Getting Started with SSL

Introductions to terminology and process around securing a site, delivered at WordCamp San Diego 2016

Erick Hitter

April 24, 2016

Transcript

  1. Why?
     • Protects data submitted in forms, including the WordPress login.
     • Much harder to “snoop” on secure traffic.
     • Google gives a bit of consideration to a site’s use of SSL, and will likely increase its importance.
     • New technologies largely negate performance concerns.

  2. Why Not?
     • Mixed-content warnings from items that don’t support SSL
     • Ad providers have been slow to adopt
     • Performance

  3. Encrypted versus unencrypted
     • Unencrypted data is plainly readable by humans and anything else that can access it
     • Encrypted data must be processed before it can be read

  4. Cipher Suites
     • Define how a browser establishes a secure connection with a server
     • Specify several components of a secure connection, including encryption type

  5. Three things that all mean the same thing*
     • HTTPS
     • SSL
     • TLS
     * Not quite, but we’ll get to that; https://vimeo.com/88500528

  6. HTTPS
     • Secure Hypertext Transfer Protocol
     • aka HTTP over TLS, HTTP over SSL, or HTTP Secure
     • Web traffic delivered with some type of encryption

  7. SSL
     • Secure Sockets Layer
     • Used synonymously with HTTPS
     • Actually the name of a type of security used for data communications
     • Technology isn’t (shouldn’t be) used anymore, but the term persists

  8. TLS
     • Transport Layer Security
     • Modern encryption approach used in place of SSL
     • More often than not, when someone says SSL, they really mean TLS

  9. Aside: Protocol Versions
     • Multiple versions of both SSL and TLS exist
     • No versions of SSL are considered secure
     • TLSv1 was, essentially, SSLv4
     • Only TLS v1.1 and v1.2 are secure

  10. Certificate
     • A cryptographic convention that:
       • confirms domain control,
       • provides some “ownership” information to the browser, and
       • plays a role in encrypting traffic.

  11. Seriously, what is a certificate?
     • A collection of information used to secure communications
     • Involves multiple parties, as part of trust model
     • Uses public-key infrastructure (PKI)

  12. Certificate Authority (CA)
     • Independent organization that provides certificates
     • Verifies some information to ensure a level of trust
     • Relies on browsers trusting CAs
     • Examples include: Comodo, Verisign, GoDaddy, StartSSL, and Let’s Encrypt

  13. CSR
     • Certificate signing request
     • An entity that needs a certificate provides basic biographic data
     • Most importantly, lists which domains are to be secured
     • Signed with a private key

  14. Private key
     • Encrypted string used to unlock the certificate provided by the CA
     • The CSR produces, or uses an existing, private key
     • The key is never shared, and should never leave the server it’s used on (generally)

  15. Leaf certificate
     • Issued by a certificate authority
     • Expires with some frequency
     • Generated using the CSR
     • Unlocked using the private key

  16. Certificate trust types
     • Depend on how a domain is confirmed
     • Advanced types generally only needed by large, significant organizations

  17. Domain Validation (DV)
     • Ownership confirmed using:
       • WHOIS email records,
       • DNS entries, or
       • A file added to the server.
     • Also known as “domain-control validated”

  18. Extended Validation (EV)
     • Considerably more thorough version of organization validation
     • Doesn’t support wildcard certificates
     • Only way to display organization name in address bar

  19. Root certificate
     • Certificate that browsers and devices trust
     • Specific to the CA that issues a certificate

  20. Intermediate certificate
     • Provided by the CA
     • Associates the domain certificate with the root certificate
     • CAs often have multiple

  21. Leaf certificate
     • Specific to the domains listed in the CSR
     • Contains organization information

  22. Wildcard certificate
     • Rather than listing every subdomain, a certificate covers any subdomain
     • *.ethitter.com versus ethitter.com, www.ethitter.com, i.ethitter.com, etc.

  23. Let’s Encrypt
     • Free
     • Certificates are valid for three (3) months
     • Simple command-line tools to issue certificates
     • Many services are adding free SSL support using this CA
     • Doesn’t support wildcard domains
     • Only allows domain validation

  24. StartSSL
     • Also offers free certificates, along with paid certificates incorporating advanced features
     • Free certificates are valid for one (1) year
     • Paid certificates are valid for two (2) years
     • Wildcard domains are allowed with paid options
     • Paid certificates support organization and extended validation

  25. Comodo, Symantec, GoDaddy, Digicert, etc.
     • Offer paid certificates of various durations
     • Support all certificate types

  26. Let’s Encrypt
     • Provides command-line tool to request and renew certificates
     • API is also publicly accessible
     • Uses new ACME protocol
     • More at: https://r.eth.pw/p/20/

  27. Other providers
     1. Generate a CSR for the domain(s) to secure
     2. Submit CSR to certificate authority
     3. Complete domain verification according to CA’s procedures
     4. CA provides leaf certificate

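The following shell script is an added example; it is not part of the deck and not any CA's tooling. It walks the four-step procedure of slide 27 against a throwaway root and intermediate CA built locally with openssl, so the root/intermediate/leaf chain of slides 19 to 21, the CSR and private key of slides 13 to 15, and the wildcard subject alternative name of slide 22 can all be inspected offline. It assumes an openssl binary of version 1.1.1 or newer (for -addext and -verify_hostname); the CA names and example.com are constructed values.

```shell
#!/bin/sh
# Added example (not from the deck, not any CA's tooling): a throwaway PKI built with
# openssl to walk the slide-27 procedure offline. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"                  # scratch directory for keys and certs
SAN="DNS:example.com,DNS:*.example.com"       # domains the CSR asks to secure (slide 22)

# Extension file for the issuing step. The issuing CA, not the CSR, decides what goes
# into the certificate: 'openssl x509 -req' ignores CSR extensions before OpenSSL 3.0.
write_ext() {  # $1 = output path, $2 = CA:TRUE or CA:FALSE, $3 = SAN list (leaf only)
  printf 'basicConstraints=critical,%s\n' "$2" > "$1"
  if [ "$2" = "CA:TRUE" ]; then
    printf 'keyUsage=critical,keyCertSign,cRLSign\n' >> "$1"
  else
    printf 'keyUsage=critical,digitalSignature,keyEncipherment\n' >> "$1"
    printf 'extendedKeyUsage=serverAuth\nsubjectAltName=%s\n' "${3:-}" >> "$1"
  fi
}

# Slide 19: the root is self-signed; a browser trusts it directly.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Toy Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" >/dev/null 2>&1
  write_ext "$WORK/root.ext" CA:TRUE
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" >/dev/null 2>&1
}

# Slide 20: the intermediate is signed by the root and signs leaves on its behalf.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Toy Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" >/dev/null 2>&1
  write_ext "$WORK/inter.ext" CA:TRUE
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/inter.ext" -out "$WORK/inter.pem" >/dev/null 2>&1
}

# Slide 27 step 1 (slides 13-14): the site operator makes a private key and a CSR that
# lists the domains and is signed with that key. Only the CSR leaves the server.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=example.com" \
    -addext "subjectAltName=$SAN" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl req -in "$WORK/leaf.csr" -noout -verify >/dev/null 2>&1   # CSR self-signature is valid
}

# Slide 27 step 4 (slides 15, 21): the CA turns the CSR into a short-lived leaf.
issue_leaf() {
  write_ext "$WORK/leaf.ext" CA:FALSE "$SAN"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 90 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

build_pki() { make_root && make_intermediate && make_csr && issue_leaf; }

# What the browser does: chain leaf -> intermediate -> trusted root.
verify_chain() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# The common mis-installation behind slide 29: serving the leaf without its intermediate.
# The root alone cannot vouch for the leaf; returns 0 when verification fails as it should.
chain_requires_intermediate() {
  if openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# Slide 14: the private key "unlocks" the certificate, i.e. its public half is the
# key embedded in the leaf.
leaf_key_matches_cert() {
  [ "$(openssl pkey -in "$WORK/leaf.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/leaf.pem" -pubkey -noout 2>/dev/null)" ]
}

# Slide 22: hostname matching against the SAN list; '*' covers exactly one label.
covers() {  # $1 = hostname
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Stand-alone run: build everything and report.
build_pki
echo "files in $WORK"
verify_chain && echo "leaf + intermediate + root: verifies"
chain_requires_intermediate && echo "leaf without intermediate: does not verify"
leaf_key_matches_cert && echo "private key matches leaf certificate"
for h in example.com www.example.com a.b.example.com other.net; do
  if covers "$h"; then echo "$h: covered"; else echo "$h: not covered"; fi
done
```

Run it with `sh`; it leaves root.pem, inter.pem, leaf.key, leaf.csr and leaf.pem in `$WORK` for inspection with `openssl x509 -in ... -noout -text`. Two things worth noticing: the leaf only verifies when the intermediate is supplied alongside it, which is exactly the file a CA hands over in slide 29 and the one most often left out of a server configuration, and the SAN list in the CSR is only a request; the extension file passed to the issuing command is what actually lands in the certificate.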
  28. Let’s Encrypt
     • Tool can configure Apache automatically
     • nginx support is coming
     • Can also generate certificates for manual installation

  29. All others
     • CA will provide intermediate and leaf certificates
     • Server software is manually configured
     • Comodo provides many installation guides: https://r.eth.pw/p/17/