Successfully reported this slideshow.
Your SlideShare is downloading. ×

Let's Encrypt! Wait. Why? How?

Dec. 03, 2016
0 likes 2,656 views
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Upcoming SlideShare
Let's Encrypt! Wait. Why? How? - WC Pune
Let's Encrypt! Wait. Why? How? - WC Pune
Loading in …3
×

Check these out next

Security and Privacy on the Web in 2016
Francois Marier
AWS SSH Bastion
Groots Software Technologies.
HTTPS @Scale
Arvind Mani
OWASP AppSecUSA Recap
Todd Grotenhuis
Cryptography - Overview
Mohammed Adam
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
Secure Developer Access at Decisiv
Teleport
1 of 35 Ad

Let's Encrypt! Wait. Why? How?

Dec. 03, 2016
0 likes 2,656 views

Download to read offline

Internet

On December 3rd, 2015 (one day before the inaugural WordCamp USA) a service called Let’s Encrypt entered its public beta. Backed by several major sponsors (including Automattic), the service caught on quickly. As of summer 2016, more than 5 million SSL certificates had been issued by Let’s Encrypt, nearly four million of which were active and unexpired.

If you are not familiar, Let’s Encrypt is a free, automated, open certificate authority that allows users to encrypt the data flowing to and from their websites easily and for free. The goal of Let’s Encrypt is to make data transfer over the internet secure by default. Towards that end, they have invested a considerable amount of time and energy in making it easy for users of all stripes to secure the data flowing in and out of their websites.

You may have already considered encrypting your website before — perhaps to perform better in search engines, or to gain the ability to accept payments on your website. Regardless of whether you’ve considered enabling SSL on your website or not, the goal of this talk is to demonstrate why encryption on your website matters. We will look at some practical examples and live demos of what data can be stolen from your website, even if you using an encrypted wifi connection. Likewise, we’ll talk about how encryption of all websites — whether they’re dealing with sensitive information or not — makes the web a safer place for all of us.

Last, of course, we will look at how you can get started with Let’s Encrypt on your website. We’ll review the options available to you on common hosting providers, as well as walk through the steps for how you can set this up for yourself, if you have administrative access to your server.

If you already have Let’s Encrypt enabled on your site, this talk may be basic for you (although we’ll do a few cool demos that make for great party tricks, so feel free to stop by).

If you’ve never accessed your hosting provider’s website admin area (CPanel, Plesk, etc), this talk might be a bit hard for you to follow (although you should totally come and ask questions both during the presentation and after).

If you have a WordPress website and you’ve thought about enabling SSL on it but you just haven’t gotten around to it yet, this talk will be perfect for you. By the end of this presentation, you should not only know how to enable encryption on your website, but you will understand why it’s so important that you do.

It sounds like an intimidating topic, but we can do this. Come on and let’s encrypt!

On December 3rd, 2015 (one day before the inaugural WordCamp USA) a service called Let’s Encrypt entered its public beta. Backed by several major sponsors (including Automattic), the service caught on quickly. As of summer 2016, more than 5 million SSL certificates had been issued by Let’s Encrypt, nearly four million of which were active and unexpired.

If you are not familiar, Let’s Encrypt is a free, automated, open certificate authority that allows users to encrypt the data flowing to and from their websites easily and for free. The goal of Let’s Encrypt is to make data transfer over the internet secure by default. Towards that end, they have invested a considerable amount of time and energy in making it easy for users of all stripes to secure the data flowing in and out of their websites.

You may have already considered encrypting your website before — perhaps to perform better in search engines, or to gain the ability to accept payments on your website. Regardless of whether you’ve considered enabling SSL on your website or not, the goal of this talk is to demonstrate why encryption on your website matters. We will look at some practical examples and live demos of what data can be stolen from your website, even if you using an encrypted wifi connection. Likewise, we’ll talk about how encryption of all websites — whether they’re dealing with sensitive information or not — makes the web a safer place for all of us.

Last, of course, we will look at how you can get started with Let’s Encrypt on your website. We’ll review the options available to you on common hosting providers, as well as walk through the steps for how you can set this up for yourself, if you have administrative access to your server.

