
HTTPS Everywhere

Based on the 32C3 talk "What launching a free CA looks like"

Hannes Moser

January 11, 2016

Transcript

  1. HTTPS Everywhere

     Based on the 32C3 talk "What launching a free CA looks like"
     Hannes Moser – @eliias 2016
  2. Encryption

     Nobody (except you and Netflix) knows which movie you are watching.
  3. Authentication

     You can be sure you are watching the movie on Netflix, and not on a look-alike site.
  4. Why

     » Secure communication
     » The Google bonus (HTTPS is a ranking signal)
     » It is the new default: browsers only speak HTTP/2 over TLS
  5. It still is

     » Still servers without SNI support
     » Missing root certificates on mobile devices
     » SSL hardening
     » Heartbleed
     » Logjam
     » FREAK, BEAST
     » …
  6. Let’s Encrypt

     Let’s Encrypt is a new Certificate Authority. It’s free, automated, and open.
     In public beta (as of this talk).
     Follows the ACME specification.
  7. Let’s Encrypt – Install

     $ git clone https://git.io/letsencrypt
     $ cd ./letsencrypt
     $ ./letsencrypt-auto --help
  8. Let’s Encrypt – Install

     You might get a warning/error like this:

       Creating virtual environment…
       Updating letsencrypt and virtual environment dependencies…
       /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
         InsecurePlatformWarning
       Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-TVlyY0/ConfigArgParse
       /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: (the same warning is printed a second time)

     The important part: "A true SSLContext object is not available."
     It is strongly recommended to upgrade to a newer Python version.[1]

     [1] https://community.letsencrypt.org/t/insecureplatformwarning-on-ubuntu-14-04-w-python-2-7-6/2871
  9. Let’s Encrypt – Install

     Workaround: run the client with the debug flag.

       ./letsencrypt-auto --debug

     ATTENTION: at least Ubuntu 14.04 and Debian 7 systems are affected by this error. Their Python has no real SSLContext (that needs Python 2.7.9 or newer), which is exactly what the warning says.
     http://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning
  10. Let’s Encrypt – Install

     These plugins are available at the moment:
       - Apache
       - Standalone
       - Webroot (for nginx and other servers)

       ./letsencrypt-auto certonly --webroot -w /www -d abc.xyz -d www.abc.xyz

     The webroot plugin writes a challenge token into <webroot>/.well-known/acme-challenge/ and the CA fetches it over plain HTTP, so that directory must be reachable from the internet under http://abc.xyz/ and http://www.abc.xyz/.
  11. Let’s Encrypt – Install

     letsencrypt will create the directory automatically during certificate creation, but nginx must be able to serve it. Just in case it is not working, add the following to the server block that listens on port 80 (if you redirect HTTP to HTTPS, the redirect is followed, but the target must serve the path as well):

       location /.well-known {
           allow all;
       }
  12. Server Config

       server {
           listen x.x.x.x:443 ssl;
           server_name abc.xyz;
           root /var/www;
           index index.html;

           ssl on;   # redundant with "listen ... ssl", harmless
           ssl_certificate     /etc/letsencrypt/live/abc.xyz/fullchain.pem;
           ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;
           # only consulted when ssl_stapling_verify (OCSP stapling) or
           # ssl_verify_client is enabled
           ssl_trusted_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
       }
  13. Location of files

     Go to the directory:

       cd /etc/letsencrypt/live/abc.xyz

     Check the files (symlinks to the current versions in /etc/letsencrypt/archive/abc.xyz/):

       cert.pem       the server (leaf) certificate
       chain.pem      the intermediate certificate(s)
       fullchain.pem  cert.pem followed by chain.pem; this is what ssl_certificate wants
       privkey.pem    the private key; keep it readable by root only
  14. SSL Hardening – Diffie-Hellman

     "The Logjam attack allows a man-in-the-middle attacker to downgrade vulnerable TLS connections to 512-bit export-grade cryptography."

     Solution: create your own Diffie-Hellman parameters (2048 bits is the minimum; 4096 takes considerably longer to generate) and point nginx at the same file:

       openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
       ssl_dhparam /etc/ssl/certs/dhparam.pem;
  15. SSL/TLS Hardening

     SSLv2 and SSLv3 are broken. Only enable the following TLS versions when possible:

       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

     Do not support outdated or invalid ciphers!

       ssl_ciphers "…:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  16. SSL Hardening – Analyze

     Loop: change the config, re-test with the SSL Labs SSL Test, repeat until the grade is where you want it.
     [Speaker note: show the big picture now!]
  17. SSL Hardening – Public Key Pinning

     HPKP, or why you should not trust your CA!
     MDN – Public Key Pinning

     Caveat: a wrong pin set or a lost key locks your own users out for the whole max-age, so always pin a backup key and test with Public-Key-Pins-Report-Only first. Browsers have since removed HPKP support.
  18. Renewal

     Let’s Encrypt certificates expire after 90 days!

     Renew manually:

       ./letsencrypt-auto certonly -a webroot --renew-by-default --config le-renew-webroot.ini
  19. Auto renewal

     » Will be part of the ACME specification, but not anytime soon!
     » Use a script + cronjob to renew every 60 days

     le-renew-webroot.ini (cli.ini syntax):

       rsa-key-size = 4096
       email = [email protected]
       domains = conc.cat, www.conc.at
       webroot-path = /usr/share/nginx/html
  20. Auto renewal – Issues

     You need a script, and bc installed on your system:

       apt-get install -y bc

     The script:

       curl -L -o /usr/local/sbin/le-renew-webroot https://goo.gl/QEHVtG
       chmod +x /usr/local/sbin/le-renew-webroot

     /etc/cron.weekly/le-renewal:

       #!/usr/bin/env bash
       le-renew-webroot >> /var/log/le-renewal.log

     Caveat: this fetches an unreviewed script through a URL shortener and drops it into root's PATH to be run by cron. Read it before making it executable, and prefer a link to a fixed revision over a shortened URL.
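As an added example for this page (not the le-renew-webroot script referenced on the slides), here is a minimal cron-friendly renewal check. It uses `openssl x509 -checkend` to decide whether the certificate is inside the renewal window before calling the client, so the weekly cron job does nothing until renewal is actually due; with 90-day certificates a 30-day window means renewing at the 60-day mark the slide suggests. The certificate path, the threshold and the renewal command are assumptions passed in by the caller; `openssl` is assumed to be installed.

```shell
#!/usr/bin/env bash
# le-renew-check: renew a Let's Encrypt certificate only when it is close to
# expiry, instead of blindly re-issuing on a fixed schedule.
#
# Added example, not the script from the slides. Assumptions (not from the
# deck): certificate path, renewal window and renewal command come from the
# caller; `openssl` is available.
set -euo pipefail

# cert_expires CERT
# Print the notAfter date of a PEM certificate (for the log line).
cert_expires() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# needs_renewal CERT DAYS
# Returns 0 (true) when CERT expires within DAYS days, 1 otherwise.
# `openssl x509 -checkend N` succeeds only if the certificate is still valid
# N seconds from now, so its result is inverted here.
needs_renewal() {
  local cert="$1" days="$2"
  if openssl x509 -in "$cert" -noout -checkend "$(( days * 86400 ))" >/dev/null; then
    return 1
  fi
  return 0
}

# renew_if_needed CERT DAYS CMD [ARGS...]
# Runs CMD only when needs_renewal says so. Returns 0 whether or not a
# renewal was attempted, so a "nothing to do" run is not a cron failure;
# if the renewal command itself fails, its exit status is returned.
renew_if_needed() {
  local cert="$1" days="$2"
  shift 2
  if ! needs_renewal "$cert" "$days"; then
    echo "$(date -u +%FT%TZ) $cert valid until $(cert_expires "$cert"); nothing to do"
    return 0
  fi
  echo "$(date -u +%FT%TZ) $cert expires $(cert_expires "$cert"); renewing"
  "$@"
}

# Invoked with arguments, the script acts as the cron entry point, e.g.
#   le-renew-check /etc/letsencrypt/live/abc.xyz/cert.pem 30 \
#     ./letsencrypt-auto certonly -a webroot --renew-by-default \
#     --config le-renew-webroot.ini
# (paths and config name as on the slides, assumed to exist on your host).
# Without arguments it only defines the functions, so it can be sourced.
if [ "$#" -ge 3 ]; then
  renew_if_needed "$@"
fi
```

The renewal command can be a small wrapper that runs the client and then `nginx -s reload`, so the server only reloads when a new certificate was actually written. Because `renew_if_needed` returns 0 on the no-op path, `set -e` and cron's exit-status mail stay quiet until something really fails.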
  21. Resources

     » Let’s Encrypt
     » ACME Spec
     » How To nginx
     » How To Apache
     » Example