin server. The proxy can't read it and doesn't need its own encryption on top. Wrapping an encrypted connection inside another encrypted connection is like putting a safe inside a safe. Sure, you can do it, but why? The honest caveat is that the safe analogy only covers the payload. The SOCKS5 handshake itself, including the destination host and port and any RFC 1929 username and password, travels in plaintext on the hop between you and the proxy, and the proxy sees where you're connecting because that is its job. If that hop crosses a network you don't trust, you tunnel it (ssh -D is exactly SOCKS over SSH), which is the one case where the second safe earns its keep.
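To make the "plaintext handshake, encrypted payload" point concrete, here is an added example (my code, not from the original post) that runs both sides of a SOCKS5 CONNECT with RFC 1929 username/password authentication in memory and then shows what a passive observer on the client-to-proxy hop recovers before the first TLS byte is sent. The credential store and the hostnames are constructed for the example.

```python
import ipaddress
import struct

# RFC 1928 / RFC 1929 constants.
VER = 0x05
NO_AUTH, USER_PASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED = 0x00

# Constructed credential store for the in-memory proxy (assumption, not a real service).
PROXY_USERS = {"alice": "hunter2"}


def build_greeting(methods):
    """Client: VER NMETHODS METHODS."""
    return bytes([VER, len(methods), *methods])


def build_userpass(username, password):
    """Client: RFC 1929 sub-negotiation, VER(0x01) ULEN UNAME PLEN PASSWD. Nothing is encrypted."""
    u, p = username.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p


def parse_userpass(msg):
    """Proxy (or observer): recover (username, password) from the RFC 1929 frame."""
    if len(msg) < 3 or msg[0] != 0x01:
        raise ValueError("not an RFC 1929 auth frame")
    ulen = msg[1]
    if len(msg) < 3 + ulen:
        raise ValueError("truncated auth frame")
    plen = msg[2 + ulen]
    if len(msg) != 3 + ulen + plen:
        raise ValueError("auth frame length mismatch")
    return msg[2:2 + ulen].decode(), msg[3 + ulen:3 + ulen + plen].decode()


def build_connect(host, port):
    """Client: VER CMD RSV ATYP DST.ADDR DST.PORT; hostnames travel as-is."""
    try:
        ip = ipaddress.ip_address(host)
        dst = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    except ValueError:
        raw = host.encode("idna")
        dst = bytes([ATYP_DOMAIN, len(raw)]) + raw
    return bytes([VER, CMD_CONNECT, 0x00]) + dst + struct.pack("!H", port)


def parse_connect(req):
    """Proxy (or observer): recover (host, port) from a CONNECT request."""
    if len(req) < 4 or req[0] != VER or req[1] != CMD_CONNECT or req[2] != 0:
        raise ValueError("not a SOCKS5 CONNECT")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        host, end = str(ipaddress.IPv4Address(req[4:8])), 8
    elif atyp == ATYP_IPV6:
        host, end = str(ipaddress.IPv6Address(req[4:20])), 20
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, end = req[5:5 + n].decode("idna"), 5 + n
    else:
        raise ValueError(f"unknown ATYP {atyp:#x}")
    if len(req) != end + 2:
        raise ValueError("truncated or trailing bytes in CONNECT")
    return host, struct.unpack("!H", req[end:end + 2])[0]


def handshake(username, password, host, port):
    """Run client and proxy in memory; return the wire transcript and the
    destination the proxy would open (None if the handshake fails)."""
    transcript = []
    greeting = build_greeting([NO_AUTH, USER_PASS])
    transcript.append(("C->P", greeting))
    offered = greeting[2:2 + greeting[1]]
    chosen = USER_PASS if USER_PASS in offered else NO_ACCEPTABLE  # proxy insists on auth
    transcript.append(("P->C", bytes([VER, chosen])))
    if chosen == NO_ACCEPTABLE:
        return transcript, None
    auth = build_userpass(username, password)
    transcript.append(("C->P", auth))
    user, pw = parse_userpass(auth)
    ok = PROXY_USERS.get(user) == pw
    transcript.append(("P->C", bytes([0x01, 0x00 if ok else 0x01])))  # RFC 1929: 0 = success
    if not ok:
        return transcript, None
    connect = build_connect(host, port)
    transcript.append(("C->P", connect))
    dst = parse_connect(connect)
    # Success reply; BND.ADDR of 0.0.0.0:0 is permitted by RFC 1928.
    transcript.append(("P->C", bytes([VER, REP_SUCCEEDED, 0x00, ATYP_IPV4, 0, 0, 0, 0, 0, 0])))
    return transcript, dst


def observer_view(transcript):
    """What a passive observer between client and proxy learns from the
    handshake alone, with no cryptography to break."""
    seen = {}
    msgs = [m for _, m in transcript]
    greeting = msgs[0]
    seen["methods_offered"] = list(greeting[2:2 + greeting[1]])
    chosen = msgs[1][1]
    i = 2
    if chosen == USER_PASS and len(msgs) > i:
        seen["user"], seen["password"] = parse_userpass(msgs[i])
        i += 2  # skip the auth status reply
    if len(msgs) > i:
        seen["destination"] = parse_connect(msgs[i])
    return seen


if __name__ == "__main__":
    transcript, dst = handshake("alice", "hunter2", "example.com", 443)
    for direction, msg in transcript:
        print(direction, msg.hex())
    print("proxy connects to", dst)
    print("observer sees", observer_view(transcript))
```

Everything `observer_view` returns comes straight off the wire. The TLS session that follows the CONNECT reply is opaque to both the proxy and the observer, which is the page's point, but the hostname and the proxy password are not, which is the caveat.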
DNS Still Runs on Trust and Plaintext
DNS is probably the best example of a critical system that resists encryption. Billions of queries cross the internet every day in plaintext over UDP port 53. That's your browser asking "where is google.com?" with no confidentiality whatsoever and, unless the resolver validates DNSSEC, no integrity either: anyone who can see the query can race the answer.
Encrypted alternatives exist. DNS over HTTPS and DNS over TLS both work, and some browsers now default to them. But adoption is patchy at best. The Wikipedia overview of the Domain Name System points out that DNS was built in the 1980s around speed and simplicity. Confidentiality wasn’t even on the original spec sheet.
Retrofitting encryption onto DNS breaks things. ISPs and enterprise networks lose the visibility they use for filtering, parental controls and split-horizon answers for internal names, because a browser doing DoH to a public resolver bypasses the local one entirely. A lookup that used to be one UDP packet each way now needs a TLS handshake and a connection kept open, so stub resolvers carry state they never had. Debugging a failed lookup goes from reading a packet capture to guessing. And the encryption only covers the hop from your machine to the resolver: the resolver still sees every name you ask for, and its own queries to the authoritative servers still go out in plaintext. These aren't hypothetical problems; they're why full DNS encryption keeps stalling despite years of advocacy.
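The following added example (my code, not from the original post) builds an RFC 1035 query exactly as it leaves the machine on UDP/53, parses a hand-constructed response including the name-compression pointers a real answer uses, and shows the two-byte length framing that DNS over TLS (RFC 7858) adds. Anyone on the path can run `parse_message` on the datagram; the name, the type and the 16-bit transaction ID are all there. The transaction ID, the name and the 192.0.2.1 answer are constructed values.

```python
import struct

FLAGS_RD, FLAGS_QR_RD_RA = 0x0100, 0x8180
TYPE_A, CLASS_IN = 1, 1


def encode_name(name):
    """Encode 'www.example.com' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("idna")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=TYPE_A, txid=0x1234):
    """One question, recursion desired. This is the whole datagram that leaves
    the stub resolver; the 16-bit ID is the only thing a spoofer has to guess."""
    header = struct.pack("!HHHHHH", txid, FLAGS_RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, offset):
    """Decode a name at offset, following compression pointers (top two bits 11).
    Pointers must point backwards, which rules out loops in hostile input.
    Returns (name, offset just past the name as it appeared in place)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            if not jumped:
                end, jumped = offset + 2, True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    """Decode header, question section and answer section of a DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def build_a_response(query, ip, ttl=300):
    """Constructed answer: echo the question, set QR|RD|RA, append one A record
    whose owner name is a compression pointer (0xC00C) back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, FLAGS_QR_RD_RA, 1, 1, 0, 0)
    rdata = bytes(int(octet) for octet in ip.split("."))
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def dot_frame(msg):
    """DNS over TLS (RFC 7858) sends the same message over a TLS socket on port 853
    with a two-byte big-endian length prefix; nothing else about the message changes."""
    return struct.pack("!H", len(msg)) + msg


if __name__ == "__main__":
    q = build_query("www.example.com")
    print("on the wire (plaintext):", q.hex())
    print("observer decodes:", parse_message(q))
    r = build_a_response(q, "192.0.2.1")
    print("response decodes:", parse_message(r))
    print("DoT framing prefix:", dot_frame(q)[:2].hex())
```

`decode_name` rejects forward pointers rather than counting hops because the RFC only allows a pointer to a prior occurrence; that single rule is what keeps a crafted response from looping the parser.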
Old Protocols Die Hard (If They Die at All)
SMTP, the protocol behind every email you've ever sent, was designed in 1982 (RFC 821). Plaintext. No authentication. No encryption. STARTTLS (RFC 3207) bolted on optional encryption later, but "optional" means plenty of servers still happily accept unencrypted connections, because refusing would cut them off from older systems. It's worse than optional, in fact: the upgrade is negotiated over the plaintext EHLO exchange, so anyone on the path can delete the STARTTLS advertisement and a sender running opportunistic TLS silently falls back to cleartext. MTA-STS and DANE exist to close that hole, and they're being adopted even more slowly than STARTTLS was.
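Here is an added example (my code, not from the original post) of the decision a sending mail server makes after EHLO, run against a constructed server reply, the same reply as an on-path attacker would forward it with the STARTTLS line stripped, and a constructed MTA-STS policy file. It is simplified: a real MTA-STS client also fetches the `_mta-sts` TXT record and validates the server certificate against the policy's `mx` list; the server name, the policy URL and the policy contents are assumptions.

```python
# Constructed EHLO reply in RFC 5321 multi-line 250 format (not a live capture).
EHLO_HONEST = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 35882577\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

# Constructed MTA-STS policy (RFC 8461 format), as it would be fetched from
# https://mta-sts.example.net/.well-known/mta-sts.txt (hypothetical host).
MTA_STS_ENFORCE = "version: STSv1\nmode: enforce\nmx: mail.example.net\nmax_age: 604800\n"


def parse_ehlo(reply):
    """Return the set of extension keywords the server advertised after EHLO."""
    lines = reply.rstrip("\r\n").split("\r\n")
    if not lines[-1].startswith("250 "):
        raise ValueError("multi-line 250 reply not terminated")
    exts = set()
    for line in lines[1:]:  # line 0 carries the server's domain and greeting text
        if line[:4] not in ("250-", "250 "):
            raise ValueError(f"unexpected reply line {line!r}")
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def strip_starttls(reply):
    """What an on-path downgrade attacker forwards to the client: the same reply
    minus the STARTTLS line, with the '250 ' terminator kept valid."""
    lines = reply.rstrip("\r\n").split("\r\n")
    kept = [l for l in lines if l[4:].split(" ", 1)[0].upper() != "STARTTLS"]
    kept = ["250-" + l[4:] for l in kept[:-1]] + ["250 " + kept[-1][4:]]
    return "\r\n".join(kept) + "\r\n"


def policy_from_mta_sts(text):
    """Map an MTA-STS policy to a client policy: 'enforce' means never deliver
    without TLS; 'testing' and 'none' leave delivery opportunistic."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    if fields.get("version") != "STSv1":
        raise ValueError("not an STSv1 policy")
    return "required" if fields.get("mode") == "enforce" else "opportunistic"


def starttls_decision(reply, policy):
    """Decide what the sending MTA does with the EHLO reply it received.
    policy: 'none' (never upgrade), 'opportunistic' (upgrade if offered, else
    send in the clear), 'required' (upgrade or abort delivery)."""
    if policy == "none":
        return "plaintext"
    if "STARTTLS" in parse_ehlo(reply):
        return "tls"
    return "abort" if policy == "required" else "plaintext"


def deliver(server_reply, policy, attacker_on_path=False):
    """Simulate one delivery attempt and return the transport the mail ends up on."""
    seen = strip_starttls(server_reply) if attacker_on_path else server_reply
    return starttls_decision(seen, policy)


if __name__ == "__main__":
    for policy in ("none", "opportunistic", "required", policy_from_mta_sts(MTA_STS_ENFORCE)):
        print(f"{policy:14s} clean path: {deliver(EHLO_HONEST, policy):9s} "
              f"stripped: {deliver(EHLO_HONEST, policy, attacker_on_path=True)}")
```

The opportunistic row is the one that matters: the attacker never touches a TLS handshake, they only drop one line from a plaintext reply, and the mail goes out unencrypted with no error logged anywhere. Only a policy the sender commits to in advance turns that into an abort.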
The Internet Engineering Task Force keeps publishing standards that encourage encryption, and the industry keeps adopting them at roughly the pace of continental drift. A regional hospital running radiology software from 2009 can’t just upgrade its mail server config without risking the whole workflow. Same goes for manufacturing plants running industrial controllers that predate TLS 1.2.
Ripping out these systems is expensive and risky. So they stay, usually tucked behind firewalls and VPNs instead of being individually encrypted.
Inside the Firewall, Nobody Bothers
Corporate internal networks are another blind spot. Traffic bouncing between servers in the same data center typically skips encryption entirely. The logic goes: if someone's already breached your internal network, encrypting server-to-server calls won't save you, and the performance hit at scale is real. The counterargument is just as old: a foothold on one box becomes a tap on every plaintext call that passes it, which is exactly what mutual TLS between services is meant to limit.
Google famously started encrypting internal links after the Snowden leaks revealed that intelligence agencies were tapping unencrypted connections between data centers. But Google has Google-sized engineering budgets. Most companies don’t. A Harvard Business Review piece on cybersecurity spending found that organizations overwhelmingly pour money into perimeter defenses rather than internal encryption. Firewalls and access controls win the budget fight every time.
It’s About Engineering Tradeoffs, Not Ideology
There’s an old Unix principle that still shapes how protocols get built: each tool should do one thing well. A routing protocol routes. An encryption protocol encrypts. Bolting both together creates something harder to maintain and harder to debug.
The internet isn’t one cohesive system with a single security policy. It’s thousands of overlapping systems with wildly different performance needs, threat profiles, and upgrade timelines. Some of those systems will adopt encryption when the tooling catches up. Others will keep choosing simplicity because, for what they’re actually doing, the math works out better that way. And that’s a perfectly valid engineering call, even if it makes the security purists uncomfortable.