If you already have Let’s Encrypt enabled on your site, this talk may be basic for you (although we’ll do a few cool demos that make for great party tricks, so feel free to stop by).

If you’ve never accessed your hosting provider’s website admin area (CPanel, Plesk, etc), this talk might be a bit hard for you to follow (although you should totally come and ask questions both during the presentation and after).

If you have a WordPress website and you’ve thought about enabling SSL on it but you just haven’t gotten around to it yet, this talk will be perfect for you. By the end of this presentation, you should not only know how to enable encryption on your website, but you will understand why it’s so important that you do.

It sounds like an intimidating topic, but we can do this. Come on and let’s encrypt!

Internet
Advertisement

Recommended

Let's Encrypt! Wait. Why? How? - WC Pune
Nancy Thanki
1.9k views
37 slides
WPNYC: Moving your site to HTTPS
Paul Schreiber
690 views
121 slides
HTTPS, Here and Now
Philippe De Ryck
1.7k views
90 slides
What Every Software Engineer Should Know About Security and Encryption
All Things Open
340 views
91 slides
HTTPS and YOU
Eric Lewis
785 views
34 slides
Ssl certificate in internet world
jamesbarns729
16 views
6 slides
Passwords
Kevin OBrien
929 views
46 slides
SSL certificates
Kevin OBrien
814 views
50 slides
Advertisement

More Related Content

Slideshows for you (15)

Security and Privacy on the Web in 2016
Francois Marier
670 views
AWS SSH Bastion
Groots Software Technologies.
71 views
HTTPS @Scale
Arvind Mani
497 views
OWASP AppSecUSA Recap
Todd Grotenhuis
483 views
Cryptography - Overview
Mohammed Adam
341 views
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
767 views
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
768 views
Secure Developer Access at Decisiv
Teleport
408 views
Microservices Security Landscape
Prabath Siriwardena
1.2k views
Basics of ssl
n|u - The Open Security Community
2.5k views
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
620 views
Tls 1.3
Kevin OBrien
786 views
Top 10 Web Hacks 2013
Matt Johansen
2.8k views
Mule security pgp with Example
D.Rajesh Kumar
1k views
TLS v1.3
Siddhartha Rao
421 views
Security and Privacy on the Web in 2016
Francois Marier
670 views
116 slides
AWS SSH Bastion
Groots Software Technologies.
71 views
6 slides
HTTPS @Scale
Arvind Mani
497 views
32 slides
OWASP AppSecUSA Recap
Todd Grotenhuis
483 views
28 slides
Cryptography - Overview
Mohammed Adam
341 views
45 slides
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
767 views
23 slides

Viewers also liked (8)

So You've Released A WordPress Product... Now What?
Ines van Essen - van Dijk
686 views
Internationalizing The New York Times
Scott Taylor
1.9k views
From Shadows to Limelight: How women found their voice at WordCamp Montreal
Kathryn Presner
34.3k views
WordCamp US 2016 - How to Talk Content: A Guide for Developers
Lisa Melegari
434 views
Iceberg.Life
Cory Miller
1.3k views
State of the Word 2014
photomatt
137.4k views
State of the Word 2015, WordCamp US
photomatt
366.2k views
Open Source Creativity
Sara Cannon
172.5k views
So You've Released A WordPress Product... Now What?
Ines van Essen - van Dijk
686 views
16 slides
Internationalizing The New York Times
Scott Taylor
1.9k views
53 slides
From Shadows to Limelight: How women found their voice at WordCamp Montreal
Kathryn Presner
34.3k views
56 slides
WordCamp US 2016 - How to Talk Content: A Guide for Developers
Lisa Melegari
434 views
20 slides
Iceberg.Life
Cory Miller
1.3k views
23 slides
State of the Word 2014
photomatt
137.4k views
70 slides
Advertisement

Similar to Let's Encrypt! Wait. Why? How? (20)

