
Let's Encrypt!

A brief introduction to Let's Encrypt, by Hugo Peixoto

Porto Codes

April 20, 2016

Transcript

  1. Let’s encrypt!
    A brief introduction

  2–4. What
    Certificate Authority that provides TLS certificates
    - Free of charge
    - No human interaction required (issuance and renewal are automated through the ACME protocol)

  5–6. Why HTTPS?
    ● Security (confidentiality and integrity for the traffic, and authentication of the server to the user)
    ● HTTP/2 (browsers only speak HTTP/2 over TLS, so a site needs HTTPS to get it)

  7. How does HTTPS work

  8–16. [Diagram, built up over slides 8 to 16; only its labels survive in the transcript]
    User Agent (browser) on one side, HTTPS server on the other.
    Owned by the site administrator:
    - Private key and Public key for the Domain
    - Certificate: Subject (the domain), Subject public key, Issuer, Signature
    Owned by the CA:
    - Private key and Public key
    - Certificate: Subject (the CA itself), Subject public key, Issuer, Signature
    The server keeps its private key and presents its certificate to the browser. The browser checks the certificate's Signature with the Issuer's public key, taken from the CA certificate it already trusts, and only then uses the Subject public key to set up the TLS session with the named domain.

  17. ACME protocol

  18–23. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key (the client's account key; the challenge response is bound to it, so a token seen by a third party is useless without the matching private key)
    - Validation method (the CA offers the challenge types it supports and the client picks one)
    Certificate Authority replies with a challenge token
    Client sets up the validation method with the given token (publishes a value derived from the token and the account key where the CA can see it)
    Client notifies the authority
    Certificate Authority validates the domain name (fetches the published value itself, from its own network position, and compares it with what it expects)
    If successful, sends back a certificate to the client for the validated domain (the key in the certificate comes from the CSR the client submits; the account key only signs the ACME requests)

  24–27. Validation methods
    - Simple HTTP request (http-01): the CA fetches http://<domain>/.well-known/acme-challenge/<token> on port 80 and expects the key authorization derived from the token and the client's account key
    - DNS (dns-01): the CA looks up a TXT record at _acme-challenge.<domain> holding base64url(SHA-256(key authorization)); this proves control of the zone rather than of a web server
    - Other challenge types are defined in the spec; check it

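The challenge round trip of slides 18 to 23 and the two validation methods of slides 24 to 27, worked through as an added example; this is not code from the deck or from any Let's Encrypt client or server. The CA (`StubCA`), the web server (a dict) and the DNS zone (a lambda) are in-memory stubs I made up, `ACCOUNT_JWK` is a constructed placeholder key, and `example.com`, `run_http01_flow` and `run_dns01_flow` are my names. Only the value derivations follow the real protocol: the RFC 7638 thumbprint of the account key, the key authorization `token.thumbprint`, the http-01 body and path, and the dns-01 TXT value.

```python
# Added example, not code from the deck or from any Let's Encrypt client or server:
# a simulated ACME challenge round trip. The CA, the web server and the DNS zone are
# in-memory stubs; only the value derivations follow the ACME spec (RFC 8555, still
# a draft when this talk was given) and RFC 7638.
import base64
import hashlib
import hmac
import json
import secrets

# Constructed placeholder account key: "n" is just bytes 1..32, not a real modulus.
ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "AQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyA",
    "e": "AQAB",
}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, the encoding ACME and JWS use throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sha256_b64url(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def canonical_jwk_json(jwk: dict) -> str:
    """RFC 7638 input: only the required public members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return sha256_b64url(canonical_jwk_json(jwk).encode("utf-8"))


def key_authorization(token: str, account_jwk: dict) -> str:
    """token + '.' + thumbprint(account key): ties the token to one ACME account."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_response(domain: str, token: str, account_jwk: dict) -> tuple:
    """http-01: the key authorization is served at the well-known path over plain HTTP."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    return url, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """dns-01: a TXT record holding base64url(SHA-256(key authorization))."""
    digest = sha256_b64url(key_authorization(token, account_jwk).encode("ascii"))
    return f"_acme-challenge.{domain}", digest


class StubCA:
    """Stand-in for the ACME server side: hands out tokens, then checks what was published."""

    def __init__(self):
        self.pending = {}  # token -> (domain, account_jwk)

    def new_authorization(self, domain: str, account_jwk: dict) -> str:
        token = b64url(secrets.token_bytes(32))  # unguessable, one per authorization
        self.pending[token] = (domain, account_jwk)
        return token

    def validate_http01(self, token: str, fetch) -> bool:
        """fetch(url) stands in for the CA's own HTTP request to the domain on port 80."""
        domain, account_jwk = self.pending[token]
        body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
        expected = key_authorization(token, account_jwk)
        return body is not None and hmac.compare_digest(body, expected)

    def validate_dns01(self, token: str, lookup_txt) -> bool:
        """lookup_txt(name) stands in for the CA's own TXT query against the zone."""
        domain, account_jwk = self.pending[token]
        _, expected = dns01_record(domain, token, account_jwk)
        return any(hmac.compare_digest(v, expected) for v in lookup_txt(f"_acme-challenge.{domain}"))


def run_http01_flow(domain: str, account_jwk: dict, serve_wrong_body: bool = False) -> bool:
    """Slides 18-23 with http-01: request, token, publish, notify, CA fetches and compares."""
    ca = StubCA()
    token = ca.new_authorization(domain, account_jwk)
    url, body = http01_response(domain, token, account_jwk)
    web_server = {url: "some-other-value" if serve_wrong_body else body}  # what the site serves
    return ca.validate_http01(token, web_server.get)


def run_dns01_flow(domain: str, account_jwk: dict, publish: bool = True) -> bool:
    """Same round trip with dns-01: no web server involved, only control of the zone."""
    ca = StubCA()
    token = ca.new_authorization(domain, account_jwk)
    name, value = dns01_record(domain, token, account_jwk)
    zone = {name: [value]} if publish else {}  # the authoritative zone for the domain
    return ca.validate_dns01(token, lambda n: zone.get(n, []))


if __name__ == "__main__":
    tok = "constructed-token"  # a real token comes from the CA, see StubCA.new_authorization
    print(http01_response("example.com", tok, ACCOUNT_JWK))
    print(dns01_record("example.com", tok, ACCOUNT_JWK))
    print("http-01:", run_http01_flow("example.com", ACCOUNT_JWK))
    print("dns-01:", run_dns01_flow("example.com", ACCOUNT_JWK))
```

Two things worth noticing in the stub. The CA never trusts anything the client tells it about the result: it fetches the path or queries the TXT record itself, from its own network position, which is exactly why the MITM question in the FAQ matters. And the published value is not the bare token but `token.thumbprint`, so a token that leaks (for example through a log of the CA's request) cannot be reused by anyone who does not hold the matching account private key.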
  28. FAQ
    ● Wildcard certificate support?
    ○ Validation is harder, and the spec does not support it yet (as of this talk, April 2016).
    ● Mitigation against MITM in the validation step?
    ○ An attacker who can intercept traffic between the CA and the domain during validation (for example by hijacking DNS or a route) could pass a challenge for a domain they do not control. The ACME spec recommends checking from multiple vantage points to reduce this risk.
    ● nginx support?
    ○ Currently in experimental phase