Securing Your Website

With Let's Encrypt

(In Under 5 Minutes)

Jeremy Satterfield

http://jsatt.com

https://github.com/jsatt

@jsatt

jsatt@jsatt.com

Primer on Protocols

HTTP

SSL/TLS

HTTPS

HTTP/2

TLS Handshake

Short: negotiate tls version, trade some random numbers, encrypt messages to verify, start talking application protocol
Negotiation Phase
- ClientHello - client sends supported TLS Version, random number, supported ciphers and compression methods
- ServerHello - server sends chosen TLS Version, random number, chosen ciphers and compression methods (based on client's)
- Certificate - server send public key certificate
- ServerHelloDone - server indicates handshake done
- ClientKeyExchange - client sends PreMasterSecret encrypted using server pub key
- Client and server use random numbers and PreMasterSecret to calculate common "master secret"
ChangeCipherSpec
- client sends "I only talk encrpted now"
- client send encrypted Finished
- server decrypts Finished, if decrypt fails handshake fails and connection torn down
- server sencs "I only talk encrypted now"
- client decrypts Finished, if decrypt fails handshake fails and connection torn down
Application Phase - handshake done, application protocol (HTTP) enabled, application messages encrypted using same methods as Finished
Shutdown - after all messages sent, connection torndown

Obtaining a Certificate

The old way

Prepare for Validation
Generate CSR
Order Certificate $$$
Have domain validated

Obtaining a Certificate

The old way

Prepare for Validation
Generate CSR
Order Certificate $$$
Have domain validated
Receive and Install Certificate

Let's Encrypt

Pros

Free

Automatic

Secure

Transparent

Open

Cooperative

Cons

Short Validity Time

No Wildcard Certificates

No Extended Validation or
Organization Validation

ACME

Obtaining a Certificate

In the modern world

Certbot


wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto certonly

Installing Your Certificate

https://mozilla.github.io/server-side-tls/ssl-config-generator/

nginx
Modern
nignx 1.4.6
openssl 1.0.1f

Wikipedia - Transport Layer Security

Let's Encrypt

ACME - Wikipedia GitHub

http://rebecca.meritz.com/ggm15/

Securing Your Website

With Let's Encrypt

(In Under 5 Minutes)

Jeremy Satterfield

Primer on Protocols

HTTP

SSL/TLS

HTTPS

HTTP/2

TLS Handshake

Obtaining a Certificate

The old way

Obtaining a Certificate

The old way

Let's Encrypt

Pros

Cons

ACME

Obtaining a Certificate

In the modern world

Certbot

Installing Your Certificate

More