Re: [EXTERNAL] Re: Flow collection and analysis

[Marcel Mitsuto <mmi () ria bi>]

My colleagues developers started adding valid let's encrypt certs
everywhere. Now I have multiple NAT entry points for build-servers in my
VPC because of the renewal frequency.

I feel less secure with them adding valid SSL certs everywhere that runs on
a PRIVATE NETWORK.

It's just dumb reasoning, and the CTO agreed with them. They are all gone
by now, but their legacy remains.

Now I have to find all those certs and replace them with 10 year
self-signed, and add --no-check-certificates flags in their http client
requests.

All NAT entrypoints are gone.

I'm feeling safe now.

On Fri, 28 Jan 2022 at 13:26, Jean St-Laurent via NANOG <nanog () nanog org>
wrote:

> Why DNS are still travelling in clear text?
>
> The software running the DNS services worldwide are probably written in C
> or any languages you mentioned below.
>
> Why don't they just strap a libressl on DNS or NanoSSL?
>
> Okay, there is DNS over https. I don't know the stats, but I doubt it's
> close to 100% adoption worldwide.
>
> I don't understand what is the issue about SSL, zero trust has anything to
> do about collecting flows. Do I need ssl to run shell commands in my
> terminal to read flows? Not really. Do I need to strap ssl on grep, notepad
> and excel? I'm not sure how could one do that.
>
> When you see the flows of your customers, you have access to how many
> times did they use Netflix, facebook and anything you could think of
> because these people are querying DNS to reach these... in clear text. They
> are also hitting servers that are well known.
>
> I would worry more about who is reading the flows of my business'
> customers than these flows being  not protected by SSL. They are anyway in
> a highly secure environment with zero trust.
>
> So if you don't like elastiflow or any software that are not being
> protected by SSL, then maybe switch off your computer. Protonmail won't
> help you to keep your digital life secure.
>
> This email was sent by a secure infrastructure using TLS 1.2 and clear
> text dns.
>
> Thank you
>
> Jean
>
> -----Original Message-----
> From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Laura
> Smith via NANOG
> Sent: January 28, 2022 5:15 AM
> To: Mel Beckman <mel () beckman org>
> Cc: nanog () nanog org list <nanog () nanog org>
> Subject: Re: [EXTERNAL] Re: Flow collection and analysis
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>
> On Friday, January 28th, 2022 at 03:55, Mel Beckman <mel () beckman org>
> wrote:
>
> > But nobody asked for anything from scratch Eric. Open SSL is it complete
> ready to integrate package. Any developer worth his salt should be able to
> put it on any web application. In addition to OpenSSL, there are very
> compact commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you
> want to really simplify the process.
> >
>
> Yup. Every single modern programming language out there has a crypto
> library.
>
> The high-level languages (e.g. Go) have crypto built into the standard
> library.
>
> The low-level languages (e.g C or Rust) all have at least one or more well
> supported third party crypto libraries (e.g. for C there's OpenSSL, GnuTLS,
> LibreSSL, Boring SSL, Mbed TLS ... and those are the ones that I can think
> of off the top of my head).
>
> There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.