iencrypt a work in progress
play

IEncrypt a work-in-progress open-source initiative to increase - PowerPoint PPT Presentation

Jul 09, 2023 •490 likes •769 views

IEncrypt a work-in-progress open-source initiative to increase encryption of traffic to and from .ie web sites, starting with newly registered second-level .ie domains. Developed by Tolerant Networks Limited Funded by IEDR Considered

  1. IEncrypt – a work-in-progress open-source initiative to increase encryption of traffic to and from .ie web sites, starting with newly registered second-level .ie domains. Developed by Tolerant Networks Limited Funded by IEDR Considered important by both:-) October 2015, ICANN54, Dublin, Ireland 1/27

  2. Aside... ● I'm doing this presentation on behalf of IEDR as I did the dev work:-) ● I'm not doing this as IETF security area director nor for Trinity College Dublin 2/27

  3. Contents ● Problem ● Initial Goals ● Benefits of Success ● Technical Approach ● Plan ● Proof-of-Concept ● Conclusion ● <Boring Extra Details as Backup> ● <Demo as we go, or later, or earlier> 3/27

  4. Problem ● 20 years on, only about 30% of web sites talk https – Precise figure not the point but the trajectory in particular for smaller web sites ● Cleartext => larger attack surface – For example: Firesheep, great-cannon – More attacks => more support/cost/trouble ● Getting certificates for domains and web-sites is too hard for an average registrant or site admin, or they don't care (enough) – or they don't even think of it 4/27

  5. Initial Goals ● “IEncrypt” check-box for registrants as they create a new .ie domain with associated web server hosting – We're providing proof-of-concept for what's behind that checkbox and happy to talk about providing more ● From the very first DNS query and the very first HTTP response, the hosted site will benefit from state of the art security protocols: – DNSSEC validating, chaining up to .ie and . – Web site gets an “A” from e.g. ssllabs site tester – WebPKI leveraging DNSSEC (at issuance time) using Letsencrypt.org ● Aim is medium level security, reliability and simplicity are more important goals – Opportunistic security design pattern (RFC7435) says that's a valid approach 5/27

  6. Benefits of Success ● Site visitors less likely to be hacked via bogus access point attacks (simple cookie theft) ● Site can make better use of “powerful features” that may no longer be available in browser via cleartext ● Fewer browser warnings (e.g. mixed content) to annoy visitors ● Fewer support calls to registrar as sites consider whether/how to setup TLS and as they (try) do that – note: that's a guess, feedback /facts welcome ● Common good – helping realise a better Internet [RFC7258] ● SEO ranking - https scores better! – http://googlewebmastercentral.blogspot.ie/2014/08/https-as-ranking-signal.html 6/27

  7. Technical Approach ● Registrant wants a new .ie domain and web-site hosting (e.g. apache via VIP), with all being provided by Registrar ● Either by default or via a checkbox, the “IEncrypt” option is selected – An “IEncrypt advanced” could allow client key gen and other options via CLI, with step-by-step guidance (later) ● Registrar uses DNSSEC and letsencrypt.org (LE) CA to get apache running on port 443 from the very start with no browser warnings and no registrant effort – Registrar → Registry gets DNSSEC setup – Registrar → LE web server certs setup based on DNSSEC signed zone 7/27

  8. DNSSEC Setup ● Registrar generates ZSK and KSK and submits DS to registry – Extend existing API hosted by Registry – Registry signs zone including DS ● Registrar populates zone with DNSSEC RRs ● DNSSEC rollover automation is very important – But actually much less so in this case! – A DNSSEC rollover-fail will not affect the web site (today) 8/27

  9. Web Server Cert Setup ● Registrar generates web server key pair (and initial content) ● Registrar sets up authorization for new domain with LE and is issued with a DNS-challenge ● Registrar includes response to DNS-challenge in signed zonefile for new domain ● Registrar instantiates VM image in hosting ● Registrar runs apache or nginx install with bettercrypto.org recommended settings and key pair ● Web site gets an “A” from ssllabs.com site tester from start 9/27

  10. Reliability ● Critical goal: don't make things worse ● Need key rolling for DNSSEC to work seamlessly with no registrar effort – dnssec-tools 'rollerd' does this – New RFCs coming on automating DS rollover ● Web server cert update will be seamless – letsencrypt.org client does this – Can be independent of DNSSEC after 1 st keys done 10/27

  11. Plan 1) IEDR and TN demo a Proof-of-Concept (PoC) 2) Discuss details with Registrars/Hosters 3) Implement DNSSEC authorization with LE 4) Incorporate registrar/LE feedback into code 5) Implement and deploy in registry 6) Registrars who want to play can test 7) All code/tooling will be open-source, BSD license 11/27