Secure socket layer
BU
768 views
The world of encryption
Mohammad Yousri
794 views
3441355 ln motileng_ssl_report
Lavius Nkateko Motileng
188 views
Secure sockets layer, ssl presentation
Amjad Bhutto
88 views
Details about the SSL Certificate
CheapSSLUSA
534 views
Paid vs Free SSL Certificates: Which One Should You Pick in 2021?
RonanMarco1
46 views
Demystfying secure certs
Gary Williams
882 views
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
Peter LaFond
93 views
White paper - Full SSL automation with OneClickSSL
GlobalSign
563 views
ssl's guide
Shakil Malik
52 views
Demonstration of secure socket layer(synopsis)
Mumbai Academisc
527 views
Certificate pinning in android applications
Arash Ramez
670 views
SSL Certificate: Stamp of Web Security
HTS Hosting
69 views
Firewalls
Gajendra Saini
379 views
Https
Billa Kota Sriram
396 views
SSL Primer
Mahadev Gaonkar
160 views
How does ssl work
Dana Tierney
125 views
presentation2-151203145018-lva1-app6891.pdf
GumanSingh10
3 views
SSL
Badrul Alam bulon
7.8k views
Beginners Guide to SSL | SSL Tutorial
William hendric
316 views
Secure socket layer
BU
768 views
31 slides
The world of encryption
Mohammad Yousri
794 views
24 slides
3441355 ln motileng_ssl_report
Lavius Nkateko Motileng
188 views
3 slides
Secure sockets layer, ssl presentation
Amjad Bhutto
88 views
13 slides
Details about the SSL Certificate
CheapSSLUSA
534 views
22 slides
Paid vs Free SSL Certificates: Which One Should You Pick in 2021?
RonanMarco1
46 views
17 slides

More from Nancy Thanki (6)

The GPL: What It Means (And What It Doesn't) - WC Udaipur
Nancy Thanki
2.2k views
Accessible Websites: What are they and why should I care?
Nancy Thanki
2.2k views
Demystifying Accessible Websites - WCUS 2015
Nancy Thanki
3.5k views
Best Practices for Building Accessible Websites in Wordpress
Nancy Thanki
2.3k views
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Nancy Thanki
2.9k views
Images for Wordpress - WordCamp Seattle 2014 - Nancy Thanki
Nancy Thanki
1.9k views
The GPL: What It Means (And What It Doesn't) - WC Udaipur
Nancy Thanki
2.2k views
66 slides
Accessible Websites: What are they and why should I care?
Nancy Thanki
2.2k views
31 slides
Demystifying Accessible Websites - WCUS 2015
Nancy Thanki
3.5k views
35 slides
Best Practices for Building Accessible Websites in Wordpress
Nancy Thanki
2.3k views
22 slides
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Nancy Thanki
2.9k views
22 slides
Images for Wordpress - WordCamp Seattle 2014 - Nancy Thanki
Nancy Thanki
1.9k views
17 slides
Advertisement

Recently uploaded (20)

Chapter 4 Project Integration Management.ppt
AhmadTawfigAlRadaide
1 view
Fire Presentation.pptx
Prabin Pandit
2 views
Treatment of diabetes.docx
write31
0 views
presentation1-160505114853.pdf
JaydeepPrajapati33
0 views
Use either the first derivative test or the second derivative.docx
write5
0 views
readmission penalties Discussion.docx
write4
0 views
Cyber Espionage.pptx
AyushKushwaha39
2 views
Recommended dosage of herbal supplements.docx
write22
3 views
how_to_migrate_from_universal_anaytics_to_google_analytics_4_ga4_a_definitive...
sarah david
0 views
Ashok Prasad (Abhishek)
hephziraj
5 views
November 202222
DanielAzraie2
0 views
Datasheet_Product_Comparison(EN)_836610.pdf
LeningNajera
1 view
atma.pptx
Muadalaghbri
2 views
Internet Safety.pptx
JonAntonio1
3 views
Variable and Arguments_4.pptx
Rohit Radhakrishnan
407 views
Chapter 1 Introduction to Project Management.ppt
AhmadTawfigAlRadaide
2 views
how_to_migrate_from_universal_anaytics_to_google_analytics_4_ga4_a_definitive...
sarah david
0 views
$750 paypal giveaway
MichelleRobinson778000
0 views
Public Health 101 Series from.docx
write4
0 views
DSA - Array.pptx
11STEM2PGROUP1
0 views
Chapter 4 Project Integration Management.ppt
AhmadTawfigAlRadaide
1 view
54 slides
Fire Presentation.pptx
Prabin Pandit
2 views
17 slides
Treatment of diabetes.docx
write31
0 views
1 slide
presentation1-160505114853.pdf
JaydeepPrajapati33
0 views
11 slides
Use either the first derivative test or the second derivative.docx
write5
0 views
2 slides
readmission penalties Discussion.docx
write4
0 views
2 slides

