[EXTERNAL] Re: Flow collection and analysis

Chris Adams cma at cmadams.net
Wed Jan 26 14:26:38 UTC 2022


Once upon a time, Laura Smith <n5d9xq3ti233xiyif2vp at protonmail.ch> said:
> I don't know about anyone else here, but frankly in 2022 TLS support should be a first-class citizen.
> 
> If I have to mess around with running something else as a proxy in front of it then that's the end of my software evaluation.
> 
> Crypto is no longer a "nice to have" option these days.

Having everything under the sun trying to implement the complexities of
TLS leads to lots of failures and security issues... so lots of web
things are designed to be simple and only implement HTTP, listen on
localhost, and let a well-optimized front-end (e.g. nginx) handle the
crypto side (as well as all the weird things browsers do).

It also makes it easier from a system admin point of view, because
handling cert updates in nginx is easy and well-known, so you don't have
to figure out 27 different ways alternate software handles certs and
updates.

-- 
Chris Adams <cma at cmadams.net>
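
The pattern Chris describes above (backend speaks plain HTTP on localhost, nginx in front terminates TLS and owns the certificates), as an added configuration example that is not part of the original post or of any project mentioned in the thread. The hostname example.com, the backend port 127.0.0.1:8080, the certbot paths under /etc/letsencrypt and the ACME webroot /var/www/letsencrypt are all assumptions for illustration:

```nginx
# Added example (not from the mailing-list post). Assumed names:
# example.com, backend on 127.0.0.1:8080, certs managed by certbot under
# /etc/letsencrypt/live/example.com/, ACME webroot at /var/www/letsencrypt.

# Port 80 exists only for the ACME HTTP-01 challenge; everything else
# is redirected to HTTPS so the backend is never reachable in the clear
# from outside the host.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com;

    # Certificate and key live here and nowhere else; the backend never
    # touches them, so renewal is a single nginx reload.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Modern TLS only. All protocol/cipher policy is decided in one place.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        # Plain HTTP to the loopback-only backend.
        proxy_pass http://127.0.0.1:8080;

        # Tell the backend who the real client is and that the
        # original request was HTTPS, since it only ever sees nginx.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two checks make this split actually safe rather than just convenient: the backend must bind to 127.0.0.1 (or a Unix socket), not 0.0.0.0, or the TLS front-end can simply be bypassed by connecting to port 8080 directly; and the backend must trust X-Forwarded-* headers only because the sole path to it is nginx, which overwrites them on every request. For cert rotation, a certbot deploy hook that runs `nginx -s reload` after renewal is the whole of the "cert update" problem on the nginx side, which is the administrative simplicity the post is pointing at.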
