LET’S ENCRYPT!
WAIT. WHY? HOW?
WordCamp Pune | @NancyThanki
WHAT IS HTTPS?
HTTP PROTOCOL + SECURITY
▸ SSL/TLS (Secure Sockets Layer / Transport Layer Security)
▸ keeps your passwords, communications, and credit card details safe between your computer and the servers you’re communicating with on the other side
▸ you are still speaking HTTP, but the communication is encrypted on one side and decrypted on the other
HOW DOES IT WORK?
HELLO —> CERTIFICATE EXCHANGE —> KEY EXCHANGE
1. ClientHello message
▸ aka the information the server needs to connect to the client via SSL
▸ the server responds with a ServerHello, i.e. similar info including the cipher suite and version of SSL to be used
2. Certificate Exchange
▸ the server needs to prove its identity via its SSL certificate*
▸ the client either (a) trusts the certificate implicitly or (b) checks that it is verified by one of many CAs
3. Key Exchange
▸ the two sides agree on a single key, and from then on encrypt via a symmetric algorithm using that key
* the client may also need to prove its identity, but not always
WHAT’S THE POINT?
▸ HTTP requests and responses are still formed as plaintext messages, but are now encrypted before being sent
▸ i.e. verifies that you’re talking directly to the server you think you’re talking to
▸ and because only the other side knows how to decrypt this message, Man In The Middle attackers are unable to read or modify any requests that they may intercept
▸ i.e. ensures that only that server can read what you send and only you can read what it sends
Diffie–Hellman Key Exchange
“Whilst the little green padlock and the letters ‘HTTPS’ in your address bar don’t mean that there isn’t still ample rope for both you and the website you are viewing to hang yourselves elsewhere, they do at least help you communicate securely whilst you do so.” (Rob Heaton)
SIGNIFICANCE OF SSL
▸ if you see encrypted traffic today, you can generally assume there is a reason
▸ by encrypting everything, you give cover to those who need it
▸ for example political dissidents
SNOWDEN LEAKS
PRIVACY AS A RIGHT
FREEDOM OF SOFTWARE*
* well respected within the WordPress community
FREEDOM OF PRIVACY
FREEDOM TO USE SOFTWARE + FREEDOM TO USE IT PRIVATELY
NEVER “JUST” A BLOG
HOW DOES SSL WORK?
WHY DOES IT PROTECT SENSITIVE INFORMATION?
1. two-key encryption
▸ the private key and public key are used to agree on a key for this exchange
▸ a symmetric algorithm combined with asymmetric encryption
▸ anyone can encrypt using the public key, but only the server can decrypt using the private key
2. digital signature: the certificate is “signed” by another authority
3. self-signing
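An added toy walkthrough, written for this page rather than taken from the deck or from any TLS library, of the two-key idea on this slide and the Diffie–Hellman caption on the “What’s the point?” slide: each side combines its own private value with the other’s public value to reach the same secret, a symmetric key is derived from it, and the HTTP request is then encrypted and integrity-tagged. The 127-bit prime, the generator 3 and the HMAC-based stream cipher are constructed toy choices, far too weak for real use.

```python
"""Toy model of the TLS idea in the slides: asymmetric key agreement
(Diffie-Hellman) to settle on ONE key, then a symmetric cipher for the
actual HTTP traffic. Constructed toy parameters; this is not a real TLS
implementation and must not be used to protect anything."""
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime, but real deployments use >= 2048-bit
# MODP groups or elliptic curves. g = 3 is an arbitrary generator choice.
P = 2**127 - 1
G = 3


def dh_keypair():
    """Private exponent a, public value A = g^a mod p (what goes on the wire)."""
    private = secrets.randbelow(P - 2) + 1          # 1 <= a <= p-2
    public = pow(G, private, P)
    return private, public


def dh_shared_secret(my_private, their_public):
    """Both sides compute g^(ab) mod p; an eavesdropper sees only g^a and g^b."""
    return pow(their_public, my_private, P)


def derive_key(shared_secret):
    """Hash the agreed integer into a fixed-size symmetric key (toy KDF)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a toy stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    """Return nonce || ciphertext || tag. The tag is the integrity part: a
    Man-in-the-Middle who flips ciphertext bits is detected, not just blinded."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first, then strip the keystream. Raises on tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified in transit")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def tamper_detected(key, blob, byte_index=16):
    """Flip one bit of the wire blob and report whether decrypt() rejects it."""
    damaged = bytearray(blob)
    damaged[byte_index] ^= 0x01
    try:
        decrypt(key, bytes(damaged))
    except ValueError:
        return True
    return False


def handshake_and_send(request):
    """Run the exchange between a browser and a server; return what each side
    ends up with, plus everything an observer on the wire gets to see."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    # Each side combines its own private value with the other's public value.
    # The certificate step (not modelled here) is what ties server_pub to a
    # real identity; without it nothing proves whose public value this is.
    client_key = derive_key(dh_shared_secret(client_priv, server_pub))
    server_key = derive_key(dh_shared_secret(server_priv, client_pub))
    wire = encrypt(client_key, request)          # still an HTTP message, now encrypted
    received = decrypt(server_key, wire)
    return {
        "keys_match": client_key == server_key,
        "server_read": received,
        "on_the_wire": (client_pub, server_pub, wire),   # all an observer sees
    }


if __name__ == "__main__":
    result = handshake_and_send(b"POST /wp-login.php HTTP/1.1\r\n\r\nlog=admin&pwd=hunter2")
    print("keys match:", result["keys_match"])
    print("server read:", result["server_read"])
```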
WHAT IS A “CA”? (AKA CERTIFICATE AUTHORITY)
“A NOTARY FOR THE WEB”
WHAT IS “LET’S ENCRYPT”?
SETUP OF A DOMAIN VALIDATION (DV) CERTIFICATE*
1. Install the Let’s Encrypt client on the server that serves www.oohshinywebsite.com:
   sudo apt-get install lets-encrypt
2. Run it as sudo, telling it you want a certificate for your domain:
   lets-encrypt oohshinywebsite.com
* DV Certificate = “the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.” There are other types of certificates with varying requirements.
SO… HOW DO YOU ENCRYPT YOUR SITE?
SHARED HOSTING
‣ Bluehost
‣ GoDaddy
‣ SiteGround
‣ WP Engine
‣ DreamHost
‣ HostGator
‣ Big Rock
‣ Hosting Raja
‣ Hostripples
‣ Domain Racer
‣ InMotion Hosting
‣ LE’s community list
HOW TO ENCRYPT YOUR SITE
VPS AND OTHER SERVER SETUPS
▸ nginx - https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
▸ Apache - https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
▸ CentOS vs Debian/Ubuntu - https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
WORDPRESS.COM
It’s already done.
Learn more here and here.
Sign up here
COMMON ISSUES
THE BAD
▸ No wildcards, i.e. difficult in multi-server / load-balanced setups
▸ Renewal every 90 days
THE GOOD
▸ Easy to set up
▸ Free to use
▸ Good for single-server setups
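The two “bad” points above (no wildcards, a 90-day lifetime) and the DV footnote earlier are all visible in the certificate itself. As an added example that is not part of the deck, this Python script runs those checks offline on a certificate dict in the shape returned by ssl.SSLSocket.getpeercert(); the sample certificate and the “now” dates are constructed, the 30-day renewal threshold is an assumed client default, and the wildcard rule is the general single-label convention rather than anything Let’s Encrypt issued at the time.

```python
"""Offline checks for a Let's Encrypt style DV certificate, in the dict
shape that ssl.SSLSocket.getpeercert() returns. Added example, not part of
the deck; SAMPLE_CERT is constructed to mimic a 90-day DV certificate."""
import ssl
from datetime import datetime, timezone

RENEW_WHEN_DAYS_LEFT = 30   # assumed client default: renew well before day 90

SAMPLE_CERT = {  # constructed; only the fields the checks below need
    "subject": ((("commonName", "oohshinywebsite.com"),),),
    "issuer": ((("organizationName", "Let's Encrypt"),),),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",    # exactly 90 days later
    "subjectAltName": (("DNS", "oohshinywebsite.com"),
                       ("DNS", "www.oohshinywebsite.com")),
}


def utc(year, month, day):
    """Helper for a constructed 'now' at midnight UTC."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def _name_attrs(cert, field="subject"):
    """Flatten getpeercert()'s tuple-of-tuples name into a plain dict."""
    return {k: v for rdn in cert.get(field, ()) for k, v in rdn}


def is_domain_validated(cert):
    """DV certificates carry no vetted organisation, so the subject has no
    organizationName; OV/EV certificates put the company into the subject."""
    return "organizationName" not in _name_attrs(cert)


def _label_matches(pattern, hostname):
    """RFC 6125 style: a wildcard may only stand in for the whole leftmost label."""
    p_labels, h_labels = pattern.lower().split("."), hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert, hostname):
    """Browsers match the URL's host against the SAN DNS entries (not the CN).
    Without a wildcard, only the names literally listed are covered, which is
    the pain point for setups with many subdomains."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    return any(_label_matches(san, hostname) for san in sans)


def days_until_expiry(cert, now):
    """Whole days left before notAfter, using ssl's own certificate date parser."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now.timestamp()) // 86400)


def check_certificate(cert, hostname, now):
    """Summarise what the padlock does and does not tell you for this cert."""
    days_left = days_until_expiry(cert, now)
    return {
        "hostname_ok": hostname_matches(cert, hostname),
        "domain_validated_only": is_domain_validated(cert),
        "days_left": days_left,
        "expired": days_left < 0,
        "renew_now": 0 <= days_left < RENEW_WHEN_DAYS_LEFT,
    }


if __name__ == "__main__":
    today = utc(2024, 5, 10)   # constructed "now": 20 days before expiry
    for host in ("www.oohshinywebsite.com", "blog.oohshinywebsite.com"):
        print(host, check_certificate(SAMPLE_CERT, host, today))
```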
JETPACK
▸ change WordPress settings
▸ Dashboard > Settings > General
▸ site URL, WordPress URL
GOOGLE SEO
▸ your search rankings vs any modicum of care you have for your audience
FAQS
I SET IT ALL UP. DOES THIS MEAN I WON’T BE HACKED?
No. Absolutely not.
WILL IT MAKE MY SITE SLOWER?
Not really.
WHAT’S THE DIFFERENCE BETWEEN “LET’S ENCRYPT” AND PAID SSL CERTIFICATES?
Nothing technically. But within things like PR or insurance… kinda.
COMMON MISCONCEPTIONS*
AUTHENTICATION
“A proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to a criminal’s server.”
INTEGRITY
“because it’s now over HTTPS, and you’re protecting against MITM attacks you can be assured that the information is in fact the information you’re meant to get.”
ENCRYPTION
“it encrypts the information as it’s being transferred from the browser to the web server. This is known as encryption in transit, and talks to nothing about encryption at rest.”
PHISHING
if the website housing the phishing page has HTTPS, and it is verified, it will show the user that lovely green padlock.
NATION STATE ATTACKS
“My advice, assume everything you do online — HTTPS or HTTP — is being monitored.”
IN CONCLUSION
It’s definitely a critical piece of the overarching security wheel associated with website security, but it’s not going to stop websites from getting hacked, the distribution of malware or keep website owners safe.
* Read Tony Perez’s article :)
CROWDFUNDING
LET’S ENCRYPT
GITHUB
SOURCES
▸ http://robertheaton.com/2014/03/27/how-does-https-actually-work/
▸ http://security.stackexchange.com/questions/11464/getting-a-root-ca-accepted-in-systems-and-browsers
▸ http://robertheaton.com/2015/04/06/the-ssl-freak-vulnerability/
▸ https://blog.hartleybrody.com/https-certificates/
▸ https://www.cryptologie.net/article/274/lets-encrypt-overview/
▸ https://letsencrypt.org/getting-started/
▸ https://www.youtube.com/watch?v=OZyXx8Ie4pA
▸ https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/
▸ https://medium.com/@kevinsimper/review-of-getting-free-https-with-let-s-encrypt-5515f74be5f6#.5qzjv4bc8
▸ https://perezbox.com/2015/07/https-does-not-secure-your-website/
JOIN AUTOMATTIC
▸ Apply - http://automattic.com/work-with-us
▸ Want more information?
▸ You are welcome at our booth
COME WORK WITH US!
▸ Be a part of products that power over 27% of the web
▸ Collaborate with and learn from 500+ colleagues in 60+ countries
▸ Set work hours that are convenient for you and your family
▸ Earn a globally competitive salary while living in India
▸ Travel a few times a year to meet your team, and engage with the wider WordPress
community
▸ Apply at http://automattic.com/work-with-us
▸ Want to learn more?
▸ Come chat with us at our booth!

More Related Content

What's hot

Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
Francois Marier
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
Mohammed Adam
 
Https
HttpsHttps
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
Arvind Mani
 
Https
HttpsHttps
OWASP AppSecUSA Recap
OWASP AppSecUSA RecapOWASP AppSecUSA Recap
OWASP AppSecUSA Recap
Todd Grotenhuis
 
Https
HttpsHttps
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
Abhishek Kumar
 
Puzzle Lock
Puzzle LockPuzzle Lock
Puzzle Lock
Senad Aruc
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
Abhishek Kumar
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
Prabath Siriwardena
 
Basics of ssl
Basics of sslBasics of ssl
Tls 1.3
Tls 1.3Tls 1.3
Tls 1.3
Kevin OBrien
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
Matt Johansen
 
Mule security pgp with Example
Mule security pgp with ExampleMule security pgp with Example
Mule security pgp with Example
D.Rajesh Kumar
 
TLS v1.3
TLS v1.3TLS v1.3
TLS v1.3
Siddhartha Rao
 
Ssl
SslSsl
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 

What's hot (19)

Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016Security and Privacy on the Web in 2016
Security and Privacy on the Web in 2016
 
Cryptography - Overview
Cryptography - OverviewCryptography - Overview
Cryptography - Overview
 
Https
HttpsHttps
Https
 
HTTPS @Scale
HTTPS @ScaleHTTPS @Scale
HTTPS @Scale
 
Https
HttpsHttps
Https
 
OWASP AppSecUSA Recap
OWASP AppSecUSA RecapOWASP AppSecUSA Recap
OWASP AppSecUSA Recap
 
Https
HttpsHttps
Https
 
Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)Insecurity-In-Security version.2 (2011)
Insecurity-In-Security version.2 (2011)
 
Puzzle Lock
Puzzle LockPuzzle Lock
Puzzle Lock
 
Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)Insecurity-In-Security version.1 (2010)
Insecurity-In-Security version.1 (2010)
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
Microservices Security Landscape
Microservices Security LandscapeMicroservices Security Landscape
Microservices Security Landscape
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
Tls 1.3
Tls 1.3Tls 1.3
Tls 1.3
 
Top 10 Web Hacks 2013
Top 10 Web Hacks 2013Top 10 Web Hacks 2013
Top 10 Web Hacks 2013
 
Mule security pgp with Example
Mule security pgp with ExampleMule security pgp with Example
Mule security pgp with Example
 
TLS v1.3
TLS v1.3TLS v1.3
TLS v1.3
 
Ssl
SslSsl
Ssl
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 

Viewers also liked

Certificados SSL e Let's Encrypt
Certificados SSL e Let's EncryptCertificados SSL e Let's Encrypt
Certificados SSL e Let's Encrypt
MOSS Open Source Services
 
Accessible Websites: What are they and why should I care?
Accessible Websites: What are they and why should I care?Accessible Websites: What are they and why should I care?
Accessible Websites: What are they and why should I care?
Nancy Thanki
 
Demystifying Accessible Websites - WCUS 2015
Demystifying Accessible Websites - WCUS 2015Demystifying Accessible Websites - WCUS 2015
Demystifying Accessible Websites - WCUS 2015
Nancy Thanki
 
The GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC UdaipurThe GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC Udaipur
Nancy Thanki
 
Website Design with UX in Mind
Website Design with UX in MindWebsite Design with UX in Mind
Website Design with UX in Mind
Melissa Eggleston
 
The Goldilocks Zone: Finding the Perfect Length for Blog Posts
The Goldilocks Zone: Finding the Perfect Length for Blog PostsThe Goldilocks Zone: Finding the Perfect Length for Blog Posts
The Goldilocks Zone: Finding the Perfect Length for Blog Posts
Sarah Giavedoni
 
Staying Connected: Securing Your WordPress Website
Staying Connected: Securing Your WordPress WebsiteStaying Connected: Securing Your WordPress Website
Staying Connected: Securing Your WordPress Website
Raymund Mitchell
 
Resources and lessons for using WordPress in your business
Resources and lessons for using WordPress in your businessResources and lessons for using WordPress in your business
Resources and lessons for using WordPress in your business
Steven Slack
 
Creating a Promo Video using Your iPad and Editing with iMovie for iPad
Creating a Promo Video using Your iPad and Editing with iMovie for iPadCreating a Promo Video using Your iPad and Editing with iMovie for iPad
Creating a Promo Video using Your iPad and Editing with iMovie for iPad
New Tricks
 
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
Mickey Mellen
 
Empathetc Development
Empathetc DevelopmentEmpathetc Development
Empathetc Development
Kyle Evans
 
SEO goes Local
SEO goes LocalSEO goes Local
SEO goes Local
Rich Owings
 
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Building Accessible Websites in WordPress - Birmingham WordCamp 2014Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Nancy Thanki
 
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
Sanitizing, Validating and Escaping in WordPress Themes and PluginsSanitizing, Validating and Escaping in WordPress Themes and Plugins
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
Micah Wood
 
Typography and User Experience in Web Design
Typography and User Experience in Web DesignTypography and User Experience in Web Design
Typography and User Experience in Web Design
Sara Cannon
 
WordCamp Asheville 2015 - Connections
WordCamp Asheville 2015 - ConnectionsWordCamp Asheville 2015 - Connections
WordCamp Asheville 2015 - Connections
Carrie Dils
 
Why we publish -- WordCamp Birmingham 2014
Why we publish -- WordCamp Birmingham 2014Why we publish -- WordCamp Birmingham 2014
Why we publish -- WordCamp Birmingham 2014
Brian Krogsgard
 

Viewers also liked (17)

Certificados SSL e Let's Encrypt
Certificados SSL e Let's EncryptCertificados SSL e Let's Encrypt
Certificados SSL e Let's Encrypt
 
Accessible Websites: What are they and why should I care?
Accessible Websites: What are they and why should I care?Accessible Websites: What are they and why should I care?
Accessible Websites: What are they and why should I care?
 
Demystifying Accessible Websites - WCUS 2015
Demystifying Accessible Websites - WCUS 2015Demystifying Accessible Websites - WCUS 2015
Demystifying Accessible Websites - WCUS 2015
 
The GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC UdaipurThe GPL: What It Means (And What It Doesn't) - WC Udaipur
The GPL: What It Means (And What It Doesn't) - WC Udaipur
 
Website Design with UX in Mind
Website Design with UX in MindWebsite Design with UX in Mind
Website Design with UX in Mind
 
The Goldilocks Zone: Finding the Perfect Length for Blog Posts
The Goldilocks Zone: Finding the Perfect Length for Blog PostsThe Goldilocks Zone: Finding the Perfect Length for Blog Posts
The Goldilocks Zone: Finding the Perfect Length for Blog Posts
 
Staying Connected: Securing Your WordPress Website
Staying Connected: Securing Your WordPress WebsiteStaying Connected: Securing Your WordPress Website
Staying Connected: Securing Your WordPress Website
 
Resources and lessons for using WordPress in your business
Resources and lessons for using WordPress in your businessResources and lessons for using WordPress in your business
Resources and lessons for using WordPress in your business
 
Creating a Promo Video using Your iPad and Editing with iMovie for iPad
Creating a Promo Video using Your iPad and Editing with iMovie for iPadCreating a Promo Video using Your iPad and Editing with iMovie for iPad
Creating a Promo Video using Your iPad and Editing with iMovie for iPad
 
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
WordCamp Birmingham 2014: SEO Workshop: Best Practices for Better Website Tra...
 
Empathetc Development
Empathetc DevelopmentEmpathetc Development
Empathetc Development
 
SEO goes Local
SEO goes LocalSEO goes Local
SEO goes Local
 
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Building Accessible Websites in WordPress - Birmingham WordCamp 2014Building Accessible Websites in WordPress - Birmingham WordCamp 2014
Building Accessible Websites in WordPress - Birmingham WordCamp 2014
 
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
Sanitizing, Validating and Escaping in WordPress Themes and PluginsSanitizing, Validating and Escaping in WordPress Themes and Plugins
Sanitizing, Validating and Escaping in WordPress Themes and Plugins
 
Typography and User Experience in Web Design
Typography and User Experience in Web DesignTypography and User Experience in Web Design
Typography and User Experience in Web Design
 
WordCamp Asheville 2015 - Connections
WordCamp Asheville 2015 - ConnectionsWordCamp Asheville 2015 - Connections
WordCamp Asheville 2015 - Connections
 
Why we publish -- WordCamp Birmingham 2014
Why we publish -- WordCamp Birmingham 2014Why we publish -- WordCamp Birmingham 2014
Why we publish -- WordCamp Birmingham 2014
 

Similar to Let's Encrypt! Wait. Why? How? - WC Pune

Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
RapidSSLOnline.com
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
Peter LaFond
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??
SEONetsolITSolutions
 
HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?
CheapSSLsecurity
 
Getting started with HTTPS | LumoSpark webinar
Getting started with HTTPS | LumoSpark webinar Getting started with HTTPS | LumoSpark webinar
Getting started with HTTPS | LumoSpark webinar
LumoSpark
 
Https presentation
Https presentationHttps presentation
Https presentation
patel jatin
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
GlobalSign
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
ByronKimani
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
BU
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
Safe netizens
Safe netizensSafe netizens
Safe netizens
Rohit Srivastwa
 
Http vs Https
Http vs HttpsHttp vs Https
Http vs Https
shikherwalia
 
Demystfying secure certs
Demystfying secure certsDemystfying secure certs
Demystfying secure certs
Gary Williams
 
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
Wilco Alsemgeest
 
HTTPS
HTTPSHTTPS
SSL certificates
SSL certificatesSSL certificates
SSL certificates
Kevin OBrien
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
OVHcloud
 
Identity On The Internet
Identity On The InternetIdentity On The Internet
Identity On The Internet
Jon Spriggs
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
CheapSSLUSA
 
jquerySF: https://<your>
jquerySF: https://<your>jquerySF: https://<your>
jquerySF: https://<your>
Emily Stark
 

Similar to Let's Encrypt! Wait. Why? How? - WC Pune (20)

Geek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL AuthenticationGeek Guide: Apache Web Servers and SSL Authentication
Geek Guide: Apache Web Servers and SSL Authentication
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
 
HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??HTTP VS. HTTPS: WHICH IS BETTER??
HTTP VS. HTTPS: WHICH IS BETTER??
 
HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?HTTP vs HTTPS, Do You Really Need HTTPS?
HTTP vs HTTPS, Do You Really Need HTTPS?
 
Getting started with HTTPS | LumoSpark webinar
Getting started with HTTPS | LumoSpark webinar Getting started with HTTPS | LumoSpark webinar
Getting started with HTTPS | LumoSpark webinar
 
Https presentation
Https presentationHttps presentation
Https presentation
 
White paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSLWhite paper - Full SSL automation with OneClickSSL
White paper - Full SSL automation with OneClickSSL
 
TLS - Transport Layer Security
TLS - Transport Layer SecurityTLS - Transport Layer Security
TLS - Transport Layer Security
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
Introduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & SecureIntroduction to SSL and How to Exploit & Secure
Introduction to SSL and How to Exploit & Secure
 
Safe netizens
Safe netizensSafe netizens
Safe netizens
 
Http vs Https
Http vs HttpsHttp vs Https
Http vs Https
 
Demystfying secure certs
Demystfying secure certsDemystfying secure certs
Demystfying secure certs
 
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
JoomlaDay Austria 2016 - Presentation Why and how to use HTTPS on your website!
 
HTTPS
HTTPSHTTPS
HTTPS
 
SSL certificates
SSL certificatesSSL certificates
SSL certificates
 
HTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy TalesHTTPS Explained Through Fairy Tales
HTTPS Explained Through Fairy Tales
 
Identity On The Internet
Identity On The InternetIdentity On The Internet
Identity On The Internet
 
Details about the SSL Certificate
Details about the SSL CertificateDetails about the SSL Certificate
Details about the SSL Certificate
 
jquerySF: https://<your>
jquerySF: https://<your>jquerySF: https://<your>
jquerySF: https://<your>
 

Recently uploaded

[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
hackersuli
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
bseovas
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
Trish Parr
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
vmemo1
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
ysasp1
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
cuobya
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
bseovas
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
Paul Walk
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
fovkoyb
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
uehowe
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
ukwwuq
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
cuobya
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
zoowe
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
SEO Article Boost
 

Recently uploaded (20)

[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024[HUN][hackersuli] Red Teaming alapok 2024
[HUN][hackersuli] Red Teaming alapok 2024
 
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
留学学历(UoA毕业证)奥克兰大学毕业证成绩单官方原版办理
 
Search Result Showing My Post is Now Buried
Search Result Showing My Post is Now BuriedSearch Result Showing My Post is Now Buried
Search Result Showing My Post is Now Buried
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
 
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
重新申请毕业证书(RMIT毕业证)皇家墨尔本理工大学毕业证成绩单精仿办理
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
成绩单ps(UST毕业证)圣托马斯大学毕业证成绩单快速办理
 
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
制作毕业证书(ANU毕业证)莫纳什大学毕业证成绩单官方原版办理
 
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
不能毕业如何获得(USYD毕业证)悉尼大学毕业证成绩单一比一原版制作
 
Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?Should Repositories Participate in the Fediverse?
Should Repositories Participate in the Fediverse?
 
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
存档可查的(USC毕业证)南加利福尼亚大学毕业证成绩单制做办理
 
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
办理毕业证(UPenn毕业证)宾夕法尼亚大学毕业证成绩单快速办理
 
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
制作原版1:1(Monash毕业证)莫纳什大学毕业证成绩单办理假
 
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
可查真实(Monash毕业证)西澳大学毕业证成绩单退学买
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
国外证书(Lincoln毕业证)新西兰林肯大学毕业证成绩单不能毕业办理
 
Understanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdfUnderstanding User Behavior with Google Analytics.pdf
Understanding User Behavior with Google Analytics.pdf
 

Let's Encrypt! Wait. Why? How? - WC Pune

  • 1. LET’S ENCRYPT! WAIT. WHY? HOW? WordCamp Pune | @NancyThanki
  • 2.
  • 4. HTTP PROTOCOL + SECURITY ▸ SSL/TLS ( Secure Sockets Layer / Transport Layer Security) ▸ keeps your passwords, communications, and credit card details safe between your computer and the servers you’re communicating with on the other side. ▸ still speaking in HTTP, but the communication is encrypted and decrypted
  • 5. HOW DOES IT WORK? HELLO —> CERTIFICATE EXCHANGE —> KEY EXCHANGE 1. ClientHello message ▸ aka the information the server needs to connect to the client via SSL ▸ server will respond with a ServerHello i.e. similar info including the cipher suite and version of SSL to be used 2.Certificate Exchange ▸ the server needs to prove its identity via its SSL certificate* ▸ does it either (a) implicitly trust or (b) is it verified by one of many CAs 3. Key Exchange ‣ Encryption via a symmetric algorithm using a single key * the client may also need to prove its identity, but not always
  • 6. WHAT’S THE POINT? ▸ HTTP requests and responses can now be sent through an encrypted plaintext message ▸ i.e. verifies that you’re talking directly to the the server you think you’re talking to ▸ But because only the other side knows how to decrypt this message, Man In The Middle Attackers are unable to read or modify any requests that they may intercept. ▸ i.e. ensures that only that server can read what you send and only you can read what it sends Diffie–Hellman Key Exchange
  • 7. WHILST THE LITTLE GREEN PADLOCK AND THE LETTERS “HTTPS” IN YOUR ADDRESS BAR DON’T MEAN THAT THERE ISN’T STILL AMPLE ROPE FOR BOTH YOU AND THE WEBSITE YOU ARE VIEWING TO HANG YOURSELVES ELSEWHERE, THEY DO AT LEAST HELP YOU COMMUNICATE SECURELY WHILST YOU DO SO.
    Rob Heaton
  • 9.
    ▸ if you see encrypted traffic today, you can generally assume there is a reason.
    ▸ by encrypting everything you give cover to those who need it
    ▸ for example political dissidents
  • 12. FREEDOM OF SOFTWARE*
    * well respected within the WordPress community
  • 16. HOW DOES SSL WORK?
  • 17. HOW DOES SSL WORK? WHY DOES IT PROTECT SENSITIVE INFORMATION?
    1. 2-key encryption
      ▸ the private key and public key are used to agree on a key for this exchange
      ▸ a symmetric algorithm combined with asymmetric encryption
      ▸ anyone can encrypt using the public key, but only the server can decrypt using the private key
    2. digital signature: the certificate is “signed” by another authority
    3. self-signing
  • 18. WHAT IS A “CA”? (AKA CERTIFICATE AUTHORITY)
  • 21. WHAT IS “LET’S ENCRYPT”? SETUP OF A DOMAIN VALIDATION (DV) CERTIFICATE*
    1. Download Let’s Encrypt on your server that has the address www.oohshinywebsite.com:
       sudo apt-get install lets-encrypt
    2. You run it as sudo, telling it you want to get a certificate for your domain:
       lets-encrypt oohshinywebsite.com
    * DV Certificate = “the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.” There are other types of certificates with varying requirements.
  • 23. SHARED HOSTING
    ‣ Bluehost
    ‣ GoDaddy
    ‣ SiteGround
    ‣ WP Engine
    ‣ DreamHost
    ‣ HostGator
    ‣ Big Rock
    ‣ Hosting Raja
    ‣ Hostripples
    ‣ Domain Racer
    ‣ InMotion Hosting
    ‣ LE’s community list
  • 24. HOW TO ENCRYPT YOUR SITE: VPS AND OTHER SERVER SETUPS
    ▸ nginx - https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
    ▸ Apache - https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
    ▸ CentOS vs Debian/Ubuntu - https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
  • 25. WORDPRESS.COM It’s already done. Learn more here and here. Sign up here
  • 27. THE BAD
    ▸ No wildcards, i.e. difficult in multi-server / load-balanced setups
    ▸ Renewal every 90 days
    THE GOOD
    ▸ Easy to set up
    ▸ Free to use
    ▸ Good for single-server setups
  • 28. COMMON ISSUES
    JETPACK
    ▸ change WordPress settings
    ▸ Dashboard > Settings > General
    ▸ site URL, WordPress URL
    GOOGLE SEO
    ▸ your search rankings vs any modicum of care you have for your audience
  • 29. FAQS
  • 30. FAQS
    I SET IT ALL UP. DOES THIS MEAN I WON’T BE HACKED?
    No. Absolutely not.
    WILL IT MAKE MY SITE SLOWER?
    Not really.
    WHAT’S THE DIFFERENCE BETWEEN “LET’S ENCRYPT” AND PAID SSL CERTIFICATES?
    Nothing technically. But within things like PR or insurance… kinda.
  • 32. COMMON MISCONCEPTIONS*
    AUTHENTICATION
    “A proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to a criminal’s server.”
    INTEGRITY
    “because it’s now over HTTPS, and you’re protecting against MITM attacks you can be assured that the information is in fact the information you’re meant to get.”
    ENCRYPTION
    “it encrypts the information as it’s being transferred from the browser to the web server. This is known as encryption in transit, and talks to nothing about encryption at rest.”
    * Read Tony Perez’s article :)
  • 33. COMMON MISCONCEPTIONS*
    PHISHING
    if the website housing the phishing page has https, and it is verified, it will show the user that lovely green padlock.
    NATION STATE ATTACKS
    “My advice, assume everything you do online — HTTPS or HTTP — is being monitored.”
    IN CONCLUSION
    It’s definitely a critical piece of the overarching security wheel associated with website security, but it’s not going to stop websites from getting hacked, the distribution of malware or keep website owners safe.
    * Read Tony Perez’s article :)
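Slides 17, 18, 21, 27, 32 and 33 describe the same machinery from different angles: a CA signs a certificate for a domain, the browser checks that signature against the CAs it trusts and compares the certificate's name with the URL, a Let's Encrypt certificate lives 90 days, and a valid certificate proves you reached the named server, not that the server is honest. The Go program below is an added example (it is not from the slides and is not Let's Encrypt's or certbot's code) that walks through all of that offline: it generates a constructed private root CA in memory, has it sign a 90-day certificate for the slides' hypothetical oohshinywebsite.com, runs the browser-side chain and hostname checks in the three outcomes that matter (trusted CA, untrusted signer as with a self-signed certificate, right CA but wrong name as on a phishing site), computes the days left that a renewal job would watch, and completes a real TLS handshake between an in-process client and server over an in-memory pipe. The CA name, the message text and the one-minute back-dating of NotBefore are choices made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hostname from slide 21; every key and certificate below is generated in memory (a constructed PKI).
const siteName = "oohshinywebsite.com"

// issueCert signs tmpl under parent; with parent == nil it is self-signed and vouches only for itself.
func issueCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// buildPKI plays the CA's part: a self-signed root signs a 90-day certificate for siteName.
func buildPKI(now time.Time) (*x509.Certificate, *x509.Certificate, *ecdsa.PrivateKey, error) {
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := issueCert(caTmpl, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: siteName},
		DNSNames:  []string{siteName}, // the name a browser compares with the URL it was given
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(90 * 24 * time.Hour), // Let's Encrypt lifetime
		KeyUsage:  x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, leafKey, err := issueCert(leafTmpl, ca, caKey)
	return ca, leaf, leafKey, err
}

// verifyChain is the browser's check: a CA in roots vouches for leaf, it is in date, and it names host.
func verifyChain(leaf *x509.Certificate, roots *x509.CertPool, host string, now time.Time) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host, CurrentTime: now})
	return err
}

// daysLeft is the number a renewal job watches; a fresh 90-day certificate starts at 90.
func daysLeft(cert *x509.Certificate, now time.Time) int {
	return int(cert.NotAfter.Sub(now).Round(24*time.Hour) / (24 * time.Hour))
}

// handshake runs a real TLS handshake over an in-memory pipe; the client trusts only roots, like a browser.
func handshake(leaf *x509.Certificate, leafKey *ecdsa.PrivateKey, roots *x509.CertPool) (uint16, string, error) {
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}},
		SessionTicketsDisabled: true, // net.Pipe is synchronous; an unread post-handshake ticket would stall it
	}
	cliEnd, srvEnd := net.Pipe()
	go func() {
		defer srvEnd.Close()
		s := tls.Server(srvEnd, serverCfg)
		if s.Handshake() == nil { // reached only once the client has accepted our certificate
			s.Write([]byte("hello over TLS"))
		}
	}()
	defer cliEnd.Close()
	c := tls.Client(cliEnd, &tls.Config{ServerName: siteName, RootCAs: roots})
	if err := c.Handshake(); err != nil {
		return 0, "", err
	}
	buf := make([]byte, 64)
	n, err := c.Read(buf)
	return c.ConnectionState().Version, string(buf[:n]), err
}

func main() {
	now := time.Now()
	ca, leaf, leafKey, err := buildPKI(now)
	if err != nil {
		panic(err)
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	fmt.Println("trusted CA:", verifyChain(leaf, trusted, siteName, now), "| untrusted signer:", verifyChain(leaf, x509.NewCertPool(), siteName, now))
	fmt.Println("wrong name:", verifyChain(leaf, trusted, "other-site.example", now), "| days left:", daysLeft(leaf, now))
	fmt.Println(handshake(leaf, leafKey, trusted))
}
```

The two failure outcomes are the ones the misconception slides turn on: with an empty trust store the chain check fails exactly as it does for a self-signed certificate, and with the right CA but another hostname it fails the way a certificate for a look-alike domain fails for the real one. A phishing site with its own valid certificate passes both checks for its own name, which is why the padlock says nothing about the site's intent.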
  • 35. SOURCES
    ▸ http://robertheaton.com/2014/03/27/how-does-https-actually-work/
    ▸ http://security.stackexchange.com/questions/11464/getting-a-root-ca-accepted-in-systems-and-browsers
    ▸ http://robertheaton.com/2015/04/06/the-ssl-freak-vulnerability/
    ▸ https://blog.hartleybrody.com/https-certificates/
    ▸ https://www.cryptologie.net/article/274/lets-encrypt-overview/
    ▸ https://letsencrypt.org/getting-started/
    ▸ https://www.youtube.com/watch?v=OZyXx8Ie4pA
    ▸ https://www.globalsign.com/en/ssl-information-center/types-of-ssl-certificate/
    ▸ https://medium.com/@kevinsimper/review-of-getting-free-https-with-let-s-encrypt-5515f74be5f6#.5qzjv4bc8
    ▸ https://perezbox.com/2015/07/https-does-not-secure-your-website/
  • 36. JOIN AUTOMATTIC
    ▸ Send your application - http://automattic.com/work-with-us
    ▸ Want more information?
    ▸ You are welcome at our booth
  • 37. COME WORK WITH US!
    ▸ Be a part of products that power over 27% of the web
    ▸ Collaborate with and learn from over 500+ colleagues in 60+ countries
    ▸ Set work hours that are convenient for you and your family
    ▸ Earn a globally competitive salary while living in India
    ▸ Travel a few times a year to meet your team, and engage with the wider WordPress community
    ▸ Apply at http://automattic.com/work-with-us
    ▸ Want to learn more?
    ▸ Come chat with us at our booth!