SlideShare a Scribd company logo

Secure Your Website & Email with Free SSL/TLS

Wendy Knox Everette
Wendy Knox Everette

How do you give your personal domain a green "Secure" lock? Can you prevent your domain from being used for spam and phishing emails? This talk is a little different from most "crypto" talks - it's not about how some neat new encryption algorithm works, or writing code. Instead, it's about how to use the awesome crypto tools already available to make your online presence more secure. This talk came out of my frustration with tutorials online for setting up my personal website domain with TLS and my email domain with DMARC/DKIM/SPF. We'll walk through how to use free services to serve a website over TLS and how to configure a personal email domain to block it from being used to send spam and phishing emails.

Internet
1 of 53
Download to read offline
GREEN LOCKS FORYOU & ME Wendy Knox Everette Senior Security Advisor, Leviathan Security Group @wendyck Crypto & PrivacyVillage, Def Con 26
WEBSITES WITHOUT HTTPS Chrome now labels these as “not secure”
https://www.blog.google/products/chrome/milestone-chrome-security-marking-http-not-secure/
SITES WITH HTTPS Green lock indicating SSL
HOW DO I SECURE MY WEBSITE? • Lets Encrypt and Cloudflare are two of the services offering free certificates to websites • Both work well with Github pages, which is what this talk will demonstrate • There are lots of other hosting options like WordPress as well
CLOUDFLARE FREE ACCOUNT CERTIFICATE
SETTING UPTHE CERTIFICATE AND DOMAIN • Github PagesTLS with custom domains announcement: https://blog.github.com/ 2018-05-01-github-pages-custom-domains-https/ • Directions: https://help.github.com/articles/using-a- custom-domain-with-github-pages/
Create your repo: [USERNAME].github.io
Check out the repo to your local machine (I like GitHub Desktop) create a index.html (your homepage!) and any other webpage files
Create a new text file named CNAME at the root of the repo and put your domain name into it
Go to the Settings for your new repo and scroll down to custom domain
Apex Domain DNS Configuration: Create configure an ALIAS, ANAME, or A record at your DNS provider
Set the “A” record values to be the IP addresses that GitHub provides in their help pages (https://help.github.com/articles/setting-up-an-apex- domain/)
NEXT… SOYOU HAVE EMAIL ON YOUR PERSONAL DOMAIN: HOW DO PREVENT IT FROM BEING SPOOFED?
DO I NEEDTO DOTHIS? I'd assumed at first that since I was using Google Apps Gmail for my email that it couldn't be used to spoof.Turns out I was wrong
SPF - SENDER PERMITTED FROM • https://blog.returnpath.com/how-to-explain-spf-in- plain-english/ • Lets a domain owner specify the only IP addresses that can send email for that domain • Up to recipients to check for matches
DKIM - DOMAINKEYS IDENTIFIED MAIL • https://blog.returnpath.com/how-to-explain-dkim-in-plain- english-2/ • Allows us to cryptographically sign our emails! the elements of the email to be signed are encrypted with our private key. • Public key to decrypt is available in DNS • Unfortunately not really widely adopted yet - but GSuite supports it
