amjad-mashaal
Disclaimer
I’m not officially associated with, nor am I an employee of ISRG, EFF, Certbot, Let’s Encrypt, or any of Let’s Encrypt’s sponsors. Or anything. Or anyone. At all.
All statements are my own opinions unless explicitly described as a fact, and do not represent anyone else’s opinion.
Let’s define some stuff
● HTTP: Hypertext Transfer Protocol
● TLS: Transport Layer Security
● HTTPS: HTTP Secure, encrypted using TLS
● CA: Certificate authority
How does HTTPS work?
● (Supposedly) Trusted certificate authorities issue certificates
● Websites use these certificates to verify their identity
● Using those certificates, servers are configured to serve websites securely (HTTPS, encrypted using TLS)
Why do we use HTTPS?
HTTP provides no security whatsoever
● MITM (Man-in-the-middle) attacks
● No confidentiality
● No identity authenticity
What’s the problem?
● Validation steps are different and require human interaction
● Process can’t be automated
● Costs anywhere from $10 to $1000
● Configuration is difficult, takes an average of 1 to 3 hours
What’s the solution?
● Protocol specification
● A certificate authority
● Python
● Go
● Bash scripts
What’s the solution?
● Automated
● Fast
● Free
● Free
Demo
History
● ISRG (Internet Security Research Group)
● Mozilla, EFF and University of Michigan
● Akamai, Stanford Law School, Cisco, CoreOS, OVH
● Facebook, Shopify, Vultr, Chrome, and others
Milestones
● First certificate, 14th of September, 2015
● Cross-signed by IdenTrust, 19th of October, 2015
● Public beta, 3rd of December, 2015
● Millionth certificate, 8th of March, 2016
● Leaving beta, 12th of April, 2016
Milestones
https://letsencrypt.org/stats/
Milestones
● 15.4 million fully qualified domains
● 10.7 million certificates
Milestones
https://letsencrypt.org/stats/
Milestones
● More than 50K certificates per day
● 1 million certificates issued on October 15th
Milestones
https://letsencrypt.org/stats/
Milestones
● HTTPS websites, from 40% to 48%
What is Let’s Encrypt?
● Specification: ACME
● Server: Boulder
● Clients: Certbot (among others)
Automation? Of what?
● Domain validation
● Register, the server issues you challenges, you solve them, and that’s how you prove ownership!
DV using HTTP
● ACME server generates a random token
● Client has to create a file with the token as the file name on the website
http://example.com/.well-known/acme-challenge/<token>
● ACME server requests the file and validates the challenge
Other DV methods exist too!
● DV using SNI
– Utilizes Server Name Indication extension, RFC 6066
● DV using DNS
– TXT entry, _acme-challenge.example.com
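The HTTP-01 flow from the “DV using HTTP” slide and the DNS-01 variant from this slide, modelled end to end in Python. This is an added example, not code from the talk, Boulder or Certbot. It follows the challenge construction in RFC 8555 (the file or TXT value is derived from the token plus the account key’s RFC 7638 thumbprint, which is what binds the challenge to one ACME account); the account key, the “web root” dictionary and the DNS zone are constructed stand-ins, and no network traffic is involved.

```python
"""ACME domain-validation challenges (HTTP-01 and DNS-01) modelled offline.

Added example, not code from the talk, Certbot or Boulder. It follows the
challenge construction in RFC 8555 (ACME) and RFC 7638 (JWK thumbprint);
the account key, web root and zone below are constructed stand-ins.
"""
import base64
import hashlib
import json
import re
import secrets

# Constructed placeholder account key (public JWK). Not a real key: only the
# thumbprint derivation is exercised here.
ACCOUNT_JWK = {"kty": "RSA", "n": "placeholder-modulus-not-a-real-key", "e": "AQAB"}

# Tokens are base64url without padding with at least 128 bits of entropy
# (RFC 8555 section 8.3). The client re-checks the alphabet before creating a
# file named after the token, so a malformed token can never name a path
# outside the challenge directory.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+$")
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_token() -> str:
    # Server side: 32 random bytes = 256 bits of entropy, 43 base64url chars.
    return b64url(secrets.token_bytes(32))


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, keys sorted lexicographically,
    # serialised with no whitespace.
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # token "." thumbprint: ties the answer to the account key, so someone who
    # merely observes the token cannot answer the challenge for their account.
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    # DNS-01: the TXT record at _acme-challenge.<domain> carries the base64url
    # SHA-256 of the key authorization (RFC 8555 section 8.4).
    return b64url(hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest())


def provision_http01(webroot: dict, token: str, jwk: dict) -> None:
    # Client side: publish the key authorization at the well-known path.
    if not TOKEN_RE.match(token):
        raise ValueError("token is not base64url; refusing to create the file")
    webroot[CHALLENGE_PREFIX + token] = key_authorization(token, jwk)


def validate_http01(webroot: dict, token: str, jwk: dict) -> bool:
    # Server side: fetch the file over plain HTTP and compare. The expected
    # value is recomputed from the account key on record, never taken from
    # anything the client sent.
    body = webroot.get(CHALLENGE_PREFIX + token)
    expected = key_authorization(token, jwk)
    return body is not None and secrets.compare_digest(body.strip(), expected)


def validate_dns01(txt_records: dict, domain: str, token: str, jwk: dict) -> bool:
    # Server side: any TXT value at the challenge name may match.
    values = txt_records.get(f"_acme-challenge.{domain}", ())
    expected = dns01_txt_value(token, jwk)
    return any(secrets.compare_digest(v, expected) for v in values)


if __name__ == "__main__":
    token = new_token()
    site = {}  # constructed stand-in for the web root
    provision_http01(site, token, ACCOUNT_JWK)
    print("HTTP-01 valid:", validate_http01(site, token, ACCOUNT_JWK))
    zone = {"_acme-challenge.example.com": [dns01_txt_value(token, ACCOUNT_JWK)]}
    print("DNS-01 valid:", validate_dns01(zone, "example.com", token, ACCOUNT_JWK))
    # A different account key cannot answer a challenge issued to this one.
    other = {"kty": "RSA", "n": "another-placeholder", "e": "AQAB"}
    print("Other account:", validate_http01(site, token, other))
```

The point to take from the model: the server validates by recomputing the expected value from the account key it already holds, so a stale or mismatched file, a tampered body, or a different account key all fail, and the client refuses to write a challenge file whose name is not plain base64url.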
Boulder
● Server implementation of the ACME spec written in Go
● The only ACME server implementation (that we know of)
● Maintained by ISRG (Let’s Encrypt team)
Certbot
● Previously known as the Let’s Encrypt official client
● Renamed to Certbot and moved to EFF on 12th of May 2016
● One of the many clients created for ACME
● Maintained by EFF (Electronic Frontier Foundation)
● Automatic configuration for Apache and nginx
● Automated certificate renewal
Get involved!
● Set up HTTPS on your site!
● Contribute
● Donate
● https://certbot.eff.org
● https://github.com/certbot/certbot
● https://github.com/letsencrypt/boulder
● https://letsencrypt.org