Let's Encrypt! Wait. Why? How?

  1. 1. LET’S ENCRYPT! WAIT. WHY? HOW? @NancyThanki
  2. 2. WHAT IS HTTPS
  3. 3. HTTP PROTOCOL + SECURITY ▸ SSL/TLS ( Secure Sockets Layer / Transport Layer Security) ▸ keeps your passwords, communications, and credit card details safe between your computer and the servers you’re communicating with on the other side. ▸ still speaking in HTTP, but the communication is encrypted and decrypted
  4. 4. HOW DOES IT WORK? HELLO —> CERTIFICATE EXCHANGE —> KEY EXCHANGE 1. ClientHello message ▸ aka the information the server needs to connect to the client via SSL ▸ server will respond with a ServerHello i.e. similar info including the cipher suite and version of SSL to be used 2.Certificate Exchange ▸ the server needs to prove its identity via its SSL certificate* ▸ does it either (a) implicitly trust or (b) is it verified by one of many CAs 3. Key Exchange ‣ Encryption via a symmetric algorithm using a single key * the client may also need to prove its identity, but not always
  5. 5. WHAT’S THE POINT? ▸ HTTP requests and responses can now be sent through an encrypted plaintext message ▸ i.e. verifies that you’re talking directly to the the server you think you’re talking to ▸ But because only the other side knows how to decrypt this message, Man In The Middle Attackers are unable to read or modify any requests that they may intercept. ▸ i.e. ensures that only that server can read what you send and only you can read what it sends Diffie–Hellman Key Exchange
  6. 6. WHILST THE LITTLE GREEN PADLOCK AND THE LETTERS “HTTPS” IN YOUR ADDRESS BAR DON’T MEAN THAT THERE ISN’T STILL AMPLE ROPE FOR BOTH YOU AND THE WEBSITE YOU ARE VIEWING TO HANG YOURSELVES ELSEWHERE, THEY DO AT LEAST HELP YOU COMMUNICATE SECURELY WHILST YOU DO SO. Rob Heaton
  7. 7. SIGNIFICANCE OF SSL
  8. 8. ▸ if you see encrypted traffic today, you can generally assume there is a reason. ▸ by encrypting everything you give cover to those who need it ▸ for example political dissidents
  9. 9. SNOWDEN LEAKS
  10. 10. PRIVACY AS A RIGHT
  11. 11. FREEDOM OF SOFTWARE* * well respected within the WordPress community
  12. 12. FREEDOM OF PRIVACY
  13. 13. FREEDOM TO USE SOFTWARE + FREEDOM TO USE IT PRIVATELY
  14. 14. NEVER “JUST” A BLOG
  15. 15. HOW DOES SSL WORK?
  16. 16. HOW DOES SSL WORK? WHY DOES IT PROTECT SENSITIVE INFORMATION? 1. 2 key encryption ▸ private key and public key agree on a key for this exchange ▸ symmetric algorithm with asymmetric encryption ▸ anyone can encrypt using the public key, but only the server can decrypt using the private key 2. digital signature is “signed” by another authority 3. self-signing
  17. 17. WHAT IS A “CA”? (AKA CERTIFICATE AUTHORITY)
  18. 18. “A NOTARY FOR THE WEB”
  19. 19. WHAT IS “LET’S ENCRYPT”?
  20. 20. WHAT IS “LET’S ENCRYPT”? SETUP OF A DOMAIN VALIDATION (DV) CERTIFICATE* 1. Download Let’s Encrypt on your server that has the address www.oohshinywebsite.com: sudo apt-get install lets-encrypt 2. You run it as sudo telling it you want to get a certificate for your domain lets-encrypt oohshinywebsite.com * DV Certificate = “the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.” There are other types of certificates with varying requirements.
