<div dir="ltr">My colleagues developers started adding valid let's encrypt certs everywhere. Now I have multiple NAT entry points for build-servers in my VPC because of the renewal frequency. <div><br></div><div>I feel less secure with them adding valid SSL certs everywhere that runs on a PRIVATE NETWORK. </div><div><br></div><div>It's just dumb reasoning, and the CTO agreed with them. They are all gone by now, but their legacy remains.</div><div><br></div><div>Now I have to find all those certs and replace them with 10 year self-signed, and add --no-check-certificates flags in their http client requests. </div><div><br></div><div>All NAT entrypoints are gone. </div><div><br></div><div>I'm feeling safe now.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 28 Jan 2022 at 13:26, Jean St-Laurent via NANOG <<a href="mailto:nanog@nanog.org">nanog@nanog.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Why DNS are still travelling in clear text?<br>
<br>
The software running the DNS services worldwide are probably written in C or any languages you mentioned below.<br>
<br>
Why don't they just strap a libressl on DNS or NanoSSL?<br>
<br>
Okay, there is DNS over https. I don't know the stats, but I doubt it's close to 100% adoption worldwide.<br>
<br>
I don't understand what is the issue about SSL, zero trust has anything to do about collecting flows. Do I need ssl to run shell commands in my terminal to read flows? Not really. Do I need to strap ssl on grep, notepad and excel? I'm not sure how could one do that.<br>
<br>
When you see the flows of your customers, you have access to how many times did they use Netflix, facebook and anything you could think of because these people are querying DNS to reach these... in clear text. They are also hitting servers that are well known.<br>
<br>
I would worry more about who is reading the flows of my business' customers than these flows being not protected by SSL. They are anyway in a highly secure environment with zero trust.<br>
<br>
So if you don't like elastiflow or any software that are not being protected by SSL, then maybe switch off your computer. Protonmail won't help you to keep your digital life secure.<br>
<br>
This email was sent by a secure infrastructure using TLS 1.2 and clear text dns.<br>
<br>
Thank you<br>
<br>
Jean<br>
<br>
-----Original Message-----<br>
From: NANOG <nanog-bounces+jean=<a href="mailto:ddostest.me@nanog.org" target="_blank">ddostest.me@nanog.org</a>> On Behalf Of Laura Smith via NANOG<br>
Sent: January 28, 2022 5:15 AM<br>
To: Mel Beckman <<a href="mailto:mel@beckman.org" target="_blank">mel@beckman.org</a>><br>
Cc: <a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a> list <<a href="mailto:nanog@nanog.org" target="_blank">nanog@nanog.org</a>><br>
Subject: Re: [EXTERNAL] Re: Flow collection and analysis<br>
<br>
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐<br>
<br>
On Friday, January 28th, 2022 at 03:55, Mel Beckman <<a href="mailto:mel@beckman.org" target="_blank">mel@beckman.org</a>> wrote:<br>
<br>
> But nobody asked for anything from scratch Eric. Open SSL is it complete ready to integrate package. Any developer worth his salt should be able to put it on any web application. In addition to OpenSSL, there are very compact commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you want to really simplify the process.<br>
><br>
<br>
Yup. Every single modern programming language out there has a crypto library.<br>
<br>
The high-level languages (e.g. Go) have crypto built into the standard library.<br>
<br>
The low-level languages (e.g C or Rust) all have at least one or more well supported third party crypto libraries (e.g. for C there's OpenSSL, GnuTLS, LibreSSL, Boring SSL, Mbed TLS ... and those are the ones that I can think of off the top of my head).<br>
<br>
There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.<br>
<br>
</blockquote></div>