Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let's Encrypt!

Let's Encrypt!

A brief introduction to Let's Encrypt, by Hugo Peixoto

Porto Codes

April 20, 2016
Tweet

More Decks by Porto Codes

Other Decks in Programming

Transcript

  1. Let’s encrypt!
    A brief introduction

    View Slide

  2. What
    Certificate Authority that provides TLS certificates

    View Slide

  3. What
    Certificate Authority that provides TLS certificates
    - Free of charge

    View Slide

  4. What
    Certificate Authority that provides TLS certificates
    - Free of charge
    - No human interaction required

    View Slide

  5. Why HTTPS?
    ● Security

    View Slide

  6. Why HTTPS?
    ● Security
    ● HTTP/2

    View Slide

  7. How does HTTPS work

    View Slide

  8. User Agent
    (browser)
    HTTPS server

    View Slide

  9. Owned by the site
    administrator
    Private key
    Public key
    Domain
    User Agent
    (browser)
    HTTPS server

    View Slide

  10. Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    User Agent
    (browser)
    HTTPS server

    View Slide

  11. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server

    View Slide

  12. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Certificate
    Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server

    View Slide

  13. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Certificate
    Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server
    Ow
    C
    Su
    Su
    ke
    Is
    Si
    Pr
    Pu

    View Slide

  14. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Certificate
    Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server

    View Slide

  15. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Certificate
    Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server

    View Slide

  16. Owned by the CA
    Owned by the site
    administrator
    Private key
    Public key
    Certificate
    Domain Subject
    Subject public
    key
    Issuer
    Signature
    Certificate
    Subject
    Subject public
    key
    Issuer
    Signature
    Private key
    Public key
    User Agent
    (browser)
    HTTPS server

    View Slide

  17. ACME protocol

    View Slide

  18. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method

    View Slide

  19. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token

    View Slide

  20. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token
    Client sets up the validation method with the given token

    View Slide

  21. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token
    Client sets up the validation method with the given token
    Client notifies the authority

    View Slide

  22. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token
    Client sets up the validation method with the given token
    Client notifies the authority
    Certificate Authority validates the domain name

    View Slide

  23. Client sends a request to the certificate authority with:
    - Domain name to validate
    - Public key
    - Validation method
    Certificate Authority replies with a challenge token
    Client sets up the validation method with the given token
    Client notifies the authority
    Certificate Authority validates the domain name
    If successful, sends back a certificate to the client for the validated domain

    View Slide

  24. Validation methods

    View Slide

  25. Validation methods
    - Simple HTTP request

    View Slide

  26. Validation methods
    - Simple HTTP request
    - DNS

    View Slide

  27. Validation methods
    - Simple HTTP request
    - DNS
    - Some other stuff, check the spec

    View Slide

  28. Tools

    View Slide

  29. Drawbacks

    View Slide

  30. FAQ

    View Slide

  31. FAQ
    ● Wildcard certificate support?
    ○ Validation is a bit harder, not supported by the spec yet.
    ● Mitigation against MITM in the validation step?
    ○ ACME spec recommends checking the connection from multiple vantage points to reduce this
    risk
    ● nginx support?
    ○ Currently in experimental phase

    View Slide