HTTPS Everywhere

Based on the 32C3 talk "What launching a free CA looks like"

Hannes Moser

January 11, 2016

Transcript

  1. HTTPS Everywhere
    based on the 32C3 talk "What launching a free CA looks like"
    Hannes Moser – @eliias 2016

  2. HTTPS what?
    HTTPS is just HTTP with encryption and authentication.

  3. Encryption
    Nobody knows (except you and Netflix) which movie you are watching

  4. Authentication
    You can be sure you are watching the movie on Netflix

  5. Why
    » Secure communication
    » The Google bonus
    » It is the new default (HTTP/2)

  6. It was awful

  7. It still is
    » Still servers without SNI support
    » Missing root certificates on mobile devices
    » SSL Hardening
    » Heartbleed
    » Logjam
    » FREAK, BEAST
    » …

  8. StartSSL Let’s Encrypt to the rescue

  9. Let’s Encrypt
    Is a new Certificate Authority. It’s free, automated, and open.
    In public beta
    Follows the ACME specification

  10. ACME
    Automated Certificate Management Environment

  11. Let’s Encrypt – Install
    $ git clone https://git.io/letsencrypt
    $ cd ./letsencrypt
    $ ./letsencrypt-auto --help

  12. (image-only slide, no text)

  13. Let’s Encrypt – Install
    You might get a warning/error like this:
    Creating virtual environment…
    Updating letsencrypt and virtual environment dependencies…
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      InsecurePlatformWarning
    Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-TVlyY0/ConfigArgParse
    /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
      InsecurePlatformWarning
    Important part: "A true SSLContext object is not available."
    It is strongly recommended to upgrade to a newer Python version! [1]
    [1] https://community.letsencrypt.org/t/insecureplatformwarning-on-ubuntu-14-04-w-python-2-7-6/2871

  14. Let’s Encrypt – Install
    letsencrypt --debug
    ATTENTION: at least Ubuntu 14.04/Debian 7 systems are affected by this error.
    http://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

  15. Let’s Encrypt – Install

  16. Let’s Encrypt – Install
    These plugins are available at the moment:
    - Apache
    - Standalone
    - Webroot
    For nginx and other clients:
    ./letsencrypt-auto certonly --webroot -w /www -d abc.xyz -d www.abc.xyz
    Checks for this directory in the webroot:
    .well-known

  17. Let’s Encrypt – Install
    letsencrypt will automatically create the directory during certificate creation, but it must be servable by nginx. Just in case it is not working, add the following config to your server:
    location /.well-known {
        allow all;
    }
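
The webroot plugin only works if the web server actually hands out files from `/.well-known/acme-challenge/`, which is what the two slides above are about. The following pre-flight check is an added example, not code from the deck or from the Let's Encrypt client: it serves a temporary webroot with Python's built-in HTTP server on a loopback port (the deck uses nginx; nginx itself is not started here), writes a constructed token where the ACME client would put it, and verifies that the file comes back over HTTP unchanged. Token value, body and directory names are constructed for the example; the path layout is the one ACME http-01 uses.

```python
"""Pre-flight check for the ACME http-01 webroot challenge path (added example)."""
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.request
from functools import partial

# Directory the client creates below the webroot and the CA fetches from.
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_token(webroot: str, token: str, body: bytes) -> str:
    """Create the challenge file exactly where the ACME client would put it."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(challenge_path, exist_ok=True)
    path = os.path.join(challenge_path, token)
    with open(path, "wb") as fh:
        fh.write(body)
    return path


def fetch_token(base_url: str, token: str) -> bytes:
    """Fetch the challenge over plain HTTP, as the CA's validation server does."""
    url = f"{base_url}/{CHALLENGE_DIR}/{token}"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.read()


def check_webroot(webroot: str, token: str, body: bytes) -> bool:
    """Serve `webroot` on 127.0.0.1 and confirm the token is reachable and intact."""
    write_token(webroot, token, body)
    # SimpleHTTPRequestHandler serves dot-directories such as .well-known as-is;
    # with nginx the equivalent is the `location /.well-known { allow all; }` block.
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:
        port = httpd.server_address[1]
        thread = threading.Thread(target=httpd.serve_forever, daemon=True)
        thread.start()
        try:
            served = fetch_token(f"http://127.0.0.1:{port}", token)
        except Exception as exc:  # 404, connection refused, ...
            print(f"challenge path not reachable: {exc}")
            served = None
        finally:
            httpd.shutdown()
    return served == body


def run_check(token: str, body: bytes) -> bool:
    """Run the check against a throw-away webroot so it works on any machine."""
    with tempfile.TemporaryDirectory() as webroot:
        return check_webroot(webroot, token, body)


if __name__ == "__main__":
    # Constructed token and key-authorization body; real values come from the CA.
    ok = run_check("example-token", b"example-token.constructed-key-authorization")
    print("webroot serves /.well-known/acme-challenge:", ok)
```

Point `check_webroot` at the real webroot (`/www` in the slide's command) to confirm the directory is writable and that the client's files would be reachable before you run `letsencrypt-auto`; with nginx in front you would fetch from its port instead of the throw-away server.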

  18. Server Config
    server {
        listen x.x.x.x:443 ssl;
        server_name abc.xyz;
        root /var/www;
        index index.html;
        ssl on;
        ssl_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
    }

  19. Yuchey!

  20. Location of files

  21. Location of files
    Go to the directory:
    cd /etc/letsencrypt/live
    cd abc.xyz
    Check the files:
    cert.pem chain.pem fullchain.pem privkey.pem

  22. SSL Hardening

  23. SSL Hardening
    Diffie-Hellman
    “The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography.”
    Solution: create your own Diffie-Hellman parameters
    openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

  24. SSL TLS Hardening
    SSL1, SSL2 are bad. Only use the following SSL/TLS versions when possible.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    Do not support outdated or invalid ciphers!
    ssl_ciphers "…:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
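
The two slides above give nginx directives for three hardening points: DH parameter size (Logjam), protocol versions and the cipher list. The following block is an added example, not the deck's configuration, that checks the same three things offline with Python's `ssl` module and a small DER parser: it reads the bit length of p from the PEM that `openssl dhparam` writes, builds a server context with the protocol floor and cipher string, and lists any enabled cipher that the slide's exclusions should have removed. Two deviations from the slides are deliberate and marked in the code: the floor is set at TLS 1.2 (stricter than `TLSv1 TLSv1.1 TLSv1.2`, since TLS 1.0 and 1.1 were deprecated by RFC 8996), and `HIGH` stands in for the part of the cipher string the slide elides with "…". `make_dh_pem` exists only to construct test vectors; it does not generate real parameters, and the numbers fed to it are not primes.

```python
"""Offline checks for the Logjam / protocol / cipher points (added example)."""
from __future__ import annotations

import base64
import ssl

# Substrings that must not appear in any enabled cipher after the slide's exclusions.
FORBIDDEN = ("RC4", "DES", "MD5", "ADH", "AECDH", "NULL", "EXP", "PSK")
# Constructed cipher string: "HIGH" replaces the prefix the slide elides with "...".
CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"


def der_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position of the content)."""
    first = buf[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    count = first & 0x7F                   # long form: next `count` bytes hold the length
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def dh_prime_bits(pem: str) -> int:
    """Bit length of p in a PKCS#3 DHParameter PEM: SEQUENCE { INTEGER p, INTEGER g }."""
    body = "".join(line for line in pem.strip().splitlines() if not line.startswith("-----"))
    der = base64.b64decode(body)
    assert der[0] == 0x30, "expected SEQUENCE"
    _, pos = der_length(der, 1)
    assert der[pos] == 0x02, "expected INTEGER p"
    plen, start = der_length(der, pos + 1)
    return int.from_bytes(der[start:start + plen], "big").bit_length()


def logjam_safe(pem: str, minimum_bits: int = 2048) -> bool:
    """512-bit export groups are what Logjam downgrades to; demand at least 2048."""
    return dh_prime_bits(pem) >= minimum_bits


def make_dh_pem(p: int, g: int = 2) -> str:
    """Encode (p, g) as a DH PARAMETERS PEM. Test-vector helper only, not a generator."""
    def der_len(n: int) -> bytes:
        if n < 0x80:
            return bytes([n])
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(raw)]) + raw

    def der_int(n: int) -> bytes:
        raw = n.to_bytes((n.bit_length() + 8) // 8, "big")  # extra byte keeps it positive
        return b"\x02" + der_len(len(raw)) + raw

    content = der_int(p) + der_int(g)
    der = b"\x30" + der_len(len(content)) + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def hardened_context(ciphers: str = CIPHERS) -> ssl.SSLContext:
    """Server context mirroring the nginx directives on the slides."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Stricter than the slide's `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;`: TLS 1.2 floor.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION | ssl.OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(ciphers)               # counterpart of `ssl_ciphers`
    # ctx.load_dh_params("/etc/ssl/certs/dhparam.pem") would be the counterpart of `ssl_dhparam`.
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> list[str]:
    """Names of enabled ciphers that should have been excluded; empty means the list is clean."""
    return [c["name"] for c in ctx.get_ciphers() if any(tag in c["name"] for tag in FORBIDDEN)]


if __name__ == "__main__":
    # Constructed 2048-bit and 512-bit moduli (not primes) to exercise the parser.
    print("2048-bit group ok:", logjam_safe(make_dh_pem(2**2047 + 1)))
    print("512-bit group ok: ", logjam_safe(make_dh_pem(2**511 + 1)))
    ctx = hardened_context()
    print(len(ctx.get_ciphers()), "ciphers enabled, weak ones:", weak_ciphers(ctx))
```

Run `dh_prime_bits` on the file you generated with `openssl dhparam` to confirm the 4096 bits made it to disk, and `weak_ciphers` on the cipher string you actually put into `ssl_ciphers`; both checks are independent of the running nginx, so they fit a pre-deployment test rather than the SSL Labs loop on the next slide.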

  25. SSL Hardening
    Analyze loop with the SSL Labs SSL Test
    Now show the big picture!

  26. SSL Hardening
    Public Key Pinning (HPKP), or why you should not trust your CA!
    MDN – Public Key Pinning

  27. SSL Hardening

  28. Renewal
    Let’s Encrypt certificates will expire after 90 days!
    Renew manually:
    ./letsencrypt-auto certonly -a webroot --renew-by-default --config le-renew-webroot.ini

  29. Auto renewal
    » Will be part of the ACME specification, but not anytime soon!
    » Use a script + cronjob to renew every 60 days
    le-renew-webroot
    # cli.ini
    rsa-key-size = 4096
    email = [email protected]
    domains = conc.at, www.conc.at
    webroot-path = /usr/share/nginx/html

  30. Auto renewal
    Issues
    You need a script, and bc must be installed on your system.
    apt-get install -y bc
    The script
    curl -L -o /usr/local/sbin/le-renew-webroot https://goo.gl/QEHVtG
    chmod +x /usr/local/sbin/le-renew-webroot
    /etc/cron.weekly/le-renewal
    #!/usr/bin/env bash
    le-renew-webroot >> /var/log/le-renewal.log
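
The three renewal slides describe a weekly cron job that checks how long the certificate has left and re-runs the manual command from slide 28 when it is time. The block below is an added example of that decision logic, not the `le-renew-webroot` script the deck links to: it parses the `notAfter` line as `openssl x509 -enddate -noout` prints it (so no `bc` date arithmetic is needed), computes the days left, renews when fewer than 30 remain (every 60 days of the 90-day lifetime, as the slide says) and returns a log line for `/var/log/le-renewal.log`. The renewal argv is the slide's command; the sample `notAfter` value and clock readings are constructed, and only `read_enddate` and the non-dry-run branch touch a real system.

```python
"""Renewal decision for a cron job (added example, not the deck's script)."""
from __future__ import annotations

import shlex
import subprocess
from datetime import datetime, timezone

RENEW_BEFORE_DAYS = 30                  # 90-day certificate, renew after 60 days
LIVE_DIR = "/etc/letsencrypt/live"      # where the client keeps cert.pem (slide 21)
CONFIG = "le-renew-webroot.ini"         # the cli.ini from slide 29


def as_utc(value: datetime | str) -> datetime:
    """Accept an aware datetime or a constructed 'YYYY-MM-DD HH:MM' clock reading."""
    if isinstance(value, str):
        return datetime.strptime(value, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def parse_not_after(enddate_line: str) -> datetime:
    """Parse 'notAfter=Apr 11 12:00:00 2016 GMT' into an aware UTC datetime."""
    _, _, value = enddate_line.strip().partition("=")
    value = value.replace("GMT", "").strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def days_left(enddate_line: str, now: datetime | str) -> int:
    """Whole days until expiry; negative once the certificate has expired."""
    return (parse_not_after(enddate_line) - as_utc(now)).days


def needs_renewal(enddate_line: str, now: datetime | str,
                  threshold: int = RENEW_BEFORE_DAYS) -> bool:
    return days_left(enddate_line, now) < threshold


def renew_command(config: str = CONFIG) -> list[str]:
    """The manual renewal command from slide 28 as an argv list for subprocess."""
    return ["./letsencrypt-auto", "certonly", "-a", "webroot",
            "--renew-by-default", "--config", config]


def read_enddate(cert_path: str) -> str:
    """Ask openssl for the notAfter line; this is the only call that needs a real cert."""
    result = subprocess.run(["openssl", "x509", "-enddate", "-noout", "-in", cert_path],
                            check=True, capture_output=True, text=True)
    return result.stdout


def cron_tick(domain: str, enddate_line: str, now: datetime | str, dry_run: bool = True) -> str:
    """One run of the weekly job: decide, optionally renew, and return the log line."""
    stamp = f"{as_utc(now):%Y-%m-%d}"
    left = days_left(enddate_line, now)
    if not needs_renewal(enddate_line, now):
        return f"{stamp} {domain}: {left} days left, no renewal needed"
    cmd = renew_command()
    if not dry_run:
        subprocess.run(cmd, check=True)  # runs letsencrypt-auto from the checkout directory
    return f"{stamp} {domain}: {left} days left, renewing: {shlex.join(cmd)}"


if __name__ == "__main__":
    # Constructed sample in place of read_enddate(f"{LIVE_DIR}/abc.xyz/cert.pem").
    sample = "notAfter=Apr 11 12:00:00 2016 GMT\n"
    print(cron_tick("abc.xyz", sample, "2016-03-20 12:00"))
    print(cron_tick("abc.xyz", sample, "2016-02-01 00:00"))
```

In the real cron script, replace the constructed sample with `read_enddate(f"{LIVE_DIR}/{domain}/cert.pem")`, pass `dry_run=False`, and append the returned line to `/var/log/le-renewal.log` as the slide's one-liner does; the threshold check means the weekly job is harmless on the weeks when nothing needs to happen.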

  31. Demo Time

  32. Resources
    » Let’s Encrypt
    » ACME Spec
    » How To nginx
    » How To Apache
    » Example