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wendyk.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=dir909v+lNJ4mjzATO5fmgeXWdFzN6n+JNkPLtuxBcOeTF4JYYhMQR6s7JwN7k3/ou 67gPvacuG7ZZAn5v5aMv8TOI06XFCXv71CowSwfDz8rbF7B57RvoW5aog/vpy3s1/lPr hMT9Kk3MULXbJQF48Qv/LbpMRsJDzlIizpgIxxrgDjZyKH4oWxZlLfOl2g4FGBjNv5I3 wHmQu/Ewgm040IsC4kGvXyFEKG2Yvw6U5BV1auM0UCZKKk/MuncvQcKAVmEnfUPUarsS ioGBrncFJf4d2AEtGW18JXqnGNvfK2ZqB922hYLsxOcaMb6+tAWaXNUcBaym48xCgSpC k+FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=G7F+urifcvii9E+0NH7fn86HjxzcpLkDtU6VFW/grlFM7v17RsMdGjb7JfIHujJzy4 sCywy2zRTodm5/erlaYBpvPlHNDZzKIJzOS+Ti/giwuRDd7usuybQdEFE+9FU+zO3xiL fwe2rSG0FsExe9LHR1arJaavE4oM12rKjC0BBuFgvcIyAnWEA3LIDK8BStXFD6F0OvvJ AftnZiR++4+zbBo0af9olLMVBIcdQD/Y1Z4F56CZu3nsozlTraRbd7P7ihgES+4EUueh gRjU02zfnIgXCR1XqG8UpLpDFNYN3KvNvxG96ppuNrxtVUM4Gfagc3s8LGfbSTNP/FQV O8mQ==
DMARC - DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE • Builds on DKIM & SPF • Ensures spoofed emails are blocked
https://dmarc.org/overview/
SETTING UPYOUR DOMAIN • If you’re on GSuite: https://support.google.com/a/ answer/174124?hl=en • https://www.dmarcanalyzer.com/how-to-create-a- dmarc-record/
SET UP NAME SERVERS • If you’re using Cloudflare, point to their DNS servers, and configure there
CLOUDFLARE FREE PLAN • Once you’re signed up on Cloudflare, we will add some DNS records • We’re going to make 3TXT records to set up DMARC/ DKIM/SPF
GENERATE DKIM PUBLIC KEYS • This is will go into your DNS settings in aTXT record • For GSuite, go to the admin dashboard, then Apps (in the left sidebar) > Gmail > Authenticate email
CREATETXT RECORD • Name of theTXT record will be “google._domainkey” • Value will be the full contents of the string that starts with “v=DKIM1; k=rsa; p=…..”
CLOUDFLARE DNS ENTRY SelectTXT from the dropdown
DKIM DNS ENTRY ON CLOUDFLARE
DKIMTAGS https://us.dmarcian.com/dkim-inspector/
ENTER SPF SETTINGS Create an SPF record for your domain: https://support.google.com/a/answer/33786?hl=en
NOW WE’RE READYTO SET UP DMARC DOMAIN KEYS
SIGN UP FOR DMARCIAN https://dmarcian.com/register/
ADD DMARC SECTION
DMARC OPTIONS
POLICY SETTINGS • Directions: https://dmarcian.com/start-dmarc/ • Start with p=none - this will give you reporting with no action taken on emails. Important so you don’t block all your emails • once that works, move to p=quarantine • Can then move to p=reject
REPORTING DMARC DATA • This is where reports of failures are sent. Can be any valid email address. • If we send reporting to a DMarcian email, will show up in your DMarcian account • rua=mailto:ditp3aec@ag.dmarcian.com
This is complicated! How do I build this string? https://dmarcian.com/dmarc-record-wizard/
VIEWINGYOUR DMARC REPORTS
REPORTS • You could provide your own email in the “rua” tag to receive reports & crunch your own graphs…. • Or we can send reports to DMarcian and use their tools.You can see reports on DMarcian’s Monitor tab • Sources shows where email sent with your domain is from • Threat/Unknown are emails from servers that don’t match your SPF/DKIM settings
TROUBLESHOOTING • DMarcian’s Issues tab under “Monitor” is very helpful
IFYOU RUN YOUR OWN MAIL SERVER
MTA STRICTTRANSPORT SECURITY (MTA-STS) • Allows domains to require authentication andTLS encryption for SMTP
START-TLS • Allows your mail server to protect against downgrades • https://starttls-everywhere.org/ • Creating a list of email servers that useTLS
MORE RESOURCES • https://www.ftc.gov/news-events/blogs/business-blog/2017/03/ want-stop-phishers-use-email-authentication • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ • https://zakird.com/papers/mail.pdf

