Slide 1

Getting Started with SSL
Erick Hitter (@ethitter)
https://ethitter.com/

Slide 2

FIRST: Why Bother?

Slide 3

Why?
• Protects data submitted in forms, including the WordPress login.
• Much harder to “snoop” on secure traffic.
• Google gives a bit of consideration to a site’s use of SSL, and will likely increase its importance.
• New technologies largely negate performance concerns.

Slide 4

Why Not?
• Mixed-content warnings from items that don’t support SSL
• Ad providers have been slow to adopt
• Performance

Slide 5

SECOND: Terminology

Slide 6

Encrypted versus unencrypted
• Unencrypted data is plainly readable by humans and anything else that can access it
• Encrypted data must be processed before it can be read

Slide 7

Cipher Suites
• Define how a browser establishes a secure connection with a server
• Specify several components of a secure connection, including encryption type

Slide 8

Three things that all mean the same thing*
• HTTPS
• SSL
• TLS

* Not quite, but we’ll get to that; https://vimeo.com/88500528

Slide 9

HTTPS
• Secure Hypertext Transfer Protocol
• aka HTTP over TLS, HTTP over SSL, or HTTP Secure
• Web traffic delivered with some type of encryption

Slide 10

SSL
• Secure Sockets Layer
• Used synonymously with HTTPS
• Actually the name of a type of security used for data communications
• The technology isn’t (shouldn’t be) used anymore, but the term persists

Slide 11

TLS
• Transport Layer Security
• Modern encryption approach used in place of SSL
• More often than not, when someone says SSL, they really mean TLS

Slide 12

Aside: Protocol Versions
• Multiple versions of both SSL and TLS exist
• No versions of SSL are considered secure
• TLSv1 was, essentially, SSLv4
• Only TLS v1.1 and v1.2 are secure

Slide 13

Certificate
• A cryptographic convention that:
  • confirms domain control,
  • provides some “ownership” information to the browser, and
  • plays a role in encrypting traffic.

Slide 14

Seriously, what is a certificate?
• A collection of information used to secure communications
• Involves multiple parties, as part of a trust model
• Uses public-key infrastructure (PKI)

Slide 15

Certificate Authority (CA)
• Independent organization that provides certificates
• Verifies some information to ensure a level of trust
• Relies on browsers trusting CAs
• Examples include: Comodo, Verisign, GoDaddy, StartSSL, and Let’s Encrypt

Slide 16

Certificate issuance also comes in threes
• Certificate signing request
• Private key
• Leaf certificate

Slide 17

CSR
• Certificate signing request
• An entity that needs a certificate provides basic identifying data
• Most importantly, lists which domains are to be secured
• Signed with a private key

Slide 18

Private key
• Encrypted string used to unlock the certificate provided by the CA
• Generating the CSR produces a new private key, or uses an existing one
• The key is never shared, and should never leave the server it’s used on (generally)

Slide 19

Leaf certificate
• Issued by a certificate authority
• Expires after a set period
• Generated using the CSR
• Unlocked using the private key

Slide 20

Certificate trust types
• Depend on how control of a domain is confirmed
• Advanced types are generally only needed by large, significant organizations

Slide 21

Domain Validation (DV)
• Ownership confirmed using:
  • WHOIS email records,
  • DNS entries, or
  • a file added to the server.
• Also known as “domain-control validated”

Slide 22

Organization Validation (OV)
• CA performs domain-control verification
• CA also validates the organization per its requirements

Slide 23

Extended Validation (EV)
• Considerably more thorough version of organization validation
• Doesn’t support wildcard certificates
• Only way to display the organization name in the address bar

Slide 24

Certificate components
• Root certificate
• Intermediate certificate
• Leaf certificate

Slide 25

Root certificate
• Certificate that browsers and devices trust
• Specific to the CA that issues a certificate

Slide 26

Intermediate certificate
• Provided by the CA
• Associates the domain certificate with the root certificate
• CAs often have multiple

Slide 27

Leaf certificate
• Specific to the domains listed in the CSR
• Contains organization information

Slide 28

Wildcard certificate
• Rather than listing every subdomain, a single certificate covers any subdomain
• *.ethitter.com versus ethitter.com, www.ethitter.com, i.ethitter.com, etc.

Slide 29

Questions before I continue?

Slide 30

THIRD: Certificate Authorities

Slide 31

Let’s Encrypt
• Free
• Certificates are valid for three (3) months
• Simple command-line tools to issue certificates
• Many services are adding free SSL support using this CA
• Doesn’t support wildcard domains
• Only allows domain validation

Slide 32

StartSSL
• Also offers free certificates, along with paid certificates incorporating advanced features
• Free certificates are valid for one (1) year
• Paid certificates are valid for two (2) years
• Wildcard domains are allowed with paid options
• Paid certificates support organization and extended validation

Slide 33

Comodo, Symantec, GoDaddy, Digicert, etc.
• Offer paid certificates of various durations
• Support all certificate types

Slide 34

FOURTH: Obtaining a certificate

Slide 35

Let’s Encrypt
• Provides a command-line tool to request and renew certificates
• API is also publicly accessible
• Uses the new ACME protocol
• More at: https://r.eth.pw/p/20/

Slide 36

Other providers
1. Generate a CSR for the domain(s) to secure
2. Submit the CSR to the certificate authority
3. Complete domain verification according to the CA’s procedures
4. CA provides the leaf certificate

Slide 37

FIFTH: Installing a certificate

Slide 38

Let’s Encrypt
• Tool can configure Apache automatically
• nginx support is coming
• Can also generate certificates for manual installation

Slide 39

All others
• CA will provide intermediate and leaf certificates
• Server software is manually configured
• Comodo provides many installation guides: https://r.eth.pw/p/17/
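The following walkthrough is an added example, not part of the slides: it runs the "other providers" procedure (slide 36, key and CSR listing the hostnames) and then the manual installation step (slide 39, leaf plus intermediate) end to end, standing in for the CA with a throwaway root and intermediate created locally. Every name used (example.test, Demo Root CA, the temp paths) is constructed for the demo.

```shell
#!/bin/sh
# Added walkthrough (not from the slides): CSR -> CA -> leaf -> chain, with a
# throwaway root and intermediate CA built locally so nothing leaves the machine.
# All names (example.test, Demo Root CA, ...) are constructed for this demo.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
SANS='DNS:example.test,DNS:www.example.test'

# Step 1 (site operator): private key + CSR. The CSR lists every hostname to
# secure in subjectAltName and is signed with the private key, which stays here.
make_csr() {
  printf '[req]\nprompt=no\ndistinguished_name=dn\nreq_extensions=ext\n[dn]\nCN=example.test\n[ext]\nsubjectAltName=%s\n' "$SANS" > "$WORK/csr.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/csr.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl req -in "$WORK/leaf.csr" -noout -verify >/dev/null 2>&1  # CSR signature is valid
}
csr_san_count() { openssl req -in "$WORK/leaf.csr" -noout -text | grep -o 'DNS:[^, ]*' | wc -l | tr -d ' '; }

# Steps 2-4 (simulated CA): the CA signs the CSR with its intermediate, which is
# itself signed by the root that browsers trust. CA keys never reach the site.
simulate_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Demo Intermediate CA' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -out "$WORK/int.crt" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\n' "$SANS" > "$WORK/leaf.ext"
  openssl x509 -req -days 1 -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" >/dev/null 2>&1
}

# Step 5 (install): the server must send leaf + intermediate, because browsers
# only hold the root. A server configured with leaf.crt alone fails verification.
build_fullchain() { cat "$WORK/leaf.crt" "$WORK/int.crt" > "$WORK/fullchain.pem"; }
verify_leaf() {  # $1 = "with" or "without" the intermediate; prints ok/fail
  if [ "$1" = with ]; then set -- -untrusted "$WORK/int.crt"; else set --; fi
  if openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

make_csr; simulate_ca; build_fullchain
echo "hostnames in CSR: $(csr_san_count)"
echo "verify without intermediate: $(verify_leaf without)"
echo "verify with intermediate:    $(verify_leaf with)"
```

Point the server's certificate directive at fullchain.pem (leaf first, then intermediate) and its key directive at leaf.key; the root is never installed on the server.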

Slide 40

Thanks
Erick Hitter (@ethitter)
https://ethitter.com/
https://ethitter.com/p/6677/