RE: [EXTERNAL] Re: Flow collection and analysis

[Jean St-Laurent via NANOG <nanog () nanog org>]

Why DNS are still travelling in clear text?

The software running the DNS services worldwide are probably written in C or any languages you mentioned below.

Why don't they just strap a libressl on DNS or NanoSSL?

Okay, there is DNS over https. I don't know the stats, but I doubt it's close to 100% adoption worldwide.

I don't understand what is the issue about SSL, zero trust has anything to do about collecting flows. Do I need ssl to 
run shell commands in my terminal to read flows? Not really. Do I need to strap ssl on grep, notepad and excel? I'm not 
sure how could one do that.

When you see the flows of your customers, you have access to how many times did they use Netflix, facebook and anything 
you could think of because these people are querying DNS to reach these... in clear text. They are also hitting servers 
that are well known.

I would worry more about who is reading the flows of my business' customers than these flows being  not protected by 
SSL. They are anyway in a highly secure environment with zero trust.

So if you don't like elastiflow or any software that are not being protected by SSL, then maybe switch off your 
computer. Protonmail won't help you to keep your digital life secure.

This email was sent by a secure infrastructure using TLS 1.2 and clear text dns.

Thank you

Jean

-----Original Message-----
From: NANOG <nanog-bounces+jean=ddostest.me () nanog org> On Behalf Of Laura Smith via NANOG
Sent: January 28, 2022 5:15 AM
To: Mel Beckman <mel () beckman org>
Cc: nanog () nanog org list <nanog () nanog org>
Subject: Re: [EXTERNAL] Re: Flow collection and analysis

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Friday, January 28th, 2022 at 03:55, Mel Beckman <mel () beckman org> wrote:

> But nobody asked for anything from scratch Eric. Open SSL is it complete ready to integrate package. Any developer 
> worth his salt should be able to put it on any web application. In addition to OpenSSL, there are very compact 
> commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you want to really simplify the process.

Yup. Every single modern programming language out there has a crypto library.

The high-level languages (e.g. Go) have crypto built into the standard library.

The low-level languages (e.g C or Rust) all have at least one or more well supported third party crypto libraries (e.g. 
for C there's OpenSSL, GnuTLS, LibreSSL, Boring SSL, Mbed TLS ... and those are the ones that I can think of off the 
top of my head).

There's no need to do any crypto "from scratch", and indeed you SHOULD NOT.