HTTPS Everywhere

Based on the 32C3 talk “What launching a free CA looks like”

Hannes Moser

January 11, 2016
Transcript

  1. HTTPS Everywhere!
     Based on the 32C3 talk “What launching a free CA looks like”
     Hannes Moser – @eliias 2016

  2. HTTPS what?
     HTTPS is just HTTP with encryption and authentication.

  3. Encryption
     Nobody knows (except you and Netflix) which movie you are watching.

  4. Authentication
     You can be sure you are watching the movie on Netflix.

  5. Why?
     » Secure communication
     » The Google bonus
     » It is the new default (HTTP/2)

  6. It was awful

  7. It still is
     » Still servers without SNI support
     » Missing root certificates on mobile devices
     » SSL Hardening
     » Heartbleed
     » Logjam
     » FREAK, BEAST
     » …

  8. StartSSL – Let’s Encrypt to the rescue

  9. Let’s Encrypt
     Is a new Certificate Authority. It’s free, automated, and open.
     In Public Beta. Follows the ACME specification.

  10. ACME
      Automated Certificate Management Environment

  11. Let’s Encrypt – Install

        $ git clone https://git.io/letsencrypt
        $ cd ./letsencrypt
        $ ./letsencrypt-auto --help

  12. (screenshot, no text)

  13. Let’s Encrypt – Install
      You might get a warning/error like this:

        Creating virtual environment…
        Updating letsencrypt and virtual environment dependencies…
        /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
          InsecurePlatformWarning
        Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-TVlyY0/ConfigArgParse
        /root/.local/share/letsencrypt/lib/python2.6/site-packages/pip/_vendor/requests/packages/urllib3/util/ssl_.py:90: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
          InsecurePlatformWarning

      Important part: “A true SSLContext object is not available.”
      It is strongly recommended to upgrade to a newer Python version!¹

      ¹ https://community.letsencrypt.org/t/insecureplatformwarning-on-ubuntu-14-04-w-python-2-7-6/2871

  14. Let’s Encrypt – Install

        letsencrypt --debug

      ATTENTION: At least Ubuntu 14.04/Debian 7 systems are affected by this error.
      http://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning

  15. Let’s Encrypt – Install (screenshot)

  16. Let’s Encrypt – Install
      These plugins are available at the moment:
      - Apache
      - Standalone
      - Webroot (for nginx and other clients)

        ./letsencrypt-auto certonly --webroot -w /www -d abc.xyz -d www.abc.xyz

      Checks for this directory in the webroot: .well-known

  17. Let’s Encrypt – Install
      letsencrypt will automatically create the directory during certificate
      creation, but it must be servable by nginx. Just in case it is not
      working, add the following config to your server:

        location /.well-known {
            allow all;
        }

  18. Server Config

        server {
            listen x.x.x.x:443 ssl;
            server_name abc.xyz;
            root /var/www;
            index index.html;

            ssl on;
            ssl_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;
            ssl_trusted_certificate /etc/letsencrypt/live/abc.xyz/fullchain.pem;
        }

  19. Yuchey!

  20. Location of files

  21. Location of files
      Go to the directory:

        cd /etc/letsencrypt/live
        cd abc.xyz

      Check the files:

        cert.pem
        chain.pem
        fullchain.pem
        privkey.pem

  22. SSL Hardening

  23. SSL Hardening – Diffie-Hellman
      “The Logjam attack allows a man-in-the-middle attacker to downgrade
      vulnerable TLS connections to 512-bit export-grade cryptography.”
      Solution: create your own Diffie-Hellman parameters.

        openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

        ssl_dhparam /etc/ssl/certs/dhparam.pem;

  24. SSL/TLS Hardening
      SSL1, SSL2 are bad. Only use the following SSL/TLS versions when possible.

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

      Do not support outdated or invalid ciphers!

        ssl_ciphers "…:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

  25. SSL Hardening – Analyze
      Loop with SSLLabs SSL Test. Show the big picture now!

  26. SSL Hardening – Public Key Pinning
      HPKP, or why you should not trust your CA!
      MDN – Public Key Pinning

  27. SSL Hardening

  28. Renewal
      Let’s Encrypt certificates will expire after 90 days! Renew manually:

        ./letsencrypt-auto certonly -a webroot --renew-by-default --config le-renew-webroot.ini

  29. Auto renewal
      » Will be part of the ACME specification, but not anytime soon!
      » Use a script + cronjob to renew every 60 days

      le-renew-webroot reads a cli.ini:

        # cli.ini
        rsa-key-size = 4096
        email = box@conc.at
        domains = conc.at, www.conc.at
        webroot-path = /usr/share/nginx/html

  30. Auto renewal – Issues
      You need a script, and you need to install bc on your system.

        apt-get install -y bc

      The script:

        curl -L -o /usr/local/sbin/le-renew-webroot https://goo.gl/QEHVtG
        chmod +x /usr/local/sbin/le-renew-webroot

      /etc/cron.weekly/le-renewal:

        #!/usr/bin/env bash
        le-renew-webroot >> /var/log/le-renewal.log

  31. Demo Time

  32. Resources
      » Let’s Encrypt
      » ACME Spec
      » How To nginx
      » How To Apache
      » Example
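Slides 23 and 24 name the nginx directives to check after switching a site to HTTPS: no SSL protocol versions, the cipher exclusions, and custom Diffie-Hellman parameters against Logjam. The POSIX-shell audit below is an added example, not part of the deck; it runs over two constructed server blocks (a weak one and one using the slides' directives) and prints one FAIL line per finding. The hardened cipher list `HIGH:...` is an illustrative value standing in for the slide's `…`, and the file paths are the slide's own.

```shell
#!/usr/bin/env sh
# Added example, not from the deck: audit an nginx server block for the
# SSL/TLS settings slides 23 and 24 call out (no SSLv2/SSLv3, the cipher
# exclusions from slide 24, custom Diffie-Hellman parameters against Logjam).
# Both configs below are constructed samples; the hardened cipher prefix
# "HIGH" is illustrative, not copied from the deck.

WEAK_CONF=$(mktemp)
HARDENED_CONF=$(mktemp)

# Weak: SSLv3 still enabled, RC4 allowed, no DH parameters.
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name abc.xyz;
    ssl_certificate     /etc/letsencrypt/live/abc.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:MEDIUM:RC4:!aNULL";
}
EOF

# Hardened: the directives from slides 23 and 24.
cat > "$HARDENED_CONF" <<'EOF'
server {
    listen 443 ssl;
    server_name abc.xyz;
    ssl_certificate     /etc/letsencrypt/live/abc.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/abc.xyz/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
}
EOF

# audit_nginx_tls CONF: print one FAIL line per finding; exit 0 only if clean.
audit_nginx_tls() {
    conf=$1
    rc=0

    # ssl_protocols: any SSL version is a finding.
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$conf")
    for bad in SSLv2 SSLv3; do
        case " $protos " in
            *" $bad "*) echo "FAIL: ssl_protocols enables $bad"; rc=1 ;;
        esac
    done

    # ssl_ciphers: every exclusion from slide 24 must be present.
    ciphers=$(sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p' "$conf")
    for excl in '!aNULL' '!eNULL' '!EXPORT' '!DES' '!MD5' '!PSK' '!RC4'; do
        case ":$ciphers:" in
            *":$excl:"*) ;;
            *) echo "FAIL: ssl_ciphers does not exclude ${excl#!}"; rc=1 ;;
        esac
    done

    # ssl_dhparam: without it nginx falls back to a default DH group (the Logjam point).
    grep -q '^[[:space:]]*ssl_dhparam[[:space:]]' "$conf" \
        || { echo "FAIL: no ssl_dhparam, default Diffie-Hellman parameters in use"; rc=1; }

    [ "$rc" -eq 0 ] && echo "PASS: $conf"
    return "$rc"
}

echo "== weak config"
audit_nginx_tls "$WEAK_CONF" || echo "(rejected)"
echo "== hardened config"
audit_nginx_tls "$HARDENED_CONF"
```

The audit only checks what the slides call out, so a PASS means the config matches the deck's recommendations, not that the deployment is current; the SSLLabs loop from slide 25 remains the external check.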
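Slides 28 to 30 describe the renewal problem: 90-day certificates, a script run from cron every 60 days, and a dependency on bc for the date arithmetic. The script below is an added example, not the deck's le-renew-webroot: it decides whether a certificate is within a renewal window using only `openssl x509 -checkend` (which takes seconds, so shell arithmetic replaces bc) and wraps the renewal command so a weekly cron job can run it idempotently. The 30-day self-signed certificate is constructed inline to stand in for /etc/letsencrypt/live/abc.xyz/cert.pem, and `RENEW_CMD` is a hypothetical hook that defaults to echoing the slide 28 command.

```shell
#!/usr/bin/env sh
# Added example, not the deck's le-renew-webroot script: renew only when the
# certificate is close to expiry, using openssl -checkend instead of bc.

# Constructed input: a throwaway self-signed certificate valid for 30 days,
# standing in for /etc/letsencrypt/live/abc.xyz/cert.pem.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=abc.xyz" -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" 2>/dev/null

# cert_expires_within DAYS CERT: exit 0 if CERT's notAfter falls within DAYS
# from now, 1 otherwise. -checkend wants seconds and exits 0 when the
# certificate will NOT expire inside the window, so the result is inverted.
cert_expires_within() {
    days=$1; cert=$2
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null; then
        return 1
    fi
    return 0
}

# RENEW_CMD is a hypothetical hook (not from the deck); in production it would
# be the letsencrypt-auto invocation from slide 28.
RENEW_CMD=${RENEW_CMD:-"echo would run: ./letsencrypt-auto certonly -a webroot --renew-by-default --config le-renew-webroot.ini"}

# renew_if_needed DAYS CERT: log the decision and run $RENEW_CMD only when due,
# so a weekly cron job (slide 30) is safe to run as often as you like.
renew_if_needed() {
    days=$1; cert=$2
    expiry=$(openssl x509 -enddate -noout -in "$cert" | cut -d= -f2)
    if cert_expires_within "$days" "$cert"; then
        echo "$(date -u '+%FT%TZ') renewing: $cert expires $expiry"
        $RENEW_CMD
    else
        echo "$(date -u '+%FT%TZ') ok: $cert expires $expiry, more than $days days away"
    fi
}

# Let's Encrypt issues 90-day certificates and the deck renews every 60 days,
# i.e. once 30 or fewer days remain. The 30-day sample sits at that edge, so
# exercise both outcomes with a 10-day and a 60-day window.
renew_if_needed 10 "$WORK/cert.pem"
renew_if_needed 60 "$WORK/cert.pem"
```

Dropped into /etc/cron.weekly in place of the deck's one-liner, `renew_if_needed 30 /etc/letsencrypt/live/abc.xyz/cert.pem >> /var/log/le-renewal.log` gives the same 60-day cadence while leaving a record of every check, not just every renewal.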