
[PHPDetroit 2018] Let's Encrypt All The Things: HTTPS At Scale

The push for a more secure web got a boost two years ago when Let’s Encrypt, a free, automated certificate authority, was made available to everyone. It takes only a command-line tool and a few keystrokes to serve almost any website securely. But what does it take to secure 10,000 websites? Let’s find out, detailing the available PHP tools, the changes in process and architecture needed to handle a large number of domains, and the inevitable surprises that appear.

Philip Sharp

July 27, 2018

Transcript

  1. [no slide text]

  2. Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    PHPDetroit Conference 2018

  3. Why HTTPS?
    Why HTTPS?
    “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

  4. Security
    “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

  5. Privacy
    “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/[email protected]/13844066275/)

  6. https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

  7. [no slide text]

  8. Your Twitter Handle Here

  9. HTTP/2

  10. What does HTTPS mean?
    “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

  11. “keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/)
    Encryption

  12. Authentication
    “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

  13. Certificate
    X.509 in PEM format

  14. 1. Public Key
    2. Subject
    3. Signature
    There’s no outline view...

  15. Web of
    Trust
    “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

  16. Authority
    “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

  17. Getting
    Certificates
    “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

  18. [no slide text]

  19. ACME
    “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

  20. Automated
    “teeth” by artethgray (https://www.flickr.com/photos/[email protected]/4857336929/)

  21. sudo certbot --apache

  22. 12 6,18 * * * certbot renew -q

  23. Scaling
    “Diving Maldives: Large school of Kashmir Snapper” by Mal B (https://www.flickr.com/photos/mal-b/6834470100/)

  24. Distinguished
    Name

  25. CN = www.microsoft.com
    OU = Microsoft Corporation
    O = Microsoft Corporation
    L = Redmond
    ST = WA
    C = US

  26. Subject
    Alternative
    Name

  27. Common Name

  28. 4
    2
    2
    NaN
    2

  29. Tooling
    “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

  30. Acme PHP

  31. [photos.kerzap.com, ...]

    new-cert

    authz

    complete

  32. [photos.kerzap.com, ...]

    new-authz

    new-cert

  33. [no slide text]

  34. Challenges
    Domain
    Queue
    Acme PHP
    Certificate
    Queue
    Issuance

  35. Renewals
    “Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

  36. [Chart: Domains vs. Day, with Day 1 to 117 on the x-axis and 0 to 12,000 Domains on the y-axis]

  37. Rate Limits
    “southbound I-15 – speed limit 80 mph” by Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

  38. The Gotchas
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  39. All The Things That Can Go
    Wrong When Trying To Get A
    Certificate For Someone Else’s
    Domain
    “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

  40. Chekhov
    “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

  41. invalid_hostname.kerzap.com

  42. $ host photos.kerzap.com
    photos.kerzap.com is an alias for domains.example.com.
    domains.example.com has address 18.234.20.125
    domains.example.com has address 18.234.20.121
    domains.example.com has address 18.234.20.119

  43. Certificate
    Authority
    Authorization

  44. photos.kerzap.com
    CNAME domains.example.com
    kerzap.com
    CAA 0 issue "legacyca.com"
    domains.example.com
    A 18.234.20.119
    CAA 0 issue "letsencrypt.org"
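
    Slide 44 is the CAA gotcha in miniature: the customer's hostname is a CNAME to the provider, the customer's apex restricts issuance to another CA, and the provider's target name carries its own CAA. Which record the CA actually honours is decided by the CAA lookup sequence of RFC 8659 section 3 (CAA for the requested name, which a resolver answers through the CNAME, then each parent of the requested name until an RRset is found). The Python below is an added example, not code from the talk or from Acme PHP; it runs that walk over an in-memory zone constructed from slide 44 instead of live DNS, and the function names (`lookup`, `relevant_caa`, `ca_may_issue`, `provider_without_caa`) are my own.

```python
"""Which CAA record governs a customer hostname that is a CNAME to the
hosting provider? Added example, not from the talk or Acme PHP. It walks
the CAA lookup sequence of RFC 8659 s3 over a constructed zone copied
from slide 44 rather than querying real DNS.
"""
import copy

# Constructed zone data mirroring slide 44 (kerzap.com is the customer,
# domains.example.com the provider's CNAME target). CAA tuples are
# (flags, tag, value).
ZONE = {
    "photos.kerzap.com.": {"CNAME": ["domains.example.com."]},
    "kerzap.com.": {"CAA": [(0, "issue", "legacyca.com")]},
    "domains.example.com.": {
        "A": ["18.234.20.119"],
        "CAA": [(0, "issue", "letsencrypt.org")],
    },
}


def lookup(zone, name, rrtype, max_cname=8):
    """Resolve name/rrtype the way a recursive resolver does: follow CNAMEs
    and return (owner name where the answer lives, RRset). An empty RRset
    means no data at that name."""
    for _ in range(max_cname):
        rrsets = zone.get(name, {})
        if rrtype in rrsets:
            return name, rrsets[rrtype]
        cname = rrsets.get("CNAME")
        if not cname:
            return name, []
        name = cname[0]
    raise ValueError("CNAME chain too long")


def relevant_caa(zone, hostname):
    """Return (owner, RRset) of the first CAA RRset in the sequence
    X, P(X), P(P(X)), ... where P strips the leftmost label. Only the
    resolver's own CNAME following applies; the parents climbed are those
    of the *requested* name, never of the CNAME target (example.com)."""
    labels = hostname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        owner, rrset = lookup(zone, candidate, "CAA")
        if rrset:
            return owner, rrset
    return None, []


def ca_may_issue(zone, hostname, ca_domain):
    """RFC 8659 'issue' semantics: no relevant CAA RRset, or one with no
    issue tag, leaves issuance unrestricted; otherwise ca_domain must equal
    one of the issue values. Text after ';' is parameters, so a value of
    ';' names no CA at all and denies everyone."""
    _, rrset = relevant_caa(zone, hostname)
    issue_values = [value.split(";", 1)[0].strip()
                    for _flags, tag, value in rrset if tag == "issue"]
    if not issue_values:
        return True
    return ca_domain in issue_values


def provider_without_caa(zone):
    """Edge case: the provider publishes no CAA at the CNAME target, so the
    walk falls through to the customer's apex record and its CA choice."""
    z = copy.deepcopy(zone)
    del z["domains.example.com."]["CAA"]
    return z


if __name__ == "__main__":
    for z, label in ((ZONE, "slide 44 zone"),
                     (provider_without_caa(ZONE), "target without CAA")):
        owner, rrset = relevant_caa(z, "photos.kerzap.com")
        print(f"{label}: governing CAA at {owner}: {rrset}")
        print("  Let's Encrypt may issue:",
              ca_may_issue(z, "photos.kerzap.com", "letsencrypt.org"))
```

    With the slide's data the governing record is the provider's own `issue "letsencrypt.org"` at domains.example.com, and the customer's `legacyca.com` restriction at kerzap.com is never consulted. Remove the provider's CAA and the walk climbs to kerzap.com, where Let's Encrypt is not authorised; the same request then fails at the CA with a CAA error, which is the class of surprise slides 38 and 39 are about.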

  45. DNSSEC

  46. photos.kerzap.com
    DNSKEY [public key]
    kerzap.com
    DS [signature for photos.kerzap.com]
    DNSKEY [public key]
    com
    DS [signature for kerzap.com]
    DNSKEY [public key]

  47. Google safe browsing

  48. unboundtest.com
    letsdebug.net

  49. - Me
    https://twitter.com/philipsharp/status/959536858488287234

  50. What’s Next
    “Falcon Heavy Demo Mission” by Official SpaceX Photos (https://www.flickr.com/photos/spacex/40126461851)

  51. Recap
    “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

  52. Lessons
    1. Scaling means different problems.
    2. Custom hostnames are user input.
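
    Lesson 2 ("custom hostnames are user input") and slide 41's `invalid_hostname.kerzap.com` describe the same failure: a value a customer typed into a form is handed to the CA unchecked, and the ACME order fails on a name that could never have been issued. The Python below is an added example, not code from the talk or from Acme PHP; it applies the RFC 952/1123 "letters, digits, hyphen" label rule and the RFC 1035 length limits before a hostname enters the domain queue, and the names `validate_hostname` and `filter_for_queue` are my own.

```python
"""Treat customer-supplied hostnames as untrusted input. Added example,
not from the talk or Acme PHP. A hostname is accepted only if every label
is letters/digits/hyphens (RFC 952/1123) and the RFC 1035 length limits
hold, so a bad value is rejected locally instead of failing at the CA and
consuming rate limit.
"""
import re

# One DNS label: starts and ends with a letter or digit, hyphens allowed
# inside, at most 63 characters. Underscore (slide 41) is not allowed.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
MAX_NAME_LEN = 253  # RFC 1035: 255 octets on the wire, 253 in text form


def validate_hostname(raw):
    """Return (True, normalized name) or (False, reason).

    Normalization lowercases, strips whitespace and drops a trailing dot,
    so the same hostname cannot be queued twice under different spellings.
    """
    if not isinstance(raw, str):
        return False, "not a string"
    name = raw.strip().lower().rstrip(".")
    if not name:
        return False, "empty hostname"
    if len(name) > MAX_NAME_LEN:
        return False, "hostname longer than 253 characters"
    try:
        name.encode("ascii")
    except UnicodeEncodeError:
        # Internationalized names must be converted to their A-label form
        # (xn--...) by the caller before they are valid DNS names.
        return False, "non-ASCII hostname; convert to IDNA A-label first"
    labels = name.split(".")
    if len(labels) < 2:
        return False, "a single label is not a usable public hostname"
    for label in labels:
        if not label:
            return False, "empty label (consecutive dots)"
        if len(label) > 63:
            return False, f"label {label!r} longer than 63 characters"
        if not LABEL_RE.match(label):
            return False, (f"label {label!r} contains characters other than "
                           "letters, digits and hyphens")
    if len(labels) == 4 and all(label.isdigit() for label in labels):
        # Looks like an IPv4 literal; a public CA issues for DNS names.
        return False, "IP address literal, not a hostname"
    return True, name


def filter_for_queue(raw_hostnames):
    """Split a batch of user-entered hostnames into the normalized names
    that may enter the domain queue and the rejects with their reasons."""
    accepted, rejected = [], []
    for raw in raw_hostnames:
        ok, result = validate_hostname(raw)
        (accepted if ok else rejected).append((raw, result))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: what a custom-hostname form might receive.
    sample = ["Photos.Kerzap.com.", "invalid_hostname.kerzap.com",
              "-bad.kerzap.com", "18.234.20.119", "photos..kerzap.com"]
    good, bad = filter_for_queue(sample)
    for raw, name in good:
        print("queue   :", raw, "->", name)
    for raw, reason in bad:
        print("rejected:", raw, "->", reason)
```

    The check is deliberately stricter than "does it look like a domain": it also rejects IP literals, bare labels and un-encoded Unicode, each of which would otherwise be discovered only when the CA refuses the order.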

  53. Thank You
    https://joind.in/talk/2f870
    Let’s Encrypt All The Things
    HTTPS At Scale
    Philip Sharp
    @philipsharp
    www.philipsharp.com
    Slide design based on “A white-label slide deck” by Alice Bartlett
    (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides).
    Fonts: Source Sans Pro, Source Code Pro
    All photos public domain or licensed under Creative Commons.
    See individual photos for credits.
