Slide 1

Slide 1 text

No content

Slide 2

Slide 2 text

Let’s Encrypt All The Things
HTTPS At Scale
Philip Sharp @philipsharp
PHPDetroit Conference 2018

Slide 3

Slide 3 text

Why HTTPS? “why?” by Art Poskanzer (https://www.flickr.com/photos/posk/8333973575/)

Slide 4

Slide 4 text

Security “Locks and Lockers” by AL.Eyad (https://www.flickr.com/photos/linda_lila/23303173449/)

Slide 5

Slide 5 text

Privacy “security camera” by CWCS Managed Hosting (https://www.flickr.com/photos/122969584@N07/13844066275/)

Slide 6

Slide 6 text

https://webmasters.googleblog.com/2014/08/https-as-ranking-signal.html

Slide 7

Slide 7 text

No content

Slide 8

Slide 8 text

Your Twitter Handle Here

Slide 9

Slide 9 text

HTTP/2

Slide 10

Slide 10 text

What does HTTPS mean? “Double Rainbow” by Sharada Prasad (https://www.flickr.com/photos/sharadaprasad/9397813949/)

Slide 11

Slide 11 text

“keys” by drea fournier (https://www.flickr.com/photos/dreafournier/42880176712/) Encryption

Slide 12

Slide 12 text

Authentication “Purple Envelope with Gold Sealing Wax” by sk (https://www.flickr.com/photos/irisphotos/27135391951/)

Slide 13

Slide 13 text

Certificate X.509 in PEM format

Slide 14

Slide 14 text

1. Public Key
2. Subject
3. Signature

Slide 15

Slide 15 text

Web of Trust “Web” by AJ Cann (https://www.flickr.com/photos/ajc1/15491327276)

Slide 16

Slide 16 text

Authority “Queen” by Ovidiu Borlean (https://www.flickr.com/photos/ovidiu_borlean/3878029087/)

Slide 17

Slide 17 text

Getting Certificates “Paperwork” by Camilo Rueda López (https://www.flickr.com/photos/kozumel/2228603119/)

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

ACME “coyote at sunrise” by Jared Tarbell (https://www.flickr.com/photos/generated/5375935769/)

Slide 20

Slide 20 text

Automated “teeth” by artethgray (https://www.flickr.com/photos/36397453@N00/4857336929/)

Slide 21

Slide 21 text

sudo certbot --apache

Slide 22

Slide 22 text

12 6,18 * * * certbot renew -q

Slide 23

Slide 23 text

Scaling “Diving Maldives: Large school of Kashmir Snapper” by Mal B (https://www.flickr.com/photos/mal-b/6834470100/)

Slide 24

Slide 24 text

Distinguished Name

Slide 25

Slide 25 text

CN = www.microsoft.com
OU = Microsoft Corporation
O = Microsoft Corporation
L = Redmond
ST = WA
C = US

Slide 26

Slide 26 text

Subject Alternative Name

Slide 27

Slide 27 text

Common Name

Slide 28

Slide 28 text

[chart: labels not recoverable]

Slide 29

Slide 29 text

Tooling “old vintage stuff” by spline splinson (https://www.flickr.com/photos/splinson/28062883398/)

Slide 30

Slide 30 text

Acme PHP

Slide 31

Slide 31 text

[photos.kerzap.com, ...]
↓ new-cert
↓ authz
↓ complete

Slide 32

Slide 32 text

[photos.kerzap.com, ...]
↓ new-authz
↓ new-cert

Slide 33

Slide 33 text

No content

Slide 34

Slide 34 text

[diagram labels: Challenges, Domain Queue, Acme PHP, Certificate Queue, Issuance]

Slide 35

Slide 35 text

Renewals “Rebuilding” by Jo Elphick (https://www.flickr.com/photos/joelphick/27132941018/)

Slide 36

Slide 36 text

[chart: Domains (0 to 12000) by Day (1 to 117)]

Slide 37

Slide 37 text

Rate Limits “southbound I-15 – speed limit 80 mph” by Garrett (https://www.flickr.com/photos/countylemonade/5916416464/)

Slide 38

Slide 38 text

The Gotchas “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

Slide 39

Slide 39 text

All The Things That Can Go Wrong When Trying To Get A Certificate For Someone Else’s Domain “Cliffs of Moher, Liscannor, Ireland” by Giuseppe Milo (https://www.flickr.com/photos/giuseppemilo/13972911980/)

Slide 40

Slide 40 text

Chekhov “Portrait of Anton Pavlovich Chekhov” (1898) by Osip Braz

Slide 41

Slide 41 text

invalid_hostname.kerzap.com

Slide 42

Slide 42 text

$ host photos.kerzap.com
photos.kerzap.com is an alias for domains.example.com.
domains.example.com has address 18.234.20.125
domains.example.com has address 18.234.20.121
domains.example.com has address 18.234.20.119

Slide 43

Slide 43 text

Certificate Authority Authorization

Slide 44

Slide 44 text

photos.kerzap.com    CNAME  domains.example.com
kerzap.com           CAA    0 issue "legacyca.com"
domains.example.com  A      18.234.20.119
domains.example.com  CAA    0 issue "letsencrypt.org"
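Added example, written for this transcript and not taken from the talk or from Acme PHP (Python rather than PHP so it runs as-is). It ties together slides 41, 42 and 44: before a tenant's custom hostname reaches the certificate queue, check its syntax (so invalid_hostname.kerzap.com is rejected), check that it actually points at the provider, and check that CAA permits the CA. The CAA logic follows RFC 8659 section 3: the CAA query for a name chases CNAMEs, and the lookup climbs to the parent only while the set is empty. Under that rule photos.kerzap.com takes its CAA set from domains.example.com through the alias, so kerzap.com's record is never consulted for it; a constructed sibling blog.kerzap.com that only has an A record on the provider's address falls back to kerzap.com and is refused for letsencrypt.org. PROVIDER_DOMAIN, blog.kerzap.com and the in-memory zone are assumptions; the addresses are the ones from the host output on slide 42.

```python
"""Vetting a user-supplied custom hostname before queueing it for ACME issuance.

Three checks, run over a constructed in-memory zone so the script works offline:
  1. syntax    - RFC 1123 host-name labels (no underscores, no leading/trailing hyphen)
  2. ownership - the name must CNAME onto, or resolve to the addresses of, the provider
  3. CAA       - the relevant CAA set (RFC 8659 section 3) must permit the CA
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class CAA(NamedTuple):
    flags: int
    tag: str
    value: str


# Assumption: the provider serves tenants from domains.example.com (slide 42).
PROVIDER_DOMAIN = "domains.example.com"

# Constructed zone data mirroring slides 42 and 44; blog.kerzap.com is invented.
ZONE: Dict[str, dict] = {
    "photos.kerzap.com": {"CNAME": "domains.example.com"},
    "blog.kerzap.com": {"A": ["18.234.20.119"]},          # A record, no CNAME, no CAA
    "kerzap.com": {"CAA": [CAA(0, "issue", "legacyca.com")]},
    "domains.example.com": {
        "A": ["18.234.20.125", "18.234.20.121", "18.234.20.119"],
        "CAA": [CAA(0, "issue", "letsencrypt.org")],
    },
}

LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


def valid_hostname(name: str) -> bool:
    """RFC 1123 syntax: letters, digits and hyphens per label, 253 characters overall."""
    name = name.rstrip(".").lower()
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def resolve_chain(name: str, zone: dict, max_hops: int = 8) -> Tuple[str, dict]:
    """Follow CNAMEs as a resolver would; return the canonical name and its records."""
    for _ in range(max_hops):
        node = zone.get(name, {})
        if "CNAME" not in node:
            return name, node
        name = node["CNAME"]
    raise ValueError("CNAME chain too long")


def points_at_provider(name: str, zone: dict) -> bool:
    """Ownership check: the name aliases the provider or carries only provider addresses."""
    canonical, node = resolve_chain(name, zone)
    if canonical == PROVIDER_DOMAIN:
        return True
    provider_ips = set(zone[PROVIDER_DOMAIN]["A"])
    return bool(node.get("A")) and set(node["A"]) <= provider_ips


def relevant_caa_set(domain: str, zone: dict) -> List[CAA]:
    """RFC 8659: CAA(X) chases aliases; climb to the parent only while the set is empty."""
    while domain:
        _, node = resolve_chain(domain, zone)
        if node.get("CAA"):
            return list(node["CAA"])
        domain = domain.partition(".")[2]
    return []


def caa_permits(domain: str, ca: str, zone: dict, wildcard: bool = False) -> bool:
    rrset = relevant_caa_set(domain, zone)
    if not rrset:
        return True                      # no CAA anywhere up the tree: unrestricted
    if any(r.flags & 0x80 and r.tag not in KNOWN_TAGS for r in rrset):
        return False                     # unknown critical property: must not issue
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in rrset) else "issue"
    records = [r for r in rrset if r.tag == tag]
    if not records:
        return True                      # CAA present but this kind of issuance is unrestricted
    # value is "<issuer-domain>[; param=value ...]"; an empty issuer ("issue ;") forbids all
    return any(r.value.split(";")[0].strip().lower() == ca.lower() for r in records)


def vet_hostname(name: str, ca: str = "letsencrypt.org", zone: dict = ZONE) -> Tuple[bool, str]:
    """Return (ok, reason); only ok names should be enqueued for issuance."""
    if not valid_hostname(name):
        return False, "hostname syntax invalid"
    if not points_at_provider(name, zone):
        return False, "hostname does not point at " + PROVIDER_DOMAIN
    if not caa_permits(name, ca, zone):
        return False, "CAA forbids issuance by " + ca
    return True, "ok"


if __name__ == "__main__":
    for host in ["photos.kerzap.com", "invalid_hostname.kerzap.com",
                 "blog.kerzap.com", "evil.example.org"]:
        print(host, vet_hostname(host))
```

Running the block rejects invalid_hostname.kerzap.com on syntax, accepts photos.kerzap.com, and refuses blog.kerzap.com for letsencrypt.org because the only CAA above it is kerzap.com's legacyca.com record; the same name passes when the CA argument is legacyca.com.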

Slide 45

Slide 45 text

DNSSEC

Slide 46

Slide 46 text

photos.kerzap.com  DNSKEY  [public key]
kerzap.com         DS      [signature for photos.kerzap.com]
kerzap.com         DNSKEY  [public key]
com                DS      [signature for kerzap.com]
com                DNSKEY  [public key]
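Added example, not from the talk: the chain on this slide is a set of DS records, each published in the parent zone and covering the child zone's DNSKEY. This script models only that link (RFC 4034 section 5.1.4, digest over the canonical owner name plus the DNSKEY RDATA, and the Appendix B key tag), not the RRSIG signatures a validating resolver also checks. The three keys are placeholder byte strings, not real ECDSA points, and the DS records are derived from them so the constructed chain starts out consistent; "com" stands in as the trust anchor.

```python
"""DS-to-DNSKEY consistency check over a constructed DNSSEC chain (RFC 4034 section 5.1.4)."""
import hashlib
import struct
from typing import Dict, List, NamedTuple


class DNSKEY(NamedTuple):
    flags: int        # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int     # always 3
    algorithm: int    # 13 = ECDSAP256SHA256
    public_key: bytes


class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int  # 2 = SHA-256
    digest: bytes


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(key: DNSKEY) -> bytes:
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(dnskey_rdata(key)):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """What the parent zone publishes for this child key: SHA-256(owner | RDATA)."""
    digest = hashlib.sha256(owner_wire(owner) + dnskey_rdata(key)).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def ds_matches(owner: str, ds: DS, key: DNSKEY) -> bool:
    return ds.digest_type == 2 and make_ds(owner, key) == ds


# Constructed chain: placeholder keys, not real ECDSA public keys.
KEYS: Dict[str, DNSKEY] = {
    "com": DNSKEY(257, 3, 13, b"com-ksk-placeholder-bytes"),
    "kerzap.com": DNSKEY(257, 3, 13, b"kerzap-ksk-placeholder-bytes"),
    "photos.kerzap.com": DNSKEY(257, 3, 13, b"photos-ksk-placeholder-bytes"),
}
# DS records are held by the parent; derived from KEYS here so the chain starts consistent.
DS_IN_PARENT: Dict[str, DS] = {
    "kerzap.com": make_ds("kerzap.com", KEYS["kerzap.com"]),
    "photos.kerzap.com": make_ds("photos.kerzap.com", KEYS["photos.kerzap.com"]),
}


def verify_chain(name: str, keys: Dict[str, DNSKEY] = KEYS,
                 ds_records: Dict[str, DS] = DS_IN_PARENT,
                 trust_anchor: str = "com") -> List[str]:
    """Walk from name up to the trust anchor; return the zones whose DS/DNSKEY pair disagrees."""
    broken = []
    while name and name != trust_anchor:
        ds, key = ds_records.get(name), keys.get(name)
        if ds is None or key is None or not ds_matches(name, ds, key):
            broken.append(name)
        name = name.partition(".")[2]
    return broken


if __name__ == "__main__":
    print("broken links:", verify_chain("photos.kerzap.com"))
```

With the data as constructed verify_chain returns an empty list; swapping kerzap.com's DNSKEY for a different key breaks that one link, which is exactly what a parent-published DS is there to catch.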

Slide 47

Slide 47 text

Google safe browsing

Slide 48

Slide 48 text

unboundtest.com letsdebug.net

Slide 49

Slide 49 text

- Me https://twitter.com/philipsharp/status/959536858488287234

Slide 50

Slide 50 text

What’s Next “Falcon Heavy Demo Mission” by Official SpaceX Photos (https://www.flickr.com/photos/spacex/40126461851)

Slide 51

Slide 51 text

Recap “Snow Capped” by Richard Walker (https://www.flickr.com/photos/richardwalkerphotography/8550310861/)

Slide 52

Slide 52 text

Lessons
1. Scaling means different problems.
2. Custom hostnames are user input.

Slide 53

Slide 53 text

Thank You
https://joind.in/talk/2f870
Let’s Encrypt All The Things
HTTPS At Scale
Philip Sharp @philipsharp www.philipsharp.com
Slide design based on “A white-label slide deck” by Alice Bartlett (http://alicebartlett.co.uk/blog/how-to-do-ok-at-slides). Fonts: Source Sans Pro, Source Code Pro
All photos public domain or licensed under Creative Commons. See individual photos for credits.