  12. PoC Status ● https://testbed.ie proof-of-concept – Plays the role of the ccTLD in the PoC – testbed.ie pretends to be .ie ● PoC allows one to create a new child domain that is DNSSEC signed and with web server cert issued by LE – Working now, runs asynchronously (~5min cycle) – Screen-shots + details in backup slides ● Implementation available, all BSD license – https://basil.dsg.cs.tcd.ie/code/tcd/iencrypt ● Mercurial repo, bogus TLS cert:-) – May move to github, soon's I get a chance ● If so, look below https://github.com/sftcd/ 12/27

  13. PoC Hosts request staging https://testbed.ie web server virtual hosts htps://<foo>.testbed.ie web server config & keygen (webcfg) (hoba.ie) LE client (after DNSSEC done) request staging Child - zone signing, KSK & ZSK generation NS1 Parent – add child to named.conf.local, add DS to (jell.ie) zonefile, zone signing request staging Re-configure named.conf.local to add slaves NS2 Secondary DNS server (down.dsg.cs.tcd.ie) 13/27

  14. PoC Pictures 14/27

  15. PoC Pictures 15/27

  16. Conclusion ● It is entirely possible to make DNSSEC useful and easy (actually invisible) to help more web sites use HTTPS today automatically and for free ● Invisible security like this should become the norm ● Once ubiquitous, similar automation can be done for other things (SMTP/DANE) ● Registrars who are hosters and (esp. ccTLD) registries are well positioned to help and be key to success 16/27

  17. Thanks! Questions? Contact stephen@tolerantnetworks.com 17/27

  18. Backup Slides 18/27

  19. Future Goals ● Handle more kinds of hosting ● Help existing domains to use TLS at renewal time ● SMTP/STARTTLS with DANE 19/27

  20. PoC Software ● Off-the-shelf: – Ubuntu 14.04, Bind (9.9.5), Apache (2.4.7) – dnssec-tools (2.0.0, zonesigner, rollerd) – letsencrypt client (0.1) – openssl (1.01f), curl (7.35.0), php (5.5.9), bash (4.3.11) ● Chewing gum and string: – IEncrypt scripts, some via cron, some as root 20/27

  21. PoC repos ● Chewing gum, string and docs (this mainly) – https://basil.dsg.cs.tcd.ie/code/tcd/iencrypt ● Letsencrypt client – https://github.com/letsencrypt/letsencrypt 21/27

  22. PoC Workflow - Registrant ● Registrant requests foo.testbed.ie at testbed.ie – If invalid, error – If being processed – say to wait else foo.testbed.ie added to “inwork” list ● If not ready, return esimated seconds until ready – If ready, return link to https://foo.testbed.ie ● Non-error HTML response pages autorefresh every N seconds – N = uniform random between 5 and 15 22/27

  23. PoC Workflow - DNSSEC ● (every 5 mins) NS1/children grabs list of new children from testbed.ie – Via mutually-authenticated (client-cert) TLS and “hidden” SNI – If valid, generates new zonefile, KSK/ZSK and DS – Signs Zonefile ● (every 5 mins) NS1/parent grabs list of new children (via file system) – Adds DS to parent zone and re-signs – Add children to named.conf.local – Pushes child to NS2/parent via mutually-authenticated (client-cert) TLS and “hidden” SNI ● Ready to add new slave – Pushes child to testbed.ie via mutually-authenticated (client-cert) TLS and “hidden” SNI ● Ready to start webcfg client processing (next slide) – Re-starts BIND ● (every 5 mins) NS2/parent grabs list of new children from file system – Via mutually-authenticated (client-cert) TLS and “hidden” SNI – Add children as new slaves to named.conf.local – Re-starts BIND 23/27

  24. PoC Workflow - ACME ● ACME is the protocol used between LE client and CA service, implemented by letsencrypt client, so once DNSSEC is done... ● (Every 5 minutes) webcfg checks what children to process ● LE client generates key pair for authorization and account handling (for foo.testbed.ie) ● LE client authorizes itself to LE service for foo.testbed.ie – Currently via “standalone” option ● Requires IEncrypt briefly stopping apache on testbed.ie – LE client generates new key pair for foo.testbed.ie web server and requests certificate – LE service issues certificate ● IEncrypt re-starts apache and sets status of foo.testbed.ie to ready ● Registrant 24/27

  25. PoC Restrictions ● LE service today uses fake CA, “happy hacker fake CA” ● https://basil.dsg.cs.tcd.ie/code/tcd/iencrypt/file/1af04b181fea/testbed.ie/acme/ happy-hacker-fake-CA.pem ● Standalone authoritzation used – No DNS, or DNSSEC, DNS is on the way from LE though – We'll be signing anyway, we may need to help them verify that the DNS challenge response is from a signed zone – Means testbed.ie web server is done now and then for a few seconds ● No port 80 for testbed.ie or <foo>.testbed.ie just due to sharing the same apache install with hoba.ie, hence no HSTS etc. PoC children only ever run on 443 25/27

