Security is important
Confidentiality: Prevent spying on what you're doing.
Privacy: Prevent injected tracking cookies
Integrity: Prevent injected advertising
Authenticity: Ensure you're talking to the real site and not part of a DDoS
Security needs to be everywhere
You use SSH and not telnet to log into your routers (right?)
What about email servers, LDAP, IRC, Message Systems etc…
(Pretty much anything with a FQDN)
You’re using TLS for all those things ...right?
Security needs to be more ubiquitous
58% of Firefox pageviews are not secure
45% of inbound SMTP connections to Gmail are not secure
Hundreds of thousands of routers with insecure web interfaces out there:
But setting up security is hard
Usually the default settings are OK, but then you have to get a certificate
First fill out a web form…
… then pay for it ...
... then prove you own the domain
If you're lucky, you might get to use a proprietary API
If you’re unlucky, you’ll forget to renew
Let’s make it easy to be secure
Let’s Encrypt: A new certificate authority
Let’s Encrypt is pioneering a new way to do certificates:
Free of charge: Funded by the whole industry
Automatic: No web forms, just a standard API
Transparent: All of the certs are publicly logged
Open source: All the code is on GitHub
Major Sponsors:
[[ your name here]]
Automating certificates
The way you get a certificate is to use an HTTP-based API called ACME
Two basic steps to the protocol:
1. Prove that you own some domains
2. Issue certificates for those domains
Proving domain ownership is the complicated part
Proving domain ownership
1. Applicant asks to be authorized for example.com
2. CA challenges the applicant to do something that only the real owner of example.com can do:
○ Provision a DNS record at _acme-challenge.example.com
○ Provision a file at http://example.com/.well-known/acme-challenge/
3. Applicant chooses a challenge and does what was asked
4. CA verifies that the applicant has completed the challenge
○ Look for the DNS record at _acme-challenge.example.com
○ Download the file at http://example.com/.well-known/acme-challenge/
If the applicant completed the challenge, the CA will then let the applicant issue certificates for the domain
For example:
Issuing Certificates is easy
Send in a Certificate Signing Request, get back a certificate
Only for domains where you’ve proved ownership, of course!
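As an added illustration of the challenge flow above (not code from the slides or from Let's Encrypt), here is an offline model of the CA-side check for both challenge types. The key-authorization and thumbprint rules come from the ACME and JWK specifications rather than the slides; the account key, token and in-memory fetch/resolve helpers are constructed stand-ins.

```python
"""Offline model of how an ACME CA verifies the HTTP-01 and DNS-01
challenges described on the slides. Constructed example following
RFC 8555 (ACME) and RFC 7638 (JWK thumbprint); not Let's Encrypt code."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """RFC 7638 canonical form: only the required members for the key type,
    keys in lexicographic order, no whitespace. Extra members (kid, ...) drop out."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    return json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    return b64url(hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint binds the response to the ACME account key, so a file
    placed by someone who does not hold the account key does not satisfy the CA."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def verify_http01(domain: str, token: str, account_jwk: dict, fetch) -> bool:
    """CA side of HTTP-01: fetch http://<domain>/.well-known/acme-challenge/<token>
    and compare the body (trailing whitespace ignored, RFC 8555 section 8.3) with
    the expected key authorization. fetch(url) -> str is injected to run offline."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    try:
        body = fetch(url)
    except Exception:  # unreachable host, 404, timeout: challenge fails closed
        return False
    return body.rstrip() == key_authorization(token, account_jwk)


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """Expected TXT record at _acme-challenge.<domain>: base64url(SHA-256(keyauth))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def verify_dns01(domain: str, token: str, account_jwk: dict, resolve_txt) -> bool:
    """CA side of DNS-01: look up TXT records for _acme-challenge.<domain>
    (resolve_txt(name) -> list of str, injected) and require an exact match."""
    try:
        records = resolve_txt(f"_acme-challenge.{domain}")
    except Exception:
        return False
    return dns01_txt_value(token, account_jwk) in records


# Constructed account key: placeholder values, not a real RSA modulus. The
# thumbprint arithmetic does not depend on the key being usable for signing.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "constructed-modulus-not-a-real-key",
               "kid": "https://ca.example/acct/1"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed, token-shaped


def demo_server_fetch(url: str) -> str:
    """Stands in for the applicant's web server; serves exactly one challenge file."""
    if url != f"http://example.com/.well-known/acme-challenge/{TOKEN}":
        raise FileNotFoundError(url)
    return key_authorization(TOKEN, ACCOUNT_JWK) + "\n"


def demo_resolve_txt(name: str) -> list:
    """Stands in for the DNS lookup; only _acme-challenge.example.com is provisioned."""
    zone = {"_acme-challenge.example.com": [dns01_txt_value(TOKEN, ACCOUNT_JWK)]}
    return zone.get(name, [])


if __name__ == "__main__":
    print("HTTP-01 ok:", verify_http01("example.com", TOKEN, ACCOUNT_JWK, demo_server_fetch))
    print("DNS-01 ok:", verify_dns01("example.com", TOKEN, ACCOUNT_JWK, demo_resolve_txt))
```

The same checks fail for a different domain, a different token or a different account key, which is the property that makes the challenge a proof of control rather than a formality.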
Let’s look at a few case studies
● For a standalone server
● For hosting providers
● For network operators
Caddy
Caddy is a new HTTP server, focused on modern web tech
Caddy has a built-in ACME client that gets a certificate for any domain you configure it to serve
Dreamhost & Automattic
Dreamhost built an ACME client into their HTTPS management system
Users can ask for a Let’s Encrypt certificate when turning on HTTPS
Dreamhost uses ACME to set up and renew the certificate
Automattic / Wordpress.com did the same thing to turn on HTTPS for over 600,000 hosted sites
Free
● French ISP with more than 10 million customers
● Since 2009, their home gateways have had a web interface
● … but they couldn’t make it HTTPS
○ Too expensive to pay for a certificate per device
○ No way to automate the certificate issuance
○ Using a wildcard would have required sharing a key across devices
○ Using a self-signed certificate would have been a bad user experience
● With Let’s Encrypt, they can provision a certificate to each device, securely, automatically, and free of charge
● Around 30,000 customers have opted in so far
Lots of tools to customize to your needs
People have made ACME clients with a variety of shapes and sizes:
● Python, Go, Ruby, Perl, PHP, PowerShell, …
● Fully-integrated vs. minimal libraries
● Even just a webpage: https://gethttpsforfree.com/
And of course, the ACME spec is an Internet-Draft, so you can write your own
If you’re an Amazon Web Services customer, check out their new automated tool
* It’s not Let’s Encrypt, but it is free and automated!
Better security through automation
● Almost 600,000 certificates issued so far
● More than 2,000,000 domains that never had a certificate before
● That’s more than 10% growth in secure domains in under 3 months
What can you do?
Look around your infrastructure -- what still offers a non-secure interface?
Join the IETF ACME working group to make this more than just Let’s Encrypt
Require that the services you use be secure
Encourage the CAs you work with to use ACME
Fork us on GitHub!
Paul Theriault <pauljt@mozilla.com>
Richard Barnes <rbarnes@mozilla.com>
Let's Encrypt: Better Security through Automation