Slide 1
Slide 1 text
ethitter.com
Getting Started with SSL
Erick Hitter
@ethitter
https://ethitter.com/
Slide 2
Slide 2 text
FIRST
Why Bother?
Slide 3
Slide 3 text
Why?
• Protects data submitted in forms, including the
WordPress login.
• Much harder to “snoop” on secure traffic.
• Google gives a bit of consideration to a site’s use
of SSL, and will likely increase its importance.
• New technologies largely negate performance
concerns.
Slide 4
Slide 4 text
Why Not?
• Mixed-content warnings from items that don’t
support SSL
• Ad providers have been slow to adopt
• Performance
Slide 5
Slide 5 text
SECOND
Terminology
Slide 6
Slide 6 text
Encrypted versus unencrypted
• Unencrypted data is plainly readable by
humans and anything else that can access
it
• Encrypted data must be processed before
it can be read
Slide 7
Slide 7 text
Cipher Suites
• Define how a browser establishes a
secure connection with a server
• Specify several components of a secure
connection, including encryption type
Slide 8
Slide 8 text
Three things that all mean the same thing*
• HTTPS
• SSL
• TLS
* Not quite, but we’ll get to that; https://vimeo.com/88500528
Slide 9
Slide 9 text
HTTPS
• Secure Hypertext Transfer Protocol
• aka HTTP over TLS, HTTP over SSL, or HTTP
Secure
• Web traffic delivered with some type of
encryption
Slide 10
Slide 10 text
SSL
• Secure Sockets Layer
• Used synonymously with HTTPS
• Actually the name of a type of security
used for data communications
• Technology isn’t (shouldn’t be) used
anymore, but the term persists
Slide 11
Slide 11 text
TLS
• Transport Layer Security
• Modern encryption approach used in
place of SSL
• More often than not, when someone says
SSL, they really mean TLS
Slide 12
Slide 12 text
Aside: Protocol Versions
• Multiple versions of both SSL and TLS
exist
• No versions of SSL are considered secure
• TLSv1 was, essentially, SSLv4
• Only TLS v1.1 and v1.2 are secure
Slide 13
Slide 13 text
Certificate
• An cryptographic convention that:
• confirms domain control,
• provides some “ownership” information
to the browser, and
• plays a role in encrypting traffic.
Slide 14
Slide 14 text
Seriously, what is a certificate?
• A collection of information used to secure
communications
• Involves multiple parties, as part of trust
model
• Uses public-key infrastructure (PKI)
Slide 15
Slide 15 text
Certificate Authority (CA)
• Independent organization that provides
certificates
• Verifies some information to ensure a
level of trust
• Relies on browsers trusting CAs
• Examples include: Comodo, Verisign,
GoDaddy, StartSSL, and Let’s Encrypt
Slide 16
Slide 16 text
Certificate issuance also comes in threes
• Certificate signing request
• Private key
• Leaf certificate
Slide 17
Slide 17 text
CSR
• Certificate signing request
• An entity that needs a certificate provides
basic biographic data
• Most importantly, lists which domains are
to be secured
• Signed with a private key
Slide 18
Slide 18 text
Private key
• Encrypted string used to unlock the
certificate provided by the CA
• The CSR produces, or uses an existing,
private key
• The key is never shared, and should never
leave the server it’s used on (generally)
Slide 19
Slide 19 text
Leaf certificate
• Issued by a certificate authority
• Expire with some frequency
• Generated using the CSR
• Unlocked using the private key
Slide 20
Slide 20 text
Certificate trust types
• Depend on how a domain confirmed
• Advanced types generally only needed by
large, significant organizations
Slide 21
Slide 21 text
Domain Validation (DV)
• Ownership confirmed using:
• WHOIS email records,
• DNS entries, or
• A file added to the server.
• Also known as “domain-control validated”
Slide 22
Slide 22 text
Organization Validation (OV)
• CA performs domain-control verification
• CA also validates organization per its
requirements
Slide 23
Slide 23 text
Extended Validation (EV)
• Considerably more-thorough version of
organization validation
• Doesn’t support wildcard certificates
• Only way to display organization name in
address bar
Slide 24
Slide 24 text
Certificate components
• Root certificate
• Intermediate certificate
• Leaf certificate
Slide 25
Slide 25 text
Root certificate
• Certificate that browsers and devices trust
• Specific to the CA that issues a certificate
Slide 26
Slide 26 text
Intermediate certificate
• Provided by the CA
• Associates the domain certificate with the
root certificate
• CAs often have multiple
Slide 27
Slide 27 text
Leaf certificate
• Specific to the domains listed in the CSR
• Contains organization information
Slide 28
Slide 28 text
Wildcard certificate
• Rather than listing every subdomain, a
certificate covers any subdomain
• *.ethitter.com versus ethitter.com,
www.ethitter.com, i.ethitter.com, etc.
Slide 29
Slide 29 text
Questions before I continue?
Slide 30
Slide 30 text
THIRD
Certificate Authorities
Slide 31
Slide 31 text
Let’s Encrypt
• Free
• Certificates are valid for three (3) months
• Simple command-line tools to issue certificates
• Many services are adding free SSL support using
this CA
• Doesn’t support wildcard domains
• Only allows domain validation
Slide 32
Slide 32 text
StartSSL
• Also offers free certificates, along with paid
certificates incorporating advanced features
• Free certificates are valid for one (1) year
• Paid certificates are valid for two (2) years
• Wildcard domains are allowed with paid options
• Paid certificates support organization and
extended validation
Slide 33
Slide 33 text
Comodo, Symantec, GoDaddy,
Digicert, etc
• Offer paid certificates of various
durations
• Support all certificate types
Slide 34
Slide 34 text
FOURTH
Obtaining a certificate
Slide 35
Slide 35 text
Let’s Encrypt
• Provides command-line tool to request
and renew certificates
• API is also publicly-accessible
• Uses new ACME protocol
• More at: https://r.eth.pw/p/20/
Slide 36
Slide 36 text
Other providers
1. Generate a CSR for the domain(s) to
secure
2. Submit CSR to certificate authority
3. Complete domain verification according to
CA’s procedures
4. CA provides leaf certificate
Slide 37
Slide 37 text
FIFTH
Installing a certificate
Slide 38
Slide 38 text
Let’s Encrypt
• Tool can configure Apache automatically
• nginx support is coming
• Can also generate certificates for manual
installation
Slide 39
Slide 39 text
All others
• CA will provide intermediate and leaf
certificates
• Server software is manually configured
• Comodo provides many installation
guides: https://r.eth.pw/p/17/
Slide 40
Slide 40 text
Thanks
Erick Hitter
@ethitter
https://ethitter.com/
https://ethitter.com/p/6677/