Recommended

SeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeSeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeWendy Knox Everette
 
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...Paul Thompson
 
How to send or share a ginormous 1GB file to clients without sweating using D...
How to send or share a ginormous 1GB file to clients without sweating using D...How to send or share a ginormous 1GB file to clients without sweating using D...
How to send or share a ginormous 1GB file to clients without sweating using D...Rachel Lim
 
How to migrate your blog from Wordpress to HubSpot
How to migrate your blog from Wordpress to HubSpotHow to migrate your blog from Wordpress to HubSpot
How to migrate your blog from Wordpress to HubSpotVu Long Tran
 
How to connect your subdomains to HubSpot
How to connect your subdomains to HubSpotHow to connect your subdomains to HubSpot
How to connect your subdomains to HubSpotVu Long Tran
 
How to use slide share
How to use slide shareHow to use slide share
How to use slide shareRachel Lim
 
Connect Google Drive Account with Yahoo Mail.
Connect Google Drive Account with Yahoo Mail.Connect Google Drive Account with Yahoo Mail.
Connect Google Drive Account with Yahoo Mail.anabela8900
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
 

Recommended

SeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeSeaSec East: Green Locks For You & Me
SeaSec East: Green Locks For You & MeWendy Knox Everette
 
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...
Migrating Your WordPress Site to HTTPS - Getting it right the first time Word...Paul Thompson
 
How to send or share a ginormous 1GB file to clients without sweating using D...
How to send or share a ginormous 1GB file to clients without sweating using D...How to send or share a ginormous 1GB file to clients without sweating using D...
How to send or share a ginormous 1GB file to clients without sweating using D...Rachel Lim
 
How to migrate your blog from Wordpress to HubSpot
How to migrate your blog from Wordpress to HubSpotHow to migrate your blog from Wordpress to HubSpot
How to migrate your blog from Wordpress to HubSpotVu Long Tran
 
How to connect your subdomains to HubSpot
How to connect your subdomains to HubSpotHow to connect your subdomains to HubSpot
How to connect your subdomains to HubSpotVu Long Tran
 
How to use slide share
How to use slide shareHow to use slide share
How to use slide shareRachel Lim
 
Connect Google Drive Account with Yahoo Mail.
Connect Google Drive Account with Yahoo Mail.Connect Google Drive Account with Yahoo Mail.
Connect Google Drive Account with Yahoo Mail.anabela8900
 
An Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsAn Introduction To The DMARC SMTP Validation Requirements
An Introduction To The DMARC SMTP Validation RequirementsGabriella Davis
 
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...DTM Security
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Railsibelmonte
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2BCamp
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 
Protect your domain with DMARC
Protect your domain with DMARCProtect your domain with DMARC
Protect your domain with DMARCContactlab
 
Subdomain Takeover
Subdomain TakeoverSubdomain Takeover
Subdomain TakeoverAkshayPandurangi
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARCKurt Andersen
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaborationGuus Disselkoen
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Darren Duke
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controlsjasonholtzapple
 
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011Georgiana Laudi
 
Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Lynn Dye
 
Listening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaignsListening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaignsDigital Megaphone
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis
 
Kamaelia Grey
Kamaelia GreyKamaelia Grey
Kamaelia Greykamaelian
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Meghan Weinreich
 
FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)Wendy Knox Everette
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Wendy Knox Everette
 

More Related Content

Similar to Secure Your Website & Email with Free SSL/TLS

MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE - ATT&CKcon
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...DTM Security
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Railsibelmonte
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2BCamp
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 
Protect your domain with DMARC
Protect your domain with DMARCProtect your domain with DMARC
Protect your domain with DMARCContactlab
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARCKurt Andersen
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaborationGuus Disselkoen
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Darren Duke
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac DawsonCODE BLUE
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controlsjasonholtzapple
 
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011Georgiana Laudi
 
Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Lynn Dye
 
Listening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaignsListening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaignsDigital Megaphone
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expertRoyce Davis
 
Kamaelia Grey
Kamaelia GreyKamaelia Grey
Kamaelia Greykamaelian
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutionsNick Owen
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Meghan Weinreich
 

Similar to Secure Your Website & Email with Free SSL/TLS (20)

MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
MITRE ATT&CKcon 2018: Playing Devil’s Advocate to Security Initiatives with A...
 
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
@dtmsecurity Mitre ATT&CKcon - Playing Devil's Advocate to Security Initiativ...
 
Massive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on RailsMassive emailing with Linux, Postfix and Ruby on Rails
Massive emailing with Linux, Postfix and Ruby on Rails
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
B2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the InboxB2B Email Deliverability - Getting to the Inbox
B2B Email Deliverability - Getting to the Inbox
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 
Protect your domain with DMARC
Protect your domain with DMARCProtect your domain with DMARC
Protect your domain with DMARC
 
Subdomain Takeover
Subdomain TakeoverSubdomain Takeover
Subdomain Takeover
 
Fighting Email Abuse with DMARC
Fighting Email Abuse with DMARCFighting Email Abuse with DMARC
Fighting Email Abuse with DMARC
 
2010 5 xpg collaboration
2010 5 xpg collaboration2010 5 xpg collaboration
2010 5 xpg collaboration
 
Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015Domino Security - not knowing is not an option - MWLUG 2015
Domino Security - not knowing is not an option - MWLUG 2015
 
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
[CB16] 80時間でWebを一周:クロムミウムオートメーションによるスケーラブルなフィンガープリント by Isaac Dawson
 
Ubuntu And Parental Controls
Ubuntu And Parental ControlsUbuntu And Parental Controls
Ubuntu And Parental Controls
 
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
Moving from Wordpress.com to Wordpress.org - Wordcamp Toronto 2011
 
Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!Http to Https Get your WordPress website Compliant!
Http to Https Get your WordPress website Compliant!
 
