<div dir="ltr">





<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica">Just to weigh in as both an Anchor host and a heavy Atlas user: we've found the self-signed certificates to be a non-issue.</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica;min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica">While I will not deny that they do show up in many internal security scans, self-signed certs fall well below other "issues" such as open ports, non-standard responses to version.bind queries, and strange traffic patterns. Such concerns are, however, mitigated by the understanding that the anchors are measurement points, and therefore may generate, and be subject to, non-standard (or perceived as traditionally insecure) behaviors.</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica;min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica">I can appreciate that there may be measurements (<i>i.e. </i>using the platform) that would be made easier with non-self-signed certificates, but I'm not sure I've seen that discussed here.</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica;min-height:14px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:12px;line-height:normal;font-family:Helvetica">-m</p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 4, 2019 at 3:00 AM Robert Kisteleki &lt;<a href="mailto:robert@ripe.net">robert@ripe.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 2019-09-03 17:03, Randy Bush wrote:<br>
> been using LE+TLSA for a loooong time.  like 94 of us, i have recipes<br>
> (for LE for sites w/o web services) if you need them.  please do it.<br>
> it's prudent.<br>
> <br>
> randy<br>
<br>
Thank you Randy for the offer!<br>
<br>
We'll check what it takes to add this to the anchors, and report back soon.<br>
<br>
Regards,<br>
Robert<br>
<br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><b>Marcel Flores, PhD</b> | <span style="color:rgb(102,102,102);font-size:12.8px">Sr. </span><span style="color:rgb(102,102,102);font-size:12.8px">Research Scientist</span></div><div dir="ltr"><font color="#ff0000"><a href="http://research.verizondigitalmedia.com" target="_blank">research.verizondigitalmedia.com</a></font> | <a href="https://www.peeringdb.com/asn/15133" target="_blank">AS15133</a><br><span style="font-size:12.8px"><font color="#666666">e:</font> </span><a href="mailto:marcel.flores@verizondigitalmedia.com" style="font-size:12.8px" target="_blank"><font color="#ff0000">marcel.flores@verizondigitalmedia.com</font></a><span style="font-size:12.8px">  </span><br><font color="#666666">13031 W Jefferson Blvd. Building 900, Los Angeles, CA 90094</font></div></div></div></div></div></div></div></div>