[atlas] SSL Certificates for ripe anchors

Just to weigh in as both an Anchor host and a heavy Atlas user: we've found
the self-signed certificates to be a non-issue.


While I will not deny that they do show up in many internal security scans,
self-signed certs fall well below other "issues" such as open ports,
non-standard responses to version.bind queries, and strange traffic
patterns. Such concerns are, however, mitigated by the understanding that
the anchors are measurement points, and therefore may generate, and be
subject to, non-standard (or perceived as traditionally insecure) behaviors.


I can appreciate that there may be measurements (*i.e. *using the platform)
that would be made easier with non-self-signed certificates, but I'm not
sure I've seen that discussed here.


-m

On Wed, Sep 4, 2019 at 3:00 AM Robert Kisteleki <robert at ripe.net> wrote:

>
> On 2019-09-03 17:03, Randy Bush wrote:
> > been using LE+TLSA for a loooong time.  like 94 of us, i have recipies
> > (for LE for sites w/o web services) if you need them.  please do it.
> > it's prudent.
> >
> > randy
>
> Thank you Randy for the offer!
>
> We'll check what it takes to add this to the anchors, and report back soon.
>
> Regards,
> Robert
>
>

-- 
*Marcel Flores, PhD* | Sr. Research Scientist
research.verizondigitalmedia.com | AS15133
<https://www.peeringdb.com/asn/15133>
e: marcel.flores at verizondigitalmedia.com
13031 W Jefferson Blvd. Building 900, Los Angeles, CA 90094
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/ripe-atlas/attachments/20190904/40b29948/attachment.html>