Albrecht =?iso-8859-1?b?RHJl3w==?= <albrecht.dress@xxxxxxxx> writes: > A different, confusing point (which is closer to a “bug” IMHO) is that connections to localhost are actually encrypted by default. This is basically useless and just a waste of cpu cycles – if a malicious user may somehow tap (tcpdump) lo, there is a different problem which can not be mitigated by encryption… I agree that it's not very useful to do that, but it'd be tough for us to make it not happen by default --- that requires knowing an awful lot about the local network topology. Not sure that we'd want to assume that "localhost" is safe, and we'd certainly not know what to do for connections that use the host's name. Note that in most scenarios, "local" connections travel over a Unix socket not TCP, and in that case we don't encrypt. regards, tom lane
