encrypt all the things with letsencrypt
play

Encrypt ALL the things with LetsEncrypt Created by : Justin W. - PowerPoint PPT Presentation

Nov 28, 2022 •114 likes •360 views

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin License : CC-BY-SA 4.0 Introduction What is TLS and why do I need it? TLS stands for Transport Layer Security Difference between https and

  1. Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory ➔ Solomon Rubin ➔ License : CC-BY-SA 4.0

  2. Introduction

  3. What is TLS and why do I need it? ● TLS stands for Transport Layer Security ○ Difference between https and http ○ Encrypts communications with web servers on the fly Normally, purchase TLS certificate from Certificate Authority ●

  4. Old problems with getting certificates ● Basic encryption is expensive (especially with multiple subdomains) Most certificate authorities (CAs) focus on identity or organization ● verification ○ Most sites only need domain verification

  5. What is LetsEncrypt?! ● Imagine a world where encryption is everywhere and your online communications are always secure LetsEncrypt offers solution to increase security of the web ○ ● Free certificates ○ Providing only domain verification ■ At zero cost ○ Creates a safer Internet

  6. Key Principles ● Free for anyone who owns a domain Automatic cert issuance through CertBot (by EFF) on web server ● Secure : “LE will serve as a platform for advancing TLS security...” ● ● Transparent : All certs issued and revoked are publicly logged ● Open : Cert management process is published as open source software. Cooperative : Joint effort between multiple organizations and community ●

  7. Who made this happen? I want to see the proof! ● Linux Foundation Sponsored by many large organizations ● Mozilla, Cisco, EFF, Google Chrome, Facebook, SquareSpace, Shopify, Hewlett Packard… ○ ○ Many more

  8. How does it work (Root Cert Propagation) ● LE Root Certificate (ISRG Root 1X) ○ Kept safely offline ○ Propagated through Intermediates LE Intermediate Certificates (All IdentTrust cross-signed) ● X1, X2 - Original Intermediates ○ ○ X3 - Current generation Intermediate X4 - Disaster Recovery Intermediate ○

  9. Crazy Diagram!

  10. How does it work? (Domain Verification) ● Automatic verification via DNS Three modes ● Webroot : Domain verification service looks for file in the public web directory ○ ○ Standalone : Uses ports 80/443 to respond to request from domain verification service Automatic : Plugins for Apache and nginx ○ ● Uses URL / key pairs

  11. Verification Process ● Challenge Sets ○ Adding key to a specific, random URL ○ Verify from LE servers

  12. Getting your certificates

  13. Installation ( Certbot ) ● Nowadays, available in most Linux package repositories ○ If not : Compile from source and run it (all Python underneath) Debian / Ubuntu / Debian-based distributions ● ○ $ sudo apt-get install certbot Red Hat Enterprise Linux / CentOS (via EPEL) ● ○ $ sudo yum install certbot ● Fedora ○ $ sudo dnf install certbot ● Arch Linux ○ $ sudo pacman -S certbot

  14. Issuing certificates : Webroot method ● Webroot uses root directory of your domain to verify domain authenticity ○ Places files in root directory, LE servers check if files are present ○ Most useful when using a CDN or something else in between connections to your servers Run the following command to get your certificate(s): ● $ sudo certbot certonly -m me@example.com --webroot -w /var/www/example.com/public_html/ -d example.com

  15. Issuing certificates : Standlone method ● Standalone uses port 80 / 443 to verify domain authenticity ○ Requires ports 80 or 443 to not already be in use ● Run the following command to get your certificate(s): $ sudo certbot certonly -m me@example.com --standalone -d example.com --pre-hook=”systemctl stop nginx” --post-hook=”systemctl start nginx”

  16. Renewing certificates ● Renewing your certificates is… actually easy Run the following command to get your certificate(s): ● $ sudo certbot renew

  17. Run it in prod!

  18. Writing an nginx conf for ex.io (1/3) server { listen 443 ssl; server_name ex.io; root /var/www/ex.io/public_html; access_log /var/www/ex.io/logs/ex.io_access.log; error_log /var/www/ex.io/logs/ex.io_error.log error;

  19. Writing an nginx conf for ex.io (2/3) ssl on; ssl_certificate /etc/ssl/certs/ex_io/ex_io-fullchain.pem; ssl_certificate_key /etc/ssl/certs/ex_io/ex_io-privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNU LL:!aNULL"; ssl_prefer_server_ciphers on;

  20. Writing an nginx conf for ex.io (3/3) location / { index index.html index.htm; server_tokens off; } } server { listen 80; server_name ex.io; rewrite ^ https://$server_name$request_uri? permanent; }

  21. Just like that!

  22. Live Demo : nginx Completely and totally unrehearsed. brokenencryptionmakesmecry.jwf.io

  23. Questions? Comments? Suggestions? Justin W. Flory ➔ Solomon Rubin ➔ License : CC-BY-SA 4.0

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject https://guardianproject.info INTENTION vs. EXECUTION The Guardian Project https://guardianproject.info Secure Your Mobile Life Apps &

816 views • 60 slides
Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve Encrypt-then MAC: encrypt message, then compute MAC of Privacy: use encryption ciphertext. Integrity: use MAC MAC-then-encrypt: First compute MAC, and then

203 views • 3 slides
Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020 Whats Close lid to encrypt? Project by Jonas Meurer and me Freelancing systems engineers living in Germany Full-disk encryption

397 views • 16 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark | Travis Goodspeed | Perry Metzger Zachary Wasserman | Kevin Xu | Matt Blaze Usenix 2011 P25 Modulates voice

147 views • 14 slides
Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt numbers using a simple version of the RSA algorithm. Each team should have two members. Each team-member should complete the exercise as Bob, then pass

228 views • 4 slides
No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

. . . . . . . . . . . . . . No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2 , G. Moura 3 1 National Cyber Security Centre The Netherlands 2 Delft University of Technology The

292 views • 18 slides
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1 INTRODUCTION Hanno Bck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project , funded by Linux Foundation's Core

1.09k views • 46 slides
Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the things which will take place after this. Revelation 4:1 After these things I looked, and behold, a door standing open in heaven. And the

438 views • 30 slides
No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej Korczy nski 2 , Giovane C. M. Moura 3 , Samaneh Tajalizadehkhoob 2 , Jan van den Berg 2 1 National Cyber Security Centre The Netherlands 2 Delft

423 views • 21 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101: Encryption without authentication is useless. Encryption without authentication is like meeting a stranger in a

813 views • 31 slides
Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT) Incompatible standards, platforms, technologies World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and

273 views • 15 slides
On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul

930 views • 68 slides
Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU W3C Workshop on Privacy and UserCentric Controls 1 20-21 November 2014, Berlin << Facebook has been able to deploy end-to-end encryption

429 views • 10 slides
Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan telework-related security policies and controls based on a zero-trust model. Encrypt client devices storage, encrypt all sensitive data stored on

371 views • 9 slides
Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

486 views • 25 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

446 views • 31 slides
CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Le Lect cture 14 14 Public Key

857 views • 47 slides
CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense 2. HW2 - Graded and returned. 3. HW3 - How are things going? 4. Review of L03 (hash functions & ciphers) 5. Public Key Cryptography 6.

757 views • 43 slides
Kerberos & X.509 11

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides

More recommend