Listening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaignsListening to social signals to adjust your marketing campaigns
Listening to social signals to adjust your marketing campaigns
 
So you want to be a security expert
So you want to be a security expertSo you want to be a security expert
So you want to be a security expert
 
Kamaelia Grey
Kamaelia GreyKamaelia Grey
Kamaelia Grey
 
Securing Network Access with Open Source solutions
Securing Network Access with Open Source solutionsSecuring Network Access with Open Source solutions
Securing Network Access with Open Source solutions
 
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
Don't Get Schooled: Performance and Security Tips from a Leading Education Sa...
 

More from Wendy Knox Everette

FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)Wendy Knox Everette
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Wendy Knox Everette
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Wendy Knox Everette
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Wendy Knox Everette
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"Wendy Knox Everette
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherWendy Knox Everette
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Wendy Knox Everette
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Wendy Knox Everette
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaWendy Knox Everette
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Wendy Knox Everette
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Wendy Knox Everette
 

More from Wendy Knox Everette (12)

FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)FedRAMP Is Broken (And here's how to fix it)
FedRAMP Is Broken (And here's how to fix it)
 
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
Weaponizing Your Fitness Tracker Against You_ Health, Fitness, & Location Tra...
 
Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021Lets talk about soc2s, baby! BSidesLV 2021
Lets talk about soc2s, baby! BSidesLV 2021
 
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
Vendors, and Risk, and Tigers, and Bears, Oh My: How to Create a Vendor Revie...
 
BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"BSidesPDX "An update from the crypto wars 2.0"
BSidesPDX "An update from the crypto wars 2.0"
 
Security engineering 101 when good design & security work together
Security engineering 101 when good design & security work togetherSecurity engineering 101 when good design & security work together
Security engineering 101 when good design & security work together
 
Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019Incident Response and the Attorney Client Privilege - ShmooCon 2019
Incident Response and the Attorney Client Privilege - ShmooCon 2019
 
Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018Meet the hackers: Seattle Tech Law CLE December 2018
Meet the hackers: Seattle Tech Law CLE December 2018
 
An Encyclopedia of Wiretaps
An Encyclopedia of WiretapsAn Encyclopedia of Wiretaps
An Encyclopedia of Wiretaps
 
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides NovaFingerprints, Passcodes, and Self Incrimination - BSides Nova
Fingerprints, Passcodes, and Self Incrimination - BSides Nova
 
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
Regulatory Nets vs the Fishing Hook of Litigation - BSides Las Vegas 2017
 
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
Security Vulnerabilities, the Current State of Consumer Protection Law, & how...
 

Recently uploaded

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024APNIC
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Delhi Call girls
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersDamian Radcliffe
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Roomgirls4nights
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts servicevipmodelshub1
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girladitipandeya
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...aditipandeya
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Servicesexy call girls service in goa
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirtrahman018755
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Roomdivyansh0kumar0
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607dollysharma2066
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024APNIC
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Callshivangimorya083
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝soniya singh
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsstephieert
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 

Recently uploaded (20)

DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
Best VIP Call Girls Noida Sector 75 Call Me: 8448380779
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With RoomVIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
VIP Kolkata Call Girls Salt Lake 8250192130 Available With Room
 
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts serviceChennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
Chennai Call Girls Alwarpet Phone 🍆 8250192130 👅 celebrity escorts service
 
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call GirlVIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
VIP 7001035870 Find & Meet Hyderabad Call Girls LB Nagar high-profile Call Girl
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
VIP 7001035870 Find & Meet Hyderabad Call Girls Dilsukhnagar high-profile Cal...
 