  21. 21. SO…HOW DO YOU ENCRYPT YOUR SITE?
  22. 22. SHARED HOSTING ‣ Bluehost ‣ GoDaddy ‣ Pantheon ‣ LiteSpeed ‣ SiteGround ‣ Media Temple ‣ Flywheel ‣ WP Engine ‣ DreamHost ‣ LE’s community list
  23. 23. HOW TO ENCRYPT YOUR SITE VPS AND OTHER SERVER SETUPS ▸ nginx - https://www.digitalocean.com/community/tutorials/ how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04 ▸ Apache - https://www.digitalocean.com/community/ tutorials/how-to-secure-apache-with-let-s-encrypt-on- ubuntu-14-04 ▸ Centos vs Debian/Ubuntu - https://www.linode.com/docs/ security/ssl/install-lets-encrypt-to-create-ssl-certificates
  24. 24. WORDPRESS.COM It’s already done. Learn more here and here. Sign up here
  25. 25. COMMON ISSUES
  26. 26. THE BAD ▸ No wild cards, i.e. difficult in multi/ load-balanced setup ▸ Renewal every 90 days THE GOOD ▸ Easy to setup ▸ Free to use ▸ Good for single server setups
  27. 27. COMMON ISSUES JETPACK ▸ change WordPress settings ▸ Dashboard > Settings > General ▸ site URL, WordPress URL GOOGLE SEO ▸ your search rankings vs any modicum of care you have for your audience
  28. 28. FAQS
  29. 29. FAQS I SET IT ALL UP. DOES THIS MEAN I WON’T BE HACKED? No. Absolutely not. WILL IT MAKE MY SITE SLOWER? Not really. WHAT’S THE DIFFERENCE BETWEEN “LET’S ENCRYPT” AND PAID SSL CERTIFICATES? Nothing technically. But within things like PR or insurance… kinda.
  30. 30. COMMON MISCONCEPTIONS
  31. 31. COMMON MISCONCEPTIONS* AUTHENTICATION “A proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to a criminal’s server.” INTEGRITY “because it’s now over HTTPS, and you’re protecting against MITM attacks you can be assured that the information is in fact the information you’re meant to get.” ENCRYPTION “it encrypts the information as it’s being transferred from the browser to the web server. This is known as encryption in transit, and talks to nothing about encryption at rest.” * Read Tony Perez’s article :)
  32. 32. COMMON MISCONCEPTIONS* PHISHING if the website housing the phishing page has https, and it is verified, it will show the user that lovely green padlock. NATION STATE ATTACKS “My advice, assume everything you do online — HTTPS or HTTP — is being monitored. IN CONCLUSION It’s definitely a critical piece of the overarching security wheel associated with website security, but it’s not going to stop websites from getting hacked, the distribution of malware or keep website owners safe. * Read Tony Perez’s article :)
  33. 33. CROWDFUNDING LET’S ENCRYPT GITHUB
  34. 34. SOURCES ▸ http://robertheaton.com/2014/03/27/how-does-https-actually-work/ ▸ http://security.stackexchange.com/questions/11464/getting-a-root-ca-accepted-in-systems-and- browsers ▸ http://robertheaton.com/2015/04/06/the-ssl-freak-vulnerability/ ▸ https://blog.hartleybrody.com/https-certificates/ ▸ https://www.cryptologie.net/article/274/lets-encrypt-overview/ ▸ https://letsencrypt.org/getting-started/ ▸ https://www.youtube.com/watch?v=OZyXx8Ie4pA ▸ https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/ ▸ https://medium.com/@kevinsimper/review-of-getting-free-https-with-let-s-encrypt-5515f74be5f6#. 5qzjv4bc8 ▸ https://perezbox.com/2015/07/https-does-not-secure-your-website/

×