Slide 1

Slide 1 text

LetsEncrypt : TLS/SSL certs, without the pain Manan Jadhav

Slide 2

Slide 2 text

SSL/TLS
● https:// vs http://
● Encryption AND a trust mechanism: the traffic is encrypted, and the server proves which domain it is
● Prevents eavesdropping and man-in-the-middle tampering; it does not stop phishing by itself, because a phishing site can hold a perfectly valid certificate for its own domain, so users still have to read the address bar
● Green bar (the Extended Validation indicator shown by 2017-era browsers)
● In 2017, a must have

Slide 3

Slide 3 text

Not Secure (browser address-bar indicator for an http:// page)

Slide 4

Slide 4 text

Secure (browser address-bar indicator for an https:// page with a valid certificate)

Slide 5

Slide 5 text

But wait, how does that work?
● Symmetric (shared-key) encryption for the session data; the key is not pre-shared, it is agreed between client and server during the TLS handshake
● Digital signatures, carried in certificates, for authentication: they let the client check that it agreed that key with the real server and not with a man-in-the-middle

Slide 6

Slide 6 text

Shared Key Encryption (both sides hold the same session key and use it to encrypt and decrypt the traffic)

Slide 7

Slide 7 text

Digital Signatures / Certificates
● The certificate is signed using the Certificate Authority's private key
● The signature is verified using the CA's public key, which the browser already holds
● Certificate Authority
  ○ Verifies that the requester controls the domain
  ○ Is audited regularly
  ○ Keeps its private keys secure (a leaked CA key lets anyone mint certificates for any domain)
  ○ Its public keys (root certificates) are distributed in browsers and operating systems

Slide 8

Slide 8 text

TODO : Certificate Authority
● Distribute its public key (root certificate) to all browsers
● Maintain the security of its private keys
● Issue certs only after verifying control of the domain
● Offer insurance against hacks (a warranty some commercial CAs sell)
● Be audited regularly
● Maintain a revocation list (CRL) and an OCSP responder so a compromised cert can be distrusted before it expires

Slide 9

Slide 9 text

Getting an SSL cert : Long Story
1. Generate CSR
   a. Certificate Signing Request
      i. Domain Name (Common Name), Organization Name, Location.
2. Upload CSR & Pay
3. Verify ownership (takes minutes/hours)
   a. DNS, HTTP etc. methods.
4. Download & Install Certificate

Slide 10

Slide 10 text

Why it’s a problem
● Time for verification
● Manual intervention
● Errors cause delays
● Long-duration certs: renewal is rare enough to be forgotten, and a leaked key stays usable until the cert finally expires or is revoked
● And, you have to pay for it


Slide 12

Slide 12 text

LetsEncrypt
● Free, Automated & Open CA
● Open doesn’t mean less secure: the software is open source and every issued certificate is publicly logged
● Run by the Internet Security Research Group (ISRG), a non-profit
● Backed by commercial sponsors
● Publicly trusted since late 2015 (cross-signed by an existing root so browsers accepted it from day one; public beta opened in December 2015)

Slide 13

Slide 13 text

Certbot
● Automates Steps 1, 2, 3 & 4: generates the key and CSR, proves domain control, fetches the cert and installs it
● Uses the “ACME” protocol: the CA hands out a random challenge token, the client publishes it over HTTP or DNS, the CA checks it and issues
● https://certbot.eff.org/
● Supports Nginx and Apache natively (the plugin edits the server config for you); other servers via the webroot or standalone plugins plus a manual install step
● Certs are valid for 90 days, so renewal must be scheduled (cron or systemd timer), not done by hand
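To make Step 3 (verify ownership) and the ACME bullet concrete, here is an added example, written for this page, that computes what an ACME client publishes and what the CA checks for the http-01 and dns-01 challenge types (RFC 8555 sections 8.1, 8.3 and 8.4, RFC 7638 for the key thumbprint). It is not Certbot's or Let's Encrypt's code; the account key JWK, the token and the "served" responses are constructed sample data, and the function names are the example's own.

```python
"""ACME domain validation, client side and CA side (added example, not Certbot code).

The CA gives the client a random token. The client derives a key authorization
that binds that token to its ACME account key, publishes it at a well-known
HTTP path (http-01) or as a DNS TXT record (dns-01), and the CA fetches it and
compares. Control of the domain is proven because only someone who can serve
that path / set that record could have published the value.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding ACME and JWK use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over only the required public members,
    keys in lexicographic order, no whitespace. Extra members (alg, kid...)
    must be ignored or the thumbprint would differ between implementations."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || thumbprint(account public key)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_expected(token: str, account_jwk: dict):
    """Path the CA will GET over plain HTTP on port 80, and the exact body it expects."""
    path = f"/.well-known/acme-challenge/{token}"
    return path, key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """TXT record value for _acme-challenge.<domain>: base64url(SHA-256(key authorization))."""
    key_authz = key_authorization(token, account_jwk).encode("ascii")
    return b64url(hashlib.sha256(key_authz).digest())


def ca_validate_http01(served_body: str, token: str, account_jwk: dict) -> bool:
    """CA side: the body served by the domain must equal the key authorization.
    RFC 8555 permits trailing whitespace, nothing else may differ."""
    return served_body.rstrip() == key_authorization(token, account_jwk)


def ca_validate_dns01(txt_records: list, token: str, account_jwk: dict) -> bool:
    """CA side: any one TXT record at _acme-challenge.<domain> may carry the value,
    so several clients can validate the same name concurrently."""
    return dns01_txt_value(token, account_jwk) in txt_records


# Constructed sample data: not a real key, not a real token (assumption).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sample-modulus-not-a-real-key",
               "alg": "RS256", "kid": "acct-1"}   # alg/kid must not affect the thumbprint
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo(domain: str = "test.example") -> dict:
    """Walk one validation for a domain; returns what each side computed."""
    path, body = http01_expected(TOKEN, ACCOUNT_JWK)
    return {
        "http01_url": f"http://{domain}{path}",
        "http01_body": body,
        "dns01_name": f"_acme-challenge.{domain}",
        "dns01_txt": dns01_txt_value(TOKEN, ACCOUNT_JWK),
        "http01_ok": ca_validate_http01(body + "\n", TOKEN, ACCOUNT_JWK),
        "dns01_ok": ca_validate_dns01([dns01_txt_value(TOKEN, ACCOUNT_JWK)], TOKEN, ACCOUNT_JWK),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two practical consequences follow from the maths above: the http-01 check is made over port 80 from the CA's own vantage points, so the challenge path must be reachable without redirecting into a broken HTTPS site, and the dns-01 value is what lets you validate a name that has no web server at all (wildcards require it). Certbot's nginx and apache plugins do the publishing and clean-up of this value for you.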

Slide 14

Slide 14 text

Demo Time ! http://test.gdgbaroda.com/ https://test.gddbaroda.com/