Getting Started with SSL

Introductions to terminology and process around securing a site, delivered at WordCamp San Diego 2016

Erick Hitter

April 24, 2016
Transcript

  1. ethitter.com Getting Started with SSL Erick Hitter @ethitter https://ethitter.com/

  2. FIRST: Why Bother?

  3. Why?
     • Protects data submitted in forms, including the WordPress login.
     • Much harder to “snoop” on secure traffic.
     • Google gives a bit of consideration to a site’s use of SSL, and will likely increase its importance.
     • New technologies largely negate performance concerns.

  4. Why Not?
     • Mixed-content warnings from items that don’t support SSL
     • Ad providers have been slow to adopt
     • Performance
  5. SECOND: Terminology

  6. Encrypted versus unencrypted
     • Unencrypted data is plainly readable by humans and anything else that can access it
     • Encrypted data must be processed before it can be read

  7. Cipher Suites
     • Define how a browser establishes a secure connection with a server
     • Specify several components of a secure connection, including encryption type

  8. Three things that all mean the same thing*
     • HTTPS
     • SSL
     • TLS
     * Not quite, but we’ll get to that; https://vimeo.com/88500528

  9. HTTPS
     • Secure Hypertext Transfer Protocol
     • aka HTTP over TLS, HTTP over SSL, or HTTP Secure
     • Web traffic delivered with some type of encryption

  10. SSL
     • Secure Sockets Layer
     • Used synonymously with HTTPS
     • Actually the name of a type of security used for data communications
     • Technology isn’t (shouldn’t be) used anymore, but the term persists

  11. TLS
     • Transport Layer Security
     • Modern encryption approach used in place of SSL
     • More often than not, when someone says SSL, they really mean TLS

  12. Aside: Protocol Versions
     • Multiple versions of both SSL and TLS exist
     • No versions of SSL are considered secure
     • TLSv1 was, essentially, SSLv4
     • Only TLS v1.1 and v1.2 are secure
  13. Certificate
     • A cryptographic convention that:
       • confirms domain control,
       • provides some “ownership” information to the browser, and
       • plays a role in encrypting traffic.

  14. Seriously, what is a certificate?
     • A collection of information used to secure communications
     • Involves multiple parties, as part of a trust model
     • Uses public-key infrastructure (PKI)

  15. Certificate Authority (CA)
     • Independent organization that provides certificates
     • Verifies some information to ensure a level of trust
     • Relies on browsers trusting CAs
     • Examples include: Comodo, Verisign, GoDaddy, StartSSL, and Let’s Encrypt

  16. Certificate issuance also comes in threes
     • Certificate signing request
     • Private key
     • Leaf certificate

  17. CSR
     • Certificate signing request
     • An entity that needs a certificate provides basic biographic data
     • Most importantly, lists which domains are to be secured
     • Signed with a private key

  18. Private key
     • Encrypted string used to unlock the certificate provided by the CA
     • The CSR produces, or uses an existing, private key
     • The key is never shared, and should never leave the server it’s used on (generally)

  19. Leaf certificate
     • Issued by a certificate authority
     • Expires with some frequency
     • Generated using the CSR
     • Unlocked using the private key
  20. Certificate trust types
     • Depend on how a domain is confirmed
     • Advanced types generally only needed by large, significant organizations

  21. Domain Validation (DV)
     • Ownership confirmed using:
       • WHOIS email records,
       • DNS entries, or
       • A file added to the server.
     • Also known as “domain-control validated”

  22. Organization Validation (OV)
     • CA performs domain-control verification
     • CA also validates the organization per its requirements

  23. Extended Validation (EV)
     • Considerably more-thorough version of organization validation
     • Doesn’t support wildcard certificates
     • Only way to display the organization name in the address bar

  24. Certificate components
     • Root certificate
     • Intermediate certificate
     • Leaf certificate

  25. Root certificate
     • Certificate that browsers and devices trust
     • Specific to the CA that issues a certificate

  26. Intermediate certificate
     • Provided by the CA
     • Associates the domain certificate with the root certificate
     • CAs often have multiple

  27. Leaf certificate
     • Specific to the domains listed in the CSR
     • Contains organization information

  28. Wildcard certificate
     • Rather than listing every subdomain, a certificate covers any subdomain
     • *.ethitter.com versus ethitter.com, www.ethitter.com, i.ethitter.com, etc.
  29. Questions before I continue?

  30. THIRD: Certificate Authorities

  31. Let’s Encrypt
     • Free
     • Certificates are valid for three (3) months
     • Simple command-line tools to issue certificates
     • Many services are adding free SSL support using this CA
     • Doesn’t support wildcard domains
     • Only allows domain validation
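Slides 27, 28 and 31 together describe what an operator actually has to verify on a running site: that the names in the leaf certificate (a wildcard or an explicit list) cover the hostname, and that a short-lived certificate is renewed in time. The following Python is an added example, not code from the talk or from ethitter.com; it uses only the standard library, the certificate dict is a constructed sample in the format ssl.getpeercert() returns, and the 30-day renewal window is an assumed policy.

```python
# Added example (not from the talk): check that a certificate covers a
# hostname and how many days remain before it expires. Stdlib only.
import ssl


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against a hostname, case-insensitively.
    A '*' is honoured only as the entire leftmost label and stands for exactly
    one label: '*.ethitter.com' covers 'www.ethitter.com' but not 'ethitter.com'."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False  # a wildcard anywhere else is rejected
    return len(p) == len(h) and p[1:] == h[1:] and h[0] != ""


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry of the cert covers hostname."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(name_matches(san, hostname) for san in sans)


def cert_time(text: str) -> float:
    """Parse a notBefore/notAfter string such as 'Jul 24 00:00:00 2016 GMT'."""
    return ssl.cert_time_to_seconds(text)


def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days from `now` (epoch seconds) until the cert's notAfter."""
    return int((cert_time(cert["notAfter"]) - now) // 86400)


def check(cert: dict, hostname: str, now: float, renew_within: int = 30) -> dict:
    """Coverage plus renewal status; renew_within=30 days is an assumed policy."""
    days = days_until_expiry(cert, now)
    return {"covers": cert_covers(cert, hostname),
            "days_left": days, "renew": days <= renew_within}


# Constructed sample: a wildcard cert with a 90-day window like Let's Encrypt.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.ethitter.com"),),
    "notBefore": "Apr 25 00:00:00 2016 GMT",
    "notAfter": "Jul 24 00:00:00 2016 GMT",
}
```

Running `check(SAMPLE_CERT, "ethitter.com", now)` reports `covers: False`, which is exactly the bare-domain gap the wildcard slide warns about.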
  32. StartSSL
     • Also offers free certificates, along with paid certificates incorporating advanced features
     • Free certificates are valid for one (1) year
     • Paid certificates are valid for two (2) years
     • Wildcard domains are allowed with paid options
     • Paid certificates support organization and extended validation

  33. Comodo, Symantec, GoDaddy, Digicert, etc.
     • Offer paid certificates of various durations
     • Support all certificate types
  34. FOURTH: Obtaining a certificate

  35. Let’s Encrypt
     • Provides a command-line tool to request and renew certificates
     • API is also publicly accessible
     • Uses the new ACME protocol
     • More at: https://r.eth.pw/p/20/

  36. Other providers
     1. Generate a CSR for the domain(s) to secure
     2. Submit the CSR to the certificate authority
     3. Complete domain verification according to the CA’s procedures
     4. CA provides the leaf certificate

  37. FIFTH: Installing a certificate

  38. Let’s Encrypt
     • Tool can configure Apache automatically
     • nginx support is coming
     • Can also generate certificates for manual installation

  39. All others
     • CA will provide intermediate and leaf certificates
     • Server software is manually configured
     • Comodo provides many installation guides: https://r.eth.pw/p/17/

  40. Thanks
     Erick Hitter @ethitter https://ethitter.com/ https://ethitter.com/p/6677/