nanog mailing list archives

Re: [EXTERNAL] Re: Flow collection and analysis


From: Mel Beckman <mel () beckman org>
Date: Fri, 28 Jan 2022 03:55:09 +0000

But nobody asked for anything from scratch, Eric. OpenSSL is a complete, ready-to-integrate package. Any developer 
worth his salt should be able to put it on any web application. In addition to OpenSSL, there are very compact 
commercial SSL libraries such as Mocana NanoSSL and wolfSSL, if you want to really simplify the process.

Nobody need write any crypto software at all, and the extensive manhours you claim are not real.

 -mel

On Jan 27, 2022, at 6:26 PM, Eric Kuhnke <eric.kuhnke () gmail com> wrote:


Not at all, what I'm recommending is that people who develop something that is specialized (like netflow analysis 
software) don't need to expend the person-hours and extensive development time to implement something that has already 
been better implemented by people who are httpd specialists.

The amount of possible design complexities and security risks that go into shipping a 'stable' version of apache2 or 
nginx are beyond the scope of any small to medium sized non-httpd-related open source software project. Let the 
apache2 or nginx developers handle that.

It's like saying that because a piece of software communicates with something externally by SMTP, either inbound or 
outbound email or both, some software developer should take the time to re-implement and write from scratch their own 
SMTP, rather than relaying mail via a postfix daemon running on the same server.

Or because you have a piece of software that queries something over SNMP, don't use the perfectly good ISC SNMP 
packages that exist for centos or debian to issue snmpgets, but write from scratch your own snmp poller.

On Wed, 26 Jan 2022 at 07:34, Mel Beckman <mel () beckman org> wrote:
People who advocate TLS lash-ups like nginx front ends remind me of Mr. Bean's DIY automobile security, which started 
with a screwed-on metal hasp and padlock, and then continued to a range of additional “layers”. Not “defense-in-depth”, 
merely unwarranted “complexity-in-depth”:

https://youtu.be/CCl_KxGLgOA

TLS is a standardized, fully open-source package that can be integrated into even tiny IoT devices (witness this $10 
WiFi module https://www.adafruit.com/product/4201). The argument that people who 
want intrinsically secure products can just bolt on their own security is missing the point entirely. Every 
web-enabled product should be required to implement TLS and then let customers decide when they want to enable it. 
Vendors who are so weak that they can't should have their products go straight into /dev/null.

-mel via cell

On Jan 26, 2022, at 6:51 AM, heasley <heas () shrubbery net> wrote:

Wed, Jan 26, 2022 at 07:21:19AM -0600, Mike Hammett:
Why is it [TLS] even necessary for such a function?

Confidentiality and integrity, even if you do not care about authentication.
I am surprised that question is asked.

The fewer things that are left unprotected, the better for everyone. Those
with concern about erosion of their privacy and human rights benefit from
everything being protected, everywhere for everyone.
