[EXTERNAL] Re: Flow collection and analysis

Marcel Mitsuto mmi at ria.bi
Fri Jan 28 13:49:39 UTC 2022

My colleagues developers started adding valid let's encrypt certs
everywhere. Now I have multiple NAT entry points for build-servers in my
VPC because of the renewal frequency.

I feel less secure with them adding valid SSL certs everywhere that runs on

It's just dumb reasoning, and the CTO agreed with them. They are all gone
by now, but their legacy remains.

Now I have to find all those certs and replace them with 10 year
self-signed, and add --no-check-certificates flags in their http client

All NAT entrypoints are gone.

I'm feeling safe now.

On Fri, 28 Jan 2022 at 13:26, Jean St-Laurent via NANOG <nanog at nanog.org>

> Why DNS are still travelling in clear text?
> The software running the DNS services worldwide are probably written in C
> or any languages you mentioned below.
> Why don't they just strap a libressl on DNS or NanoSSL?
> Okay, there is DNS over https. I don't know the stats, but I doubt it's
> close to 100% adoption worldwide.
> I don't understand what is the issue about SSL, zero trust has anything to
> do about collecting flows. Do I need ssl to run shell commands in my
> terminal to read flows? Not really. Do I need to strap ssl on grep, notepad
> and excel? I'm not sure how could one do that.
> When you see the flows of your customers, you have access to how many
> times did they use Netflix, facebook and anything you could think of
> because these people are querying DNS to reach these... in clear text. They
> are also hitting servers that are well known.
> I would worry more about who is reading the flows of my business'
> customers than these flows being  not protected by SSL. They are anyway in
> a highly secure environment with zero trust.
> So if you don't like elastiflow or any software that are not being
> protected by SSL, then maybe switch off your computer. Protonmail won't
> help you to keep your digital life secure.
> This email was sent by a secure infrastructure using TLS 1.2 and clear
> text dns.
> Thank you
> Jean
> -----Original Message-----
> From: NANOG <nanog-bounces+jean=ddostest.me at nanog.org> On Behalf Of Laura
> Smith via NANOG
> Sent: January 28, 2022 5:15 AM
> To: Mel Beckman <mel at beckman.org>
> Cc: nanog at nanog.org list <nanog at nanog.org>
> Subject: Re: [EXTERNAL] Re: Flow collection and analysis
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, January 28th, 2022 at 03:55, Mel Beckman <mel at beckman.org>
> wrote:
> > But nobody asked for anything from scratch Eric. Open SSL is it complete
> ready to integrate package. Any developer worth his salt should be able to
> put it on any web application. In addition to OpenSSL, there are very
> compact commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you
> want to really simplify the process.
> >
> Yup. Every single modern programming language out there has a crypto
> library.
> The high-level languages (e.g. Go) have crypto built into the standard
> library.
> The low-level languages (e.g C or Rust) all have at least one or more well
> supported third party crypto libraries (e.g. for C there's OpenSSL, GnuTLS,
> LibreSSL, Boring SSL, Mbed TLS ... and those are the ones that I can think
> of off the top of my head).
> There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20220128/5a8bce4d/attachment.html>

More information about the NANOG mailing list