The Free CA for Web Site Encryption - SLUUG · Let's Encrypt Certificate authority [CA] entered...
Let's Encrypt
The Free CA for Web Site Encryption
Lee Lammert
St. Louis Linux User's Group
18 February 2016
ACRONYMS
● SSL (Secure Sockets Layer) – old name for the main TCP security layer
● TLS (Transport Layer Security) – current name
● HTTPS (HTTP Secure) – HTTP plus TLS
● X.509 – format for TLS certificates
● PKI (Public Key Infrastructure) – infrastructure for distributing crypto keys
WHY TLS?
● Not just for financial data or website logins
● Wide area networks are inherently untrustworthy
● Plain HTTP offers no defense
Risks - Attacks
● Sidejacking
● Location tracking
● Reader privacy
● Content-based censorship
● ISP header or advertisement injection
Issues
● Lower performance
● Inhibits load balancing
● Certificate cost
● Time consuming, error-prone, and complex to install and renew certificates
Current solutions
● Self-signed certificates
– Must be accepted in browser
– Ignore signer for other ops
● Low-cost certificates
– No validation other than domain ownership
– No traceability
Let's Encrypt
● Initially, a collaboration among EFF, University of Michigan, and Mozilla
● Fully-automated Certificate Authority
● Publicly trusted in all major web browsers
Let's Encrypt
● Certificate authority [CA] entered public beta on December 3, 2015
● Free, automated X.509 certificates for Transport Layer Security (TLS) encryption
● Certificates expire in 90 days
● Renewal easily automated
Validation
● Free certificates attest only that the applicant controls the domain
● Green lock symbol
● OV (Organization Validation) and EV (Extended Validation) are out of scope for now
Publicly Trusted
● Complies with WebTrust audit requirements
● Open source software and specs
● Open audits / publication
● Browser root programs
● Cross-signatures from IdenTrust
Registration
● For open web site (i.e. no authentication)
Validation
Issuance
Process
● For a simple site, as easy as:
– sudo apt-get install lets-encrypt
– sudo lets-encrypt
● The lets-encrypt client will not only obtain, but also deploy, the new cert in less than one minute
Authenticated Sites
● The Let's Encrypt client cannot automate the process due to the authentication requirement
● Standalone method used, where the client supplies its own server to respond to the handshake
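As an added illustration of the validation step behind the two slides above (this is not code from the talk or from the Let's Encrypt client), the following Python shows what a standalone responder actually has to prove: it computes the HTTP-01 key authorization, the challenge token bound to the ACME account key via the RFC 7638 JWK thumbprint as ACME (RFC 8555) specifies, and serves it at the path the CA fetches over plain HTTP. The account key and token are constructed sample values; `CHALLENGE_PREFIX`, `lookup` and `ChallengeHandler` are names chosen here.

```python
import base64
import hashlib
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"  # path the CA fetches on port 80

def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JWK require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    keys in lexicographic order, no whitespace; other members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def key_authorization(token: str, account_jwk: dict) -> str:
    """The body the CA expects: token bound to the ACME account key, so only
    the holder of that key (the applicant) can satisfy the challenge."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"

def lookup(path: str, challenges: dict) -> tuple:
    """Routing of the standalone responder, kept socket-free so it can be
    tested directly. challenges maps token -> key authorization."""
    if path.startswith(CHALLENGE_PREFIX):
        token = path[len(CHALLENGE_PREFIX):]
        if token in challenges:
            return 200, challenges[token]
    return 404, "not found"  # any other path, including unknown tokens

class ChallengeHandler(BaseHTTPRequestHandler):
    challenges: dict = {}  # filled in before the server starts
    def do_GET(self):
        status, body = lookup(self.path, self.challenges)
        data = body.encode("ascii")
        self.send_response(status)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

# Constructed sample values: not a real account key and not a CA-issued token.
DEMO_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key",
            "kid": "extra member, ignored by the thumbprint"}
DEMO_TOKEN = "sample-token-from-the-CA"

if __name__ == "__main__":  # binding port 80 needs root, like the real client
    ChallengeHandler.challenges = {DEMO_TOKEN: key_authorization(DEMO_TOKEN, DEMO_JWK)}
    HTTPServer(("", 80), ChallengeHandler).serve_forever()
```

The responder only needs to exist for the seconds the CA takes to fetch the token, which is why the standalone method can sit in front of a site that otherwise requires authentication.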
Examples
● https://oc.omnitec.net
● https://nagios.omnitec.net