
The Life of a Safe Gopher


This talk delves into the details of what a certificate is so we can have a better understanding of how certificates play a role in a TLS connection. At the end I demo how to generate a certificate and install it on a simple Go web server.

Sample code: https://gist.github.com/carlisia/c40d9a4f2003140f8d97dd6c56e5420b


Carlisia Campos

November 18, 2017

Transcript

  1. THE LIFE OF A SAFE GOPHER TLS, CERTIFICATES, AND SECURE GO APPS CARLISIA PINTO GO DEVELOPER @ FASTLY CO-HOST OF @GOTIMEFM
  2. AGENDA ▸ Information security ▸ TLS and certificates ▸ Demo

  3. BENEFITS OF SECURITY

  5. SECURITY PRINCIPLES

  6. CONFIDENTIALITY INFORMATION IS NOT MADE AVAILABLE TO UNAUTHORIZED ENTITIES.

  7. INTEGRITY INFORMATION IS ACCURATE AND COMPLETE FROM ORIGIN UNTIL DESTINATION.

  8. AVAILABILITY INFORMATION IS AVAILABLE WHEN IT IS NEEDED.

  9. NON-REPUDIATION EFFORT TO VALIDATE THAT AN INTENDED RECIPIENT CAN'T DENY HAVING RECEIVED THE INFORMATION, AND TO VALIDATE THAT THE SENDER CAN'T DENY HAVING SENT THE INFORMATION.
  10. TLS - FTW

  11. TLS PROPERTIES ▸ Confidentiality ▸ Integrity ▸ Non-repudiation ▸ Certificates

  12. TLS CONNECTIONS HTTP • SMTP • IMAP • POP • SIP • XMPP
  13. NETWORK STACK

  14. TLS HANDSHAKE

  15. TLS SESSION

  16. HANDSHAKE OVERVIEW

  18. TLS CERTIFICATE ▸ Binds a public key and an identity (DNS) ▸ Authenticates a connection ▸ Signed by a certificate authority
  22. CERTIFICATE AUTHORITY (CA) ▸ Entity recognized as trustworthy ▸ Allowed to issue certificates ▸ Root CA is a (different) thing
  24. ROOT CA ▸ Top-most certificate of a certificate chain ▸ Confers trust: certificates inherit the same trust
  26. CERTIFICATE STORE ▸ Exists in clients (ex: operating systems and web browsers) ▸ Used to validate identity
  27. DEMO

  28. GENERATE A CERTIFICATE
    1. Create host key. This will generate an RSA private/public key pair: `ssh-keygen -f example.com.key`
    2. Generate a CSR (Certificate Signing Request). Using the host key created above, create the CSR: `openssl req -new -key example.com.key -out example.com.csr`
    3. Create a certificate (self-signed): `openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt`
  29. INSTALL CERT ON THE SERVER Sample code: https://gist.github.com/carlisia/c40d9a4f2003140f8d97dd6c56e5420b

  30. BOOT UP THE SERVER
    1. Build the program: `go build main.go`
    2. Change permissions of the binary: `sudo chown root main`, `sudo chmod +s main`
    3. Run the program: `./main`
    4. Access the page: https://localhost/topconferences
  31. RESULT ‣ The client will inform that the cert has not been signed by a recognized authority ‣ Makes sense since ours is a self-signed cert ‣ But it still is a TLS connection
  32. RESULT

  33. TROUBLESHOOTING
    Troubleshoot an SSL cert installation (public hostnames only): https://www.sslshopper.com/ssl-checker.html and https://www.ssllabs.com/ssltest/analyze.html
    Test how a browser implements SSL: https://www.ssllabs.com/ssltest/viewMyClient.html
    Types of potential certificate failures, with examples: https://badssl.com
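The certificate generation of slide 28 and the client result of slide 31, as an added Go example that is not part of the talk or its gist: it builds the same kind of self-signed certificate in process with crypto/x509 and shows why a client rejects it against its default certificate store, accepts it once that store trusts the cert, and still rejects it for a host name it is not bound to. The host name `example.com` and an ed25519 key (the deck used an RSA key from ssh-keygen) are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// SelfSigned is the in-process equivalent of the three openssl steps on slide 28: a fresh
// key pair, then a certificate for host signed by that same key (issuer == subject).
func SelfSigned(host string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // ed25519 stands in for the RSA key
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // the identity the public key is bound to (slide 18)
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

// Verify does what a TLS client does with the server's certificate: chain it to a certificate
// in its store (slide 26) and check that it is valid for host. With no trusted certs given, the
// system store is used, which is why the slide-31 demo reports an unrecognized authority.
func Verify(leaf *x509.Certificate, host string, trusted ...*x509.Certificate) (ok, unknownAuthority bool) {
	var roots *x509.CertPool // nil selects the system store
	if len(trusted) > 0 {
		roots = x509.NewCertPool()
		for _, c := range trusted {
			roots.AddCert(c)
		}
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	var uae x509.UnknownAuthorityError
	return err == nil, errors.As(err, &uae)
}
```

Trusting the cert explicitly is what a browser does when you add the demo certificate to its store; the host-name check still applies, so the cert only ever authenticates the name it was issued for.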