
SBA Live Academy - Using HTTPS by Default: How Web Servers Can Make the Web More Secure by Matthew Holt

Target Group: Developers, IT operations, DevOps
Focus: technical
Language: English

Abstract
*********
Eventually, browsers and other Web clients will require all sites to use TLS. But turning on properly-configured TLS is not as simple as flipping a switch… unless your server does it automatically and by default. This talk briefly goes over how that is possible and what kind of usable security we should expect from all web servers in this decade.

About the Speaker:
*********************
Matt Holt (B.S. & M.S. Computer Science, Brigham Young University) is a software engineer with special expertise in TLS deployment and automation. He is the author of the Caddy web server, the only server to use HTTPS by default, which has over 25 million downloads and has secured and served trillions of HTTPS requests since 2014. When he's not coding stuff with his bare hands, you can find him rock climbing or bicycling.


  1. HTTPS by Default: How Caddy Makes the Web More Secure. Matt Holt. (Go Gopher by Renee French, derivative works by Deise Misiuk.)
  2. ACME: Automated Certificate Management Environment.
  3. Transport Layer Security
     Confidentiality: a guarantee that the data stays private in transit. (✔ self-signed)
     Integrity: a guarantee that the data is not modified in transit. (✔ self-signed)
     Authenticity: a guarantee that your connection is with the intended party. (✖ self-signed, ✔ third-party)
  4. The manual process: Generate private key; Generate CSR; Secure key; Order SSL certificate; Paste CSR into online form; Choose an email address; Wait for email; Click link in email; Wait for another email; Download certificate; Concat into bundle; Upload bundle to server; Configure server to use cert and key; Reload configuration. Don't forget to renew it... and don't mess up.
  5. The same list of steps as slide 4, labelled: Non-automatable.
  6. The same list of steps as slide 4, labelled: Extra attack/error surface.
  7. With ACME: Generate private key; Generate CSR; Solve ACME challenge; Download certificate bundle; Use cert and key. ACME: simpler and automated.
  8. The 3 ACME Challenges: (1) HTTP on :80, (2) TLS-ALPN on :443, (3) DNS. (Diagram: ACME server (CA), DNS server, your server.)
  9. HTTP Challenge (HTTP :80): serves a resource at a special URI on the host.
     ● Requires port 80
     ● Must be accessible from outside
     ● Can be done manually
     ✔ No config required (usually)
  10. TLS-ALPN Challenge (TLS-ALPN :443): negotiates a special TLS handshake.
     ● Requires port 443
     ● Must be accessible from outside
     ● Tedious to perform manually
     ✔ No config required (usually)
  11. DNS Challenge: sets a special TXT record in the zone file.
     ● No open listeners; works behind proxies & LB
     ● Can be done manually
     ● Can be automated with DNS provider's API
     ● Some providers are slow to apply changes
     ✖ Requires DNS provider credentials (easy)
  12. Minimum Required Config
     Required inputs: ● Domain name
     Optional inputs: ● Email address ● A few crypto details
  13. Enough talking. More live demoing.
  14. Production Challenges: ✅ Rate limiting ✅ Failed validations ✅ Revocations ✅ Infrastructure outages ✅ Customer domains ✅ OCSP problems ✅ Misconfigured storage ✅ Fleet coordination ✅ Millions of domains. ✅ = Caddy handles it (external scripts/tools… don't).
  15. Next Monday, probably. Thank you! :) https://caddyserver.com
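As an added example (not from the talk and not Caddy's own code): a minimal Go responder for the HTTP challenge described on slides 8 and 9, answering the CA's validation request at the ACME well-known URI on port 80 for tokens the ACME client registered, and redirecting every other plaintext request to HTTPS. The challengeServer type, the thumbprint helper and the demo token are this example's own assumptions; it only handles P-256 account keys.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"log"
	"net/http"
	"strings"
)

// jwkThumbprint is the RFC 7638 thumbprint of a P-256 account key: SHA-256 over the canonical JWK JSON.
func jwkThumbprint(pub *ecdsa.PublicKey) string {
	x := base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32))) // fixed 32-byte coordinates
	y := base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// challengeServer is the port-80 handler: it answers HTTP-01 for registered tokens and redirects the rest.
type challengeServer struct {
	thumbprint string          // jwkThumbprint of the ACME account key
	tokens     map[string]bool // challenge tokens awaiting validation (filled in before serving)
}

func (s *challengeServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	const prefix = "/.well-known/acme-challenge/"
	if !strings.HasPrefix(r.URL.Path, prefix) { // not a validation: port 80 only redirects to HTTPS
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusPermanentRedirect)
		return
	}
	token := strings.TrimPrefix(r.URL.Path, prefix)
	if !s.tokens[token] { // never answer for a challenge we did not request
		http.NotFound(w, r)
		return
	}
	w.Header().Set("Content-Type", "application/octet-stream")
	fmt.Fprint(w, token+"."+s.thumbprint) // key authorization (RFC 8555 §8.1): token "." thumbprint
}

func main() {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // demo account key; a real client persists it
	if err != nil {
		log.Fatal(err)
	}
	log.Fatal(http.ListenAndServe(":80", &challengeServer{jwkThumbprint(&key.PublicKey), map[string]bool{"constructed-demo-token": true}}))
}
```

The coordinates are padded to 32 bytes because the canonical JWK must keep leading zero bytes; dropping them changes the thumbprint and the CA rejects the key authorization.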