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine ServiceHot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
Hot Service (+9316020077 ) Goa Call Girls Real Photos and Genuine Service
 
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No AdvanceRohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
Rohini Sector 6 Call Girls Delhi 9999965857 @Sabina Saikh No Advance
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya ShirtChallengers I Told Ya Shirt
Challengers I Told Ya ShirtChallengers I Told Ya Shirt
 
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With RoomVIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
VIP Kolkata Call Girl Dum Dum 👉 8250192130 Available With Room
 
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
FULL ENJOY Call Girls In Mayur Vihar Delhi Contact Us 8377087607
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip CallDelhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
Delhi Call Girls Rohini 9711199171 ☎✔👌✔ Whatsapp Hard And Sexy Vip Call
 
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Model Towh Delhi 💯Call Us 🔝8264348440🔝
 
Radiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girlsRadiant Call girls in Dubai O56338O268 Dubai Call girls
Radiant Call girls in Dubai O56338O268 Dubai Call girls
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 

Secure Your Website & Email with Free SSL/TLS

  • 1. GREEN LOCKS FORYOU & ME Wendy Knox Everette Senior Security Advisor, Leviathan Security Group @wendyck Crypto & PrivacyVillage, Def Con 26
  • 2. WEBSITES WITHOUT HTTPS Chrome now labels these as “not secure”
  • 4. SITES WITH HTTPS Green lock indicating SSL
  • 5.
  • 6. HOW DO I SECURE MY WEBSITE? • Lets Encrypt and Cloudflare are two of the services offering free certificates to websites • Both work well with Github pages, which is what this talk will demonstrate • There are lots of other hosting options like WordPress as well
  • 8. SETTING UPTHE CERTIFICATE AND DOMAIN • Github PagesTLS with custom domains announcement: https://blog.github.com/ 2018-05-01-github-pages-custom-domains-https/ • Directions: https://help.github.com/articles/using-a- custom-domain-with-github-pages/
  • 9. Create your repo: [USERNAME].github.io
  • 10. Check out the repo to your local machine (I like GitHub Desktop) create a index.html (your homepage!) and any other webpage files
  • 11. Create a new text file named CNAME at the root of the repo and put your domain name into it
  • 12. Go to the Settings for your new repo and scroll down to custom domain
  • 13. Apex Domain DNS Configuration: Create configure an ALIAS, ANAME, or A record at your DNS provider
  • 14. Set the “A” record values to be the IP addresses that GitHub provides in their help pages (https://help.github.com/articles/setting-up-an-apex- domain/)
  • 15.
  • 16. NEXT… SOYOU HAVE EMAIL ON YOUR PERSONAL DOMAIN: HOW DO PREVENT IT FROM BEING SPOOFED?
  • 17. DO I NEEDTO DOTHIS? I'd assumed at first that since I was using Google Apps Gmail for my email that it couldn't be used to spoof.Turns out I was wrong
  • 18. SPF - SENDER PERMITTED FROM • https://blog.returnpath.com/how-to-explain-spf-in- plain-english/ • Lets a domain owner specify the only IP addresses that can send email for that domain • Up to recipients to check for matches
  • 19. DKIM - DOMAINKEYS IDENTIFIED MAIL • https://blog.returnpath.com/how-to-explain-dkim-in-plain- english-2/ • Allows us to cryptographically sign our emails! the elements of the email to be signed are encrypted with our private key. • Public key to decrypt is available in DNS • Unfortunately not really widely adopted yet - but GSuite supports it
