LetsEncrypt : TLS/SSL certs, without the pain

Transcript

1. LetsEncrypt : TLS/SSL certs, without the pain Manan Jadhav

2. SSL/TLS • https:// vs http:// • Encryption AND Trust Mechanism

   • Prevent MITM, phishing, eavesdropping • Green bar • In 2017, a must have

3. Not Secure

4. Secure

5. But wait, how does that work? • Shared Key Encryption

   for communication • Digital Signatures for authentication

6. Shared Key Encryption

7. Digital Signatures / Certificates • Signed using Private Key •

   Verified using Public Key • Certificate Authority ◦ Verifies Ownership ◦ Is audited regularly ◦ Private Keys are kept secure ◦ Public Keys are distributed in browsers

8. TODO : Certificate Authority • Distribute public key to all

   browsers • Maintain security of private keys • Issue certs only after verification • Offer insurance against hacks • Audit regularly • Maintain a revoke list

9. Getting an SSL cert : Long Story 1. Generate CSR

   a. Certificate Signing Request i. Domain Name (Common Name), Organization Name, Location. 2. Upload CSR & Pay 3. Verify ownership (takes minutes/hours) a. DNS, HTTP etc. methods. 4. Download & Install Certificate

10. Why it’s a problem • Time for verification • Manual

    intervention • Errors cause delays • Long-duration certs • And, you have to pay for it
11. None

12. LetsEncrypt • Free, Automated & Open CA • Open doesn’t

    mean less secure • Backed by (ISRG) • Backed by commercial sponsors • Public Acceptance since late 2015

13. Certbot • Helps automate Step 1, 2, 3 & 4

    • Uses “ACME” protocol • https://certbot.eff.org/ • Supports Nginx, Apache and other servers natively

14. Demo Time ! http://test.gdgbaroda.com/ https://test.gddbaroda.com/