Let's Encrypt



LE-present

Let's Encrypt presentation for Iterate.PHX

On Github devpaul / LE-present

Let's Encrypt

Hello There

Paul Shannon / @developerPaul

Workshop Overview

  • About Let's Encrypt
  • Demo
  • Questions and hands-on

HTTPS in Brief

Why Encrypt?

It's good security

  • Secures open wifi hotspots
  • Prevents session hijacking
  • Prevents man-in-the-middle attacks

It's good for privacy

  • Governments are listening
  • ISPs are listening
  • Verizon adds tracking cookies
  • Comcast injects ads

Governments like the US and China. Years ago it would have been considered a tin-foil hat conspiracy if I said the government collects metadata on all communication. Now it's fact. The NSA used geolocation and marketing cookies to track people.

It's good for you

  • Google uses https as a ranking signal
  • Chrome and Firefox will deprecate http

Barriers to Encrypting

  • Certificates cost money
  • Certificates expire
  • Editing server configurations is hard
  • TLS lowers performance
  • Inhibits load balancing
  • Mixed mode

Non-technical companies let certificates expire and don't know it until people start seeing certificate warnings. It takes time, a PO, and sometimes a contractor to update certs. FREAK happened because servers are difficult to configure: more than 30% of servers supported export-grade RSA encryption.

So... Let's Encrypt

Let's Encrypt is a free, automated, and open certificate authority

Comprised of 3 components

Let's Encrypt Client

  • Get a new certificate
  • Install certificate in Nginx or Apache
  • Renew certificates
  • Revoke certificates

How does it work?

Domain Registration

The client contacts the ACME CA. The server says: put [text] at <domain>/[location], and sign [nonce].

Domain Validation

Certificate Issuance
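The registration and validation exchange on these slides, as an added example (not the project's own code): a simplified ACME HTTP-01 challenge in Python. Assumptions: the account key is an HMAC secret standing in for the real JWS key pair, and the public web is an in-memory dict so the exchange runs offline.

```python
import base64
import hashlib
import hmac
import secrets

WELL_KNOWN = "/.well-known/acme-challenge/"   # the [location] on the slide

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

class AcmeCA:
    """CA side: hands out a token (the nonce), checks the client's signature over it, then fetches the key authorization."""
    def __init__(self, sites: dict):
        self.sites = sites    # domain -> {path: body}; stands in for the public web (assumption)
        self.pending = {}     # token -> (domain, account_key)

    def new_challenge(self, domain: str, account_key: bytes) -> str:
        token = b64url(secrets.token_bytes(32))
        self.pending[token] = (domain, account_key)
        return token

    def validate(self, token: str, signature: bytes) -> bool:
        domain, account_key = self.pending.pop(token)
        # 1. "sign [nonce]": only the account that requested the challenge may answer it
        if not hmac.compare_digest(signature, hmac.digest(account_key, token.encode(), "sha256")):
            return False
        # 2. "put [text] at <domain>/[location]": fetch it over plain HTTP and compare
        expected = f"{token}.{b64url(hashlib.sha256(account_key).digest())}"
        body = self.sites.get(domain, {}).get(WELL_KNOWN + token)
        return body is not None and hmac.compare_digest(body, expected)

class AcmeClient:
    """Client side (the role the letsencrypt tool plays): publishes the key authorization and signs the nonce."""
    def __init__(self, docroot: dict):
        self.account_key = secrets.token_bytes(32)   # HMAC secret standing in for the account key pair
        self.docroot = docroot

    def respond(self, token: str) -> bytes:
        thumbprint = b64url(hashlib.sha256(self.account_key).digest())
        self.docroot[WELL_KNOWN + token] = f"{token}.{thumbprint}"
        return hmac.digest(self.account_key, token.encode(), "sha256")

def run_http01(domain: str, client_controls_domain: bool = True) -> bool:
    """One challenge; with client_controls_domain=False the CA reaches a different web root, so it fails."""
    sites = {domain: {}}
    docroot = sites[domain] if client_controls_domain else {}
    client, ca = AcmeClient(docroot), AcmeCA(sites)
    token = ca.new_challenge(domain, client.account_key)
    return ca.validate(token, client.respond(token))
```

The failing case is the point of domain validation: a client that cannot place the file where the CA looks for the domain never gets a certificate for it.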

Demo Time!

letsencrypt --server http://devpaul.xyz/acme/new-reg auth

docker run -it --rm -p 443:443 --name letsencrypt -v `pwd`/etc:/etc/letsencrypt -v `pwd`/lib:/var/lib/letsencrypt quay.io/letsencrypt/letsencrypt --server http://devpaul.xyz/acme/new-reg auth

docker run -it --rm --name letsencrypt --entrypoint /bin/bash quay.io/letsencrypt/letsencrypt:latest

Sponsors

Coming Soon

Limited Rollout: September 7

General Availability: November 16

Get Involved

Let's Encrypt is the full time effort of only a handful of people.

Needed:

  • better Nginx support
  • Apache & Nginx modules

https://github.com/letsencrypt