  • 20. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=wendyk.org; s=google; h=mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=dir909v+lNJ4mjzATO5fmgeXWdFzN6n+JNkPLtuxBcOeTF4JYYhMQR6s7JwN7k3/ou 67gPvacuG7ZZAn5v5aMv8TOI06XFCXv71CowSwfDz8rbF7B57RvoW5aog/vpy3s1/lPr hMT9Kk3MULXbJQF48Qv/LbpMRsJDzlIizpgIxxrgDjZyKH4oWxZlLfOl2g4FGBjNv5I3 wHmQu/Ewgm040IsC4kGvXyFEKG2Yvw6U5BV1auM0UCZKKk/MuncvQcKAVmEnfUPUarsS ioGBrncFJf4d2AEtGW18JXqnGNvfK2ZqB922hYLsxOcaMb6+tAWaXNUcBaym48xCgSpC k+FQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=J4wOdPKBCGKDJu2gipRt6L/Ys5LW5rWG1r1oeQZ/Woo=; b=G7F+urifcvii9E+0NH7fn86HjxzcpLkDtU6VFW/grlFM7v17RsMdGjb7JfIHujJzy4 sCywy2zRTodm5/erlaYBpvPlHNDZzKIJzOS+Ti/giwuRDd7usuybQdEFE+9FU+zO3xiL fwe2rSG0FsExe9LHR1arJaavE4oM12rKjC0BBuFgvcIyAnWEA3LIDK8BStXFD6F0OvvJ AftnZiR++4+zbBo0af9olLMVBIcdQD/Y1Z4F56CZu3nsozlTraRbd7P7ihgES+4EUueh gRjU02zfnIgXCR1XqG8UpLpDFNYN3KvNvxG96ppuNrxtVUM4Gfagc3s8LGfbSTNP/FQV O8mQ==
  • 21. DMARC - DOMAIN-BASED MESSAGE AUTHENTICATION, REPORTING & CONFORMANCE • Builds on DKIM & SPF • Ensures spoofed emails are blocked
  • 23. SETTING UPYOUR DOMAIN • If you’re on GSuite: https://support.google.com/a/ answer/174124?hl=en • https://www.dmarcanalyzer.com/how-to-create-a- dmarc-record/
  • 24. SET UP NAME SERVERS • If you’re using Cloudflare, point to their DNS servers, and configure there
  • 25. CLOUDFLARE FREE PLAN • Once you’re signed up on Cloudflare, we will add some DNS records • We’re going to make 3TXT records to set up DMARC/ DKIM/SPF
  • 26. GENERATE DKIM PUBLIC KEYS • This is will go into your DNS settings in aTXT record • For GSuite, go to the admin dashboard, then Apps (in the left sidebar) > Gmail > Authenticate email
  • 27.
  • 28. CREATETXT RECORD • Name of theTXT record will be “google._domainkey” • Value will be the full contents of the string that starts with “v=DKIM1; k=rsa; p=…..”
  • 29. CLOUDFLARE DNS ENTRY SelectTXT from the dropdown
  • 30. DKIM DNS ENTRY ON CLOUDFLARE
  • 32. ENTER SPF SETTINGS Create an SPF record for your domain: https://support.google.com/a/answer/33786?hl=en
  • 33. NOW WE’RE READYTO SET UP DMARC DOMAIN KEYS
  • 34. SIGN UP FOR DMARCIAN https://dmarcian.com/register/
  • 37.
  • 38. POLICY SETTINGS • Directions: https://dmarcian.com/start-dmarc/ • Start with p=none - this will give you reporting with no action taken on emails. Important so you don’t block all your emails • once that works, move to p=quarantine • Can then move to p=reject
  • 39. REPORTING DMARC DATA • This is where reports of failures are sent. Can be any valid email address. • If we send reporting to a DMarcian email, will show up in your DMarcian account • rua=mailto:ditp3aec@ag.dmarcian.com
  • 40. This is complicated! How do I build this string? https://dmarcian.com/dmarc-record-wizard/
  • 42. REPORTS • You could provide your own email in the “rua” tag to receive reports & crunch your own graphs…. • Or we can send reports to DMarcian and use their tools.You can see reports on DMarcian’s Monitor tab • Sources shows where email sent with your domain is from • Threat/Unknown are emails from servers that don’t match your SPF/DKIM settings
  • 43.
  • 44.
  • 45.
  • 46.
  • 47.
  • 48.
  • 49. TROUBLESHOOTING • DMarcian’s Issues tab under “Monitor” is very helpful
  • 50. IFYOU RUN YOUR OWN MAIL SERVER
  • 51. MTA STRICTTRANSPORT SECURITY (MTA-STS) • Allows domains to require authentication andTLS encryption for SMTP
  • 52. START-TLS • Allows your mail server to protect against downgrades • https://starttls-everywhere.org/ • Creating a list of email servers that useTLS
  • 53. MORE RESOURCES • https://www.ftc.gov/news-events/blogs/business-blog/2017/03/ want-stop-phishers-use-email-authentication • https://blog.returnpath.com/how-to-explain-spf-in-plain-english/ • https://blog.returnpath.com/how-to-explain-dkim-in-plain-english-2/ • https://blog.returnpath.com/how-to-explain-dmarc-in-plain-english/ • https://zakird.com/papers/mail.pdf