
[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale


The push for a more secure web got a boost two years ago when Let’s Encrypt, a free, automated certificate authority, was made available to everyone. It only takes a command-line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes while detailing the available tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 13, 2018

Transcript

  2. Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    Mid-Atlantic Developer Conference 2018

  3. Why HTTPS?
    Why HTTPS?
    “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  4. Yahoo! Homepage in 1994 (https://www.flickr.com/photos/yodelanecdotal/3740158785)

  5. Netscape Navigator, v1.0, 1994

  6. Security
    “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  7. Privacy
    “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/[email protected]/13844066275/)

  8. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  12. HTTP/2

  13. What does HTTPS mean?
    “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  14. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/)
    Encryption

  15. Authentication
    “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  16. Certificate
    X.509 in PEM format

  17. 1. Public Key
    2. Subject
    3. Signature
    There’s no outline view...

  18. Web of
    Trust
    “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  19. Authority
    “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  20. Getting
    Certificates
    “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  22. ACME
    “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  23. Automated
    “teeth” by artethgray (https://www.flickr.com/photos/[email protected]/4857336929/)

  24. sudo certbot --apache

  25. 12 6,18 * * * certbot renew -q

  26. Scaling
    “Diving Maldives: Large school of Kashmir Snapper” by Mal B (https://www.flickr.com/photos/mal-b/6834470100/)

  27. Distinguished
    Name

  28. CN = www.microsoft.com
    OU = Microsoft Corporation
    O = Microsoft Corporation
    L = Redmond
    ST = WA
    C = US

  29. Subject
    Alternative
    Name

  30. Common Name

  31. 4
    2
    2
    NaN
    2

  32. Tooling
    “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  33. Acme PHP

  34. [example.com, ...]

    new-cert

    authz

    complete

  35. [example.com, ...]

    new-authz

    new-cert

  37. Challenges
    Domain
    Queue
    Acme PHP
    Certificate
    Queue
    Issuance

  38. Renewals
    “Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  39. 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 65 69 73 77 81 85 89 93 97
    101
    105
    109
    113
    117
    0
    2000
    4000
    6000
    8000
    10000
    12000
    Day
    Domains

  40. Rate Limits
    “southbound I-15 – speed limit 80 mph” by Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

  41. The Gotchas
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  42. Chekhov
    “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  43. invalid_hostname.example.com

  44. 18.234.20.119

  45. Certificate
    Authority
    Authorization

    subdomain.example.com    CNAME  custom.example.net
    example.com              CAA    0 issue "legacyca.com"
    custom.example.net       A      18.234.20.119
                             CAA    0 issue "letsencrypt.org"
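The point of this slide is that a CA resolving CAA for subdomain.example.com follows the CNAME and reads the CAA record at custom.example.net (allowing Let's Encrypt), rather than the apex record that names only the legacy CA; a customer's custom hostname can therefore be governed by records the operator does not control. The following Python is an added example, not code from the talk: it models the RFC 8659 CAA lookup (CNAME chain followed, then the original name's parents walked) over constructed zone data mirroring the slide. `ZONE`, the function names and the sample records are assumptions, not live DNS.

```python
"""CAA lookup in the style of RFC 8659 over constructed zone data.

Models the slide's records: the subdomain is a CNAME to a vendor host,
the apex restricts issuance to a legacy CA, and the CNAME target allows
Let's Encrypt. The CA resolves CAA for the CNAME target first and only
walks parent names when no record is found there.
"""
from typing import Optional

# Constructed zone data mirroring the slide (assumption, not live DNS).
# Each CAA record is (flags, tag, value).
ZONE = {
    "subdomain.example.com": {"CNAME": "custom.example.net"},
    "example.com": {"CAA": [(0, "issue", "legacyca.com")]},
    "custom.example.net": {
        "A": "18.234.20.119",
        "CAA": [(0, "issue", "letsencrypt.org")],
    },
}

MAX_CNAME_HOPS = 8
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL_FLAG = 128  # RFC 8659 issuer-critical bit


def caa_rrset(name: str, zone: dict = ZONE) -> list:
    """CAA(X): the CAA records a normal query for X returns, which means
    following a CNAME chain to its final target."""
    hops = 0
    while "CNAME" in zone.get(name, {}):
        hops += 1
        if hops > MAX_CNAME_HOPS:
            raise ValueError(f"CNAME chain too long at {name}")
        name = zone[name]["CNAME"]
    return list(zone.get(name, {}).get("CAA", []))


def parent(name: str) -> Optional[str]:
    """Strip the leftmost label; None once the top-level label is reached."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else None


def relevant_caa_set(name: str, zone: dict = ZONE):
    """RelevantCAASet(X): CAA(X) if non-empty, otherwise the parent's,
    walking up the ORIGINAL name's ancestors (not the CNAME target's).
    Returns (name whose records applied, records)."""
    x: Optional[str] = name
    while x:
        rrset = caa_rrset(x, zone)
        if rrset:
            return x, rrset
        x = parent(x)
    return None, []


def ca_may_issue(name: str, ca_domain: str, wildcard: bool = False,
                 zone: dict = ZONE) -> bool:
    """True if the CA identified by ca_domain may issue for name."""
    _origin, rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the chain: no restriction
    # A critical property the CA does not understand forbids issuance.
    for flags, tag, _value in rrset:
        if flags & CRITICAL_FLAG and tag not in KNOWN_TAGS:
            return False
    tags = {tag for _, tag, _ in rrset}
    tag = "issuewild" if wildcard and "issuewild" in tags else "issue"
    if tag not in tags:
        return True  # CAA present but no issue/issuewild property
    for _flags, rtag, value in rrset:
        if rtag != tag:
            continue
        # "ca.example; param=value" -> "ca.example"; ";" alone forbids all CAs.
        domain = value.split(";", 1)[0].strip().lower()
        if domain and domain == ca_domain.lower():
            return True
    return False


if __name__ == "__main__":
    for host, ca in [("subdomain.example.com", "letsencrypt.org"),
                     ("subdomain.example.com", "legacyca.com"),
                     ("www.example.com", "letsencrypt.org")]:
        origin, _ = relevant_caa_set(host)
        print(f"{host:24} {ca:16} governed by {origin}: "
              f"{'may issue' if ca_may_issue(host, ca) else 'must not issue'}")
```

Running the block shows the asymmetry the slide is pointing at: Let's Encrypt may issue for subdomain.example.com because the CNAME target's CAA governs, while for www.example.com (no CNAME, no own CAA) the apex record applies and only the legacy CA is allowed. Before onboarding a customer hostname, run the same lookup on the name you will actually request and check which record the answer came from.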

  47. DNSSEC

    subdomain.example.com    DNSKEY  [public key]
    example.com              DS      [signature for subdomain.example.com]
                             DNSKEY  [public key]
    com                      DS      [signature for example.com]
                             DNSKEY  [public key]

  49. Google safe browsing

  50. unboundtest.com
    letsdebug.net

  51. - Me
    https://twitter.com/philipsharp/status/959536858488287234

  52. What’s Next
    “Falcon Heavy Demo Mission” by Official SpaceX Photos (https://www.flickr.com/photos/spacex/40126461851)

  53. Recap
    “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  54. Lessons
    1. Scaling means different problems.
    2. Custom hostnames are user input.

  56. Thank You
    https://joind.in/talk/28389
    Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    www.philipsharp.com
    Slide design based on “A white-label slide deck” by Alice Bartlett
    (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides).
    Fonts: Source Sans Pro, Source Code Pro
    All photos public domain or licensed under Creative Commons.
    See individual photos for credits.
