Upgrade to Pro — share decks privately, control downloads, hide ads and more …

[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale

Philip Sharp
July 13, 2018
Programming
0
58

[MidDevCon 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt—a free, automated certificate authority–was made available to everyone. It only takes a command line tool and a few keystrokes to securely serve almost any website. But what does it take to secure 10,000 websites? Let’s see what it takes while detailing the available tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 13, 2018
Tweet

More Decks by Philip Sharp

See All by Philip Sharp
[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale
philipsharp
1
120

Other Decks in Programming

See All in Programming
Swagger Codegenで楽にSwiftのModelを生成する / Easily generate Swift Models with Swagger Codegen
naokimrmt
0
140
M5Stack用の指紋認証デバイスを試す
ufoo68
0
120
Implementing "++" operator, stepping into parse.y
coe401_
3
6k
その Swift コード、
こう書き換えてみないか / Polishing your Swift code with me!
treastrain
1
3.4k
サバンナ便り〜自動テストに関する連載で得られた知見のまとめ(2023年5月版)〜 / Automated Test Knowledge from Savanna 202305 edition
twada
PRO
15
4.9k
NotionのURLをWorkersで綺麗にしよう!
totto2727
0
210
LINEBotCourse.pdf
maguroalternative
0
110
2023年5月ミートアップRubyKaigi2023スペシャル
umizaru
0
5.1k
ランニングコストやっべぇぞ!ECS/FargateでECRへのアクセスについて
honma12345
0
840
Kotlin Multiplatform Library 배포하기
fornewid
0
200
Multiverse Ruby
shioyama
1
2.5k
From complexity to observability using OpenTelemetry
danilop
1
340

Featured

See All Featured
Product Roadmaps are Hard
iamctodd
39
8.2k
How New CSS Is Changing Everything About Graphic Design on the Web
jensimmons
214
12k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
32
8.4k
YesSQL, Process and Tooling at Scale
rocio
158
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
33
21k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Git: the NoSQL Database
bkeepers
PRO
420
60k
Robots, Beer and Maslow
schacon
154
7.5k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
16
1.2k
Build your cross-platform service in a week with App Engine
jlugia
222
17k
Facilitating Awesome Meetings
lara
35
4.8k
Raft: Consensus for Rubyists
vanstee
130
5.8k

Transcript

  1. View Slide

  2. Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    Mid-Atlantic Developer Conference 2018

    View Slide

  3. Why HTTPS?
    Why HTTPS?
    “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

    View Slide

  4. Yahoo! Homepage in 1994 (https://www.flickr.com/photos/yodelanecdotal/3740158785)

    View Slide

  5. Netscape Navigator, v1.0, 1994

    View Slide

  6. Security
    “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

    View Slide

  7. Privacy
    “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/[email protected]/13844066275/)

    View Slide

  8. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

    View Slide

  9. View Slide

  10. Your Twitter Handle Here

    View Slide

  11. View Slide

  12. HTTP/2
    Your Twitter Handle Here

    View Slide

  13. What does HTTPS mean?
    “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

    View Slide

  14. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/)
    Encryption

    View Slide

  15. Authentication
    “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

    View Slide

  16. Certificate
    X.509 in PEM format

    View Slide

  17. 1. Public Key
    2. Subject
    3. Signature
    There’s no outline view...

    View Slide

  18. Web of
    Trust
    “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

    View Slide

  19. Authority
    “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

    View Slide

  20. Getting
    Certificates
    “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

    View Slide

  21. Your Twitter Handle Here

    View Slide

  22. ACME
    “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

    View Slide

  23. Automated
    “teeth” by artethgray (https://www.flickr.com/photos/[email protected]/4857336929/)

    View Slide

  24. sudo certbot --apache
    Your Twitter Handle Here

    View Slide

  25. 12 6,18 * * * certbot renew -q
    Your Twitter Handle Here

    View Slide

  26. Scaling
    “Diving Maldives: Large school of Kashmir Snapper” by Mal B (https://www.flickr.com/photos/mal-b/6834470100/)

    View Slide

  27. Distinguished
    Name
    Your Twitter Handle Here

    View Slide

  28. CN = www.microsoft.com
    OU = Microsoft Corporation
    O = Microsoft Corporation
    L = Redmond
    ST = WA
    C = US
    Your Twitter Handle Here

    View Slide

  29. Subject
    Alternative
    Name
    Your Twitter Handle Here

    View Slide

  30. Common Name
    Your Twitter Handle Here

    View Slide

  31. 4
    2
    2
    NaN
    2

    View Slide

  32. Tooling
    “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

    View Slide

  33. Acme PHP
    Your Twitter Handle Here

    View Slide

  34. [example.com, ...]

    new-cert

    authz

    complete
    Your Twitter Handle Here

    View Slide

  35. [example.com, ...]

    new-authz

    new-cert
    Your Twitter Handle Here

    View Slide

  36. View Slide

  37. Challenges
    Domain
    Queue
    Acme PHP
    Certificate
    Queue
    Issuance

    View Slide

  38. Renewals
    ‘Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

    View Slide

  39. 1 5 9 13 17 21 25 29 33 37 41 45 49 53 57 61 65 69 73 77 81 85 89 93 97
    101
    105
    109
    113
    117
    0
    2000
    4000
    6000
    8000
    10000
    12000
    Day
    Domains

    View Slide

  40. Rate Limits
    “southbound I-15 – speed limit 80 mph” by Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

    View Slide

  41. The Gotchas
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

    View Slide

  42. Chekhov
    “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

    View Slide

  43. invalid_hostname.example.com
    Your Twitter Handle Here

    View Slide

  44. 18.234.20.119
    Your Twitter Handle Here

    View Slide

  45. Certificate
    Authority
    Authorization
    Your Twitter Handle Here

    View Slide

  46. subdomain.example.com
    CNAME custom.example.net
    example.com
    CAA 0 issue "legacyca.com"
    custom.example.net
    A 18.234.20.119
    CAA 0 issue "letsencrypt.org"

    View Slide

  47. DNSSEC
    Your Twitter Handle Here

    View Slide

  48. subdomain.example.com
    DNSKEY [public key]
    example.com
    DS [signature for subdomain.example.com]
    DNSKEY [public key]
    com
    DS [signature for example.com]
    DNSKEY [public key]

    View Slide

  49. Google safe browsing

    View Slide

  50. unboundtest.com
    letsdebug.net
    Your Twitter Handle Here

    View Slide

  51. - Me
    https://twitter.com/philipsharp/status/959536858488287234

    View Slide

  52. What’s Next
    “Falcon Heavy Demo Mission” by Official SpaceX Photos (https://www.flickr.com/photos/spacex/40126461851)

    View Slide

  53. Recap
    “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

    View Slide

  54. Lessons
    1. Scaling means different problems.
    2. Custom hostnames are user input.

    View Slide

  55. View Slide

  56. Thank You
    https://joind.in/talk/28389
    Image Credit goes here
    Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    www.philipsharp.com
    Slide design based on “A white-label slide deck” by Alice Bartlett
    (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides).
    Fonts: Source Sans Pro, Source Code Pro
    All photos public domain or licensed under Creative Commons.
    See individual photos for credits.

    View Slide