My developer colleagues started adding valid Let's Encrypt certs everywhere. Now I have multiple NAT entry points for build servers in my VPC because of the renewal frequency.
I feel less secure with them adding valid SSL certs everywhere on things that run on a PRIVATE NETWORK. It's just dumb reasoning, and the CTO agreed with them. They are all gone by now, but their legacy remains. Now I have to find all those certs and replace them with 10-year self-signed ones, and add --no-check-certificates flags to their HTTP client requests. All NAT entry points are gone. I'm feeling safe now.

On Fri, 28 Jan 2022 at 13:26, Jean St-Laurent via NANOG <nanog@nanog.org> wrote:

> Why is DNS still travelling in clear text?
>
> The software running the DNS services worldwide is probably written in C
> or any of the languages you mentioned below.
>
> Why don't they just strap a libressl on DNS or NanoSSL?
>
> Okay, there is DNS over https. I don't know the stats, but I doubt it's
> close to 100% adoption worldwide.
>
> I don't understand what the issue is about SSL, or what zero trust has to
> do with collecting flows. Do I need ssl to run shell commands in my
> terminal to read flows? Not really. Do I need to strap ssl on grep, notepad
> and excel? I'm not sure how one could do that.
>
> When you see the flows of your customers, you have access to how many
> times they used Netflix, facebook and anything you could think of,
> because these people are querying DNS to reach these... in clear text. They
> are also hitting servers that are well known.
>
> I would worry more about who is reading the flows of my business'
> customers than about these flows not being protected by SSL. They are anyway in
> a highly secure environment with zero trust.
>
> So if you don't like elastiflow or any software that is not
> protected by SSL, then maybe switch off your computer. Protonmail won't
> help you to keep your digital life secure.
>
> This email was sent by a secure infrastructure using TLS 1.2 and clear
> text dns.
>
> Thank you
>
> Jean
>
> -----Original Message-----
> From: NANOG <nanog-bounces+jean=ddostest...@nanog.org> On Behalf Of Laura
> Smith via NANOG
> Sent: January 28, 2022 5:15 AM
> To: Mel Beckman <m...@beckman.org>
> Cc: nanog@nanog.org list <nanog@nanog.org>
> Subject: Re: [EXTERNAL] Re: Flow collection and analysis
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Friday, January 28th, 2022 at 03:55, Mel Beckman <m...@beckman.org>
> wrote:
>
> > But nobody asked for anything from scratch, Eric. OpenSSL is a complete,
> > ready-to-integrate package. Any developer worth his salt should be able to
> > put it on any web application. In addition to OpenSSL, there are very
> > compact commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you
> > want to really simplify the process.
> >
>
> Yup. Every single modern programming language out there has a crypto
> library.
>
> The high-level languages (e.g. Go) have crypto built into the standard
> library.
>
> The low-level languages (e.g. C or Rust) all have at least one or more well
> supported third party crypto libraries (e.g. for C there's OpenSSL, GnuTLS,
> LibreSSL, BoringSSL, Mbed TLS ... and those are the ones that I can think
> of off the top of my head).
>
> There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.
>