Let's Encrypt: Better Security through Automation, by Paul Theriault.
A presentation given at APRICOT 2016’s Securing Transport session on 23 February 2016.
2. Security is important
Confidentiality: Prevent spying on what you're doing.
Privacy: Prevent injected tracking cookies
Integrity: Prevent injected advertising
Authenticity: Ensure you're talking to the real site and not part of a DDoS
3. Security needs to be everywhere
You use SSH and not telnet to log into your routers (right?)
What about email servers, LDAP, IRC, Message Systems etc…
(Pretty much anything with a FQDN)
You’re using TLS for all those things ...right?
4. Security needs to be more ubiquitous
58% of Firefox pageviews are not secure
45% of inbound SMTP connections to Gmail are not secure
Hundreds of thousands of routers with insecure web interfaces are out there
5. But setting up security is hard
Usually the default settings are OK, but then you have to get a certificate
First fill out a web form…
… then pay for it ...
... then prove you own the domain
If you're lucky, you might get to use a proprietary API
If you’re unlucky, you’ll forget to renew
7. Let’s Encrypt: A new certificate authority
Let’s Encrypt is pioneering a new way to do certificates:
Free of charge: Funded by the whole industry
Automatic: No web forms, just a standard API
Transparent: All of the certs are publicly logged
Open source: All the code is on GitHub
Major Sponsors:
[[ your name here]]
8. Automating certificates
The way you get a certificate is to use an HTTP-based API called ACME
Two basic steps to the protocol:
1. Prove that you own some domains
2. Issue certificates for those domains
Proving domain ownership is the complicated part
9. Proving domain ownership
1. Applicant asks to be authorized for example.com
2. CA challenges the applicant to do something that only the real owner of example.com can do:
○ Provision a DNS record at _acme-challenge.example.com
○ Provision a file at http://example.com/.well-known/acme-challenge/
3. Applicant chooses a challenge and does what was asked
4. CA verifies that the applicant has completed the challenge
○ Look for the DNS record at _acme-challenge.example.com
○ Download the file at http://example.com/.well-known/acme-challenge/
If the applicant completed the challenge, the CA will now let them issue certificates for the domain
11. Issuing Certificates is easy
Send in a Certificate Signing Request, get back a certificate
Only for domains where you’ve proved ownership, of course!
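The two-step flow from the "Proving domain ownership" and "Issuing Certificates" slides, as an added example that is not Let's Encrypt code. The slides only name the two challenge locations; the token, account-key thumbprint and key-authorization construction used here follow the ACME specification as later standardized in RFC 8555 (sections 8.1, 8.3, 8.4) and RFC 7638. The account JWK is constructed, and the HTTP fetch and DNS lookup are replaced by in-memory dicts so the flow runs offline; `ToyCA` and the certificate string are stand-ins for a real CA and a real certificate.

```python
"""Toy model of the ACME challenge/issuance flow: prove control, then issue."""
import base64
import hashlib
import hmac
import json
import secrets

# Constructed public JWK members of an ACME account key (not a real key).
# The thumbprint uses only the required public members, so this is enough.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-modulus-not-a-real-key", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """What the applicant must publish: binds the CA's token to the account key."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple[str, str]:
    """Path and body the applicant serves for the HTTP challenge."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_response(domain: str, token: str, jwk: dict) -> tuple[str, str]:
    """Name and TXT value for the DNS challenge (SHA-256 of the key authorization)."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


class ToyCA:
    """CA side: hands out tokens, checks challenges, issues only for proven names."""

    def __init__(self):
        self.pending: dict[str, str] = {}   # domain -> outstanding token
        self.authorized: set[str] = set()

    def new_authorization(self, domain: str) -> str:
        token = b64url(secrets.token_bytes(32))   # fresh and unguessable per challenge
        self.pending[domain] = token
        return token

    def verify_http01(self, domain: str, webroot: dict, jwk: dict) -> bool:
        """webroot stands in for an HTTP GET against the applicant's server."""
        token = self.pending[domain]
        path, expected = http01_response(token, jwk)
        body = webroot.get(path, "")
        return self._record(domain, hmac.compare_digest(body, expected))

    def verify_dns01(self, domain: str, zone: dict, jwk: dict) -> bool:
        """zone stands in for a TXT lookup against the applicant's DNS."""
        token = self.pending[domain]
        name, expected = dns01_response(domain, token, jwk)
        found = any(hmac.compare_digest(v, expected) for v in zone.get(name, []))
        return self._record(domain, found)

    def _record(self, domain: str, ok: bool) -> bool:
        if ok:
            self.authorized.add(domain)
        self.pending.pop(domain, None)   # one token, one attempt
        return ok

    def issue(self, csr_domains: list[str]) -> str:
        """Step 2 of the protocol: a CSR is honoured only for domains already proven."""
        unproven = [d for d in csr_domains if d not in self.authorized]
        if unproven:
            raise PermissionError(f"not authorized for: {unproven}")
        return "CERT(" + ",".join(csr_domains) + ")"   # stands in for a real certificate


def run_flow(ca: ToyCA, domain: str, jwk: dict, challenge: str) -> bool:
    """Applicant side: request a token, provision the response, ask the CA to verify."""
    token = ca.new_authorization(domain)
    if challenge == "http-01":
        path, body = http01_response(token, jwk)
        return ca.verify_http01(domain, {path: body}, jwk)
    name, value = dns01_response(domain, token, jwk)
    return ca.verify_dns01(domain, {name: [value]}, jwk)


if __name__ == "__main__":
    ca = ToyCA()
    print("http-01:", run_flow(ca, "example.com", ACCOUNT_JWK, "http-01"))
    print("dns-01: ", run_flow(ca, "mail.example.com", ACCOUNT_JWK, "dns-01"))
    print(ca.issue(["example.com", "mail.example.com"]))
```

The point to notice is the thumbprint in the published value: the response is tied to the account key as well as the token, so a response provisioned by a different account key for the same token fails verification, and `issue` refuses any CSR naming a domain that has not passed a challenge.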
12. Let’s look at a few case studies
● For a standalone server
● For hosting providers
● For network operators
13. Caddy
Caddy is a new HTTP server, focused on modern web tech
Caddy has a built-in ACME client that gets a certificate for any domain you configure it to serve
14. Dreamhost & Automattic
Dreamhost built an ACME client into their HTTPS management system
Users can ask for a Let’s Encrypt certificate when turning on HTTPS
Dreamhost uses ACME to set up and renew the certificate
Automattic / Wordpress.com did the same thing to turn on HTTPS for over 600,000 hosted sites
15. Free
● French ISP with more than 10 million customers
● Since 2009, their home gateways have had a web interface
● … but they couldn’t make it HTTPS
○ Too expensive to pay for a certificate per device
○ No way to automate the certificate issuance
○ Using a wildcard would have required sharing a key across devices
○ Using a self-signed certificate would have been a bad user experience
● With Let’s Encrypt, they can provision a certificate to each device, securely,
automatically, and free of charge
● Around 30,000 customers have opted in so far
17. Lots of tools to customize to your needs
People have made ACME clients with a variety of shapes and sizes:
● Python, Go, Ruby, Perl, PHP, PowerShell, …
● Fully-integrated vs. minimal libraries
● Even just a webpage: https://gethttpsforfree.com/
And of course, the ACME spec is an Internet-Draft, so you can write your own
If you’re an Amazon Web Services customer, check out their new automated tool
* It’s not Let’s Encrypt, but it is free and automated!
18. Better security through automation
● Almost 600,000 certificates issued so far
● More than 2,000,000 domains that never had a certificate before
● That’s more than 10% growth in secure domains in under 3 months
19. What can you do?
Look around your infrastructure -- what still offers a non-secure interface?
Join the IETF ACME working group to make this more than just Let’s Encrypt
Require that the services you use be secure
Encourage the CAs you work with to use ACME
Fork us on GitHub!