LetsEncrypt : TLS/SSL certs, without the pain

This talk was presented at GDG Devfest Baroda 2017.

Manan Jadhav

October 01, 2017

Transcript

  1. SSL/TLS
    • https:// vs http://
    • Encryption AND Trust Mechanism
    • Prevent MITM, phishing, eavesdropping
    • Green bar
    • In 2017, a must have
  2. But wait, how does that work?
    • Shared Key Encryption for communication
    • Digital Signatures for authentication
  3. Digital Signatures / Certificates
    • Signed using Private Key
    • Verified using Public Key
    • Certificate Authority
      ◦ Verifies Ownership
      ◦ Is audited regularly
      ◦ Private Keys are kept secure
      ◦ Public Keys are distributed in browsers
  4. TODO : Certificate Authority
    • Distribute public key to all browsers
    • Maintain security of private keys
    • Issue certs only after verification
    • Offer insurance against hacks
    • Audit regularly
    • Maintain a revoke list
  5. Getting an SSL cert : Long Story
    1. Generate CSR
      a. Certificate Signing Request
        i. Domain Name (Common Name), Organization Name, Location.
    2. Upload CSR & Pay
    3. Verify ownership (takes minutes/hours)
      a. DNS, HTTP etc. methods.
    4. Download & Install Certificate
  6. Why it’s a problem
    • Time for verification
    • Manual intervention
    • Errors cause delays
    • Long-duration certs
    • And, you have to pay for it
  7. LetsEncrypt
    • Free, Automated & Open CA
    • Open doesn’t mean less secure
    • Backed by (ISRG)
    • Backed by commercial sponsors
    • Public Acceptance since late 2015
  8. Certbot
    • Helps automate Step 1, 2, 3 & 4
    • Uses “ACME” protocol
    • https://certbot.eff.org/
    • Supports Nginx, Apache and other servers natively
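
The signing and verification described in slides 3 to 5, as an added example that is not part of the talk: a throwaway CA signs a CSR with its private key, and a client accepts the certificate only when that CA's public certificate is in its trust store. The CA names, the `example.test` subject, the file prefixes and the function names are all constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: throwaway CAs and the example.test subject are constructed values.

make_ca() {      # $1 = file prefix, $2 = CA name; self-signed root, like those shipped in browsers
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

make_csr() {     # $1 = file prefix; slide 5 step 1: key pair plus CSR with CN, O and location
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/C=IN/L=Vadodara/O=Example Org/CN=www.example.test" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

csr_ok() {       # $1 = file prefix; the CSR is signed with the applicant's own private key
  openssl req -in "$1.csr" -noout -verify 2>&1 | grep -q "verify OK"
}

issue_cert() {   # $1 = CA prefix, $2 = server prefix; the CA signs with its private key
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -sha256 -days 1 -out "$2.crt" 2>/dev/null
}

trusted_by() {   # $1 = CA prefix, $2 = server prefix; checking needs only the CA's public cert
  openssl verify -CAfile "$1.crt" "$2.crt" >/dev/null 2>&1
}

# Runs in a subshell; exits 0 only if every check behaves as expected.
run_demo() (
  rc=0
  d=$(mktemp -d) || exit 1
  make_ca "$d/ca" "Demo Root CA" && make_ca "$d/other" "Unrelated CA" &&
    make_csr "$d/srv" && csr_ok "$d/srv" && issue_cert "$d/ca" "$d/srv" || rc=1
  if [ "$rc" -eq 0 ]; then
    trusted_by "$d/ca" "$d/srv" && echo "issuing CA in trust store: accepted" || rc=1
    trusted_by "$d/other" "$d/srv" && rc=1 || echo "only unrelated CA in trust store: rejected"
  fi
  rm -rf "$d"
  exit "$rc"
)

run_demo
```

The certificate here carries no Subject Alternative Name, so it shows the signature chain only and is not one a browser would accept for a hostname.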