Embed Size (px)
Citation preview
MAKINGHTTPS
ACCESSIBLE
THEACTORS
Certi cateAuthorityanentitytrustedbyclient(browser)installations.
Hostcreatesprivate&publickeypair,certi cate,andgetsitsignedbyaCAaftervalidationprocess.
Clientconnectsserver,downloadscerti cate,andchecksthatit'spreinstalledlistoftrustedCAs
containstheissuersignature.
WHYDOWENEEDITANYWAY?
MITMprotectionContentinjection
Sessionhijacking
Contentcensorship
HTTP/2
SEO
MajorbrowsersaregoingtomarkHTTPasinsecurechrome:// ags->Marknonsecureoriginsasnon-secure
WHAT'STHEPROBLEMTHEN?
ObtainingDVcerti catesisunnecessarilycumbersomeEverdoneit?You'llagree.
Avoidingitbyobtainingunnecessarywildcardcerts?
Moreimportantly:tediouscon guration-movingtarget
OHYEAHSSLProtocol all -SSLv2 -SSLv3SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHASSLHonorCipherOrder onSSLCompression off
SSLOptions +StrictRequire
WHAT'STHEPROBLEMTHEN?
ObtainingDVcerti catesisunnecessarilycumbersomeEverdoneit?You'llagree.
Avoidingitbyobtainingunnecessarywildcardcerts?
Moreimportantly:tediouscon guration-movingtarget
Repeattheaboveevery1/2/5years
Iflazy,skippingthecon gurationpart...Highpossibilityofinsecurecon guration.
REVOCATIONTOO.. .
CRLstandardisnotgoingtoworkChromefamilyofbrowsersalreadyignoringitinfavorofcuratedCRLSet.
We'replanningtoencryptthewholeweb,remember?
CA&THEOFFICIALCLIENT
LET'SENCRYPTCA
Free&OpenSource
SpeaksACMEprotocol
OnlyDV
Nowildcards,butupto100domainsinSAN
ChallengetypesDVSNI(tls-sni-01)
Nonceasvhostname
HTTP(http-01)
Customcontentin/.well-known/acme-challenge/nonce_ lename
DNS(dns-01)
NonceasTXTrecord
https://github.com/letsencrypt/boulder
https://tools.ietf.org/html/draft-ietf-acme-acme-02
SOMESTATISTICS, WHEREWEARE
NOW
Certi catesissuedby5thofApril2016:1,427,274
Outofwhich90,4%arenewtotheWebPKI!
StatisticsbyJ.C.Jones( ):
Certi catesissuedcurrently:2,010,081
Coveringroughly4milliondomains
Widevarietyofclients
@jamespugjones
https://tacticalsecret.com/124-days-of-lets-encrypt/
THEOFFICIALCLIENT
Authenticator/Installerpluginarchitecture
Savesyourcon gurationforrenewalRenewalworkssimplybyissuing:
Onsystemswithmultiplecerti cates,attemptstorenewonlyifneeded
Appendtocrontab� re&forget
$ letsencrypt renew
CURRENTCLIENTPLUGINS
ManualpluginExecutecommandstocompletethechallengemanually(inremotemachineforexample).
StandalonepluginStartinternalhttpdtorespondtohttp-01ortls-sni-01challenges
WebrootpluginUsealreadyrunninghttpdtoservechallengeresponsesfromde nedwebrootdirectory/
directories.
Apacheplugin(alsoappliestoexperimentalNGINXplugin)Readsyourconfuguration,andprompts(ifnotchosenbycliarguments)youtochoosefrom1to
100domainsfromthevhostsfound
Answerchallengesusingtls-sni-01
Con guresyourvhostswithnewlyacquiredcerti cates,andgooddefaults
Restartsservertoactivatethecon guration
Ifsomethingfails,willrollbackyourcon guration
THEDIRECTION
OCSPmust-staple
ClientnamechangeandmoveunderEFF
Con gurationmanagementKeepupwiththestate-of-the-artcon guration.
90dexpirationcomeshandy
WE'RESOLVINGEXACTLYWHAT?
It'scumbersometoaquirecerti catesLet'sEncryptCA+ACME+automation
Tediouscon gurationtheof cialclient
Methodsofrevocationinbadshape90dexpiry
OCSPMust-staple
THEFUTURE
Autonomouscerti categeneration&validationprocessbythe
serversoftwareitself
VerymuchachievableCheckoutCaddy:https://github.com/mholt/caddy
LINKS
Let'sEncrypt-
TheCA-
Theclient-
https://letsencrypt.org
https://github.com/letsencrypt/boulder
https://github.com/letsencrypt/letsencrypt