  26. PoC Pictures 26/27

  27. PoC pictures 27/27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fault Tree Represent at ion of Securit y Requirement s 0 Work in progress Work in progress

Fault Tree Represent at ion of Securit y Requirement s 0 Work in progress Work in progress

Fault Tree Represent at ion of Securit y Requirement s 0 Work in progress Work in progress One Picture is Worth a Thousand Words Couple Dozen Connectives I liano Cer vesat o iliano@itd.nrl.navy.mil I TT I ndust r ies, inc @ NRL Washingt

618 views • 23 slides
GO TO MENTI.COM 25 81 27 Work-in-progress Presentation DickersonRoadStudy.nashville.gov

GO TO MENTI.COM 25 81 27 Work-in-progress Presentation DickersonRoadStudy.nashville.gov

GO TO MENTI.COM 25 81 27 Work-in-progress Presentation DickersonRoadStudy.nashville.gov DICKERSON CORRIDOR PHASE 1 STUDY Work-in-progress Presentation DickersonRoadStudy.nashville.gov THANK YOU!!! Steering Committee Members Trinity

589 views • 37 slides
WORK IN PROGRESS July 2011 AUBURN HIGH SCHOOL AUTO SHOP IMPROVEMENTS PROGRESS: Construction

WORK IN PROGRESS July 2011 AUBURN HIGH SCHOOL AUTO SHOP IMPROVEMENTS PROGRESS: Construction

A UBURN S CHOOL D ISTRICT N O . 408 CAPITAL PROJECTS DEPARTMENT WORK IN PROGRESS July 2011 AUBURN HIGH SCHOOL AUTO SHOP IMPROVEMENTS PROGRESS: Construction work substantially completed March 22, 2011. PERCENT COMPLETE: 99% Auburn High

1.02k views • 68 slides
Work In Progress Formally beginning in January 2020, projects that are funded and entering

Work In Progress Formally beginning in January 2020, projects that are funded and entering

Bronx Community College Work In Progress Formally beginning in January 2020, projects that are funded and entering the Work In Progress stage, as agreed by CUCF and BCC, and all projects in construction will be required to have a poster

483 views • 13 slides
Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with

Implementing Partial Evaluator Via Symbolic Execution (Work in Progress) Ran Ji Joint work with Reiner H ahnle and Richard Bubel Department of Computer Science and Engineering Chalmers University of Technology May 26, 2010

1.04k views • 90 slides
Work in Progress of Record Update Project Data capture, cross-reference, consolidation &amp;

Work in Progress of Record Update Project Data capture, cross-reference, consolidation &amp;

Work in Progress of Record Update Project Data capture, cross-reference, consolidation &amp; analysis Disclaimer: This will remain a work in progress with applicable margins for error as it is based on data collected by various people over many

768 views • 42 slides
PgBench Work in Progress Fabien Coelho MINES ParisTech, PSL Research University PostgreSQL

PgBench Work in Progress Fabien Coelho MINES ParisTech, PSL Research University PostgreSQL

PgBench Work in Progress Fabien Coelho MINES ParisTech, PSL Research University PostgreSQL Session #9, Paris November 17, 2017 1 / 29 PgBench Work in Progress Talk Outline 1 PgBench History Capabilities Caveats 2 Performance

323 views • 29 slides
Crisis and liaison psychiatry 2 2 DRAFT WORK IN PROGRESS Dr Fareedoon Ahmed Consultant

Crisis and liaison psychiatry 2 2 DRAFT WORK IN PROGRESS Dr Fareedoon Ahmed Consultant

1 1 DRAFT WORK IN PROGRESS Crisis and liaison psychiatry 2 2 DRAFT WORK IN PROGRESS Dr Fareedoon Ahmed Consultant Psychiatrist KMPT Mental health crisis Who will help Where can I go This person is unwell There is

275 views • 24 slides
Property-Based Testing via Proof Reconstruction Work-in-progress Alberto Momigliano joint work

Property-Based Testing via Proof Reconstruction Work-in-progress Alberto Momigliano joint work

Property-Based Testing via Proof Reconstruction Work-in-progress Alberto Momigliano joint work with Rob Blanco and Dale Miller LFMTP17 Sept. 8, 2017 Off the record After almost 20 years of formal verification with Twelf, Isabelle/HOL,

438 views • 25 slides
Ticket to Work Program Timely Progress Review Basics 1 Objectives Discuss Timely Progress

Ticket to Work Program Timely Progress Review Basics 1 Objectives Discuss Timely Progress

Ticket to Work Program Timely Progress Review Basics 1 Objectives Discuss Timely Progress Review (TPR) fundamentals Discuss how the Ticket to Work Program impacts Continuing Disability Reviews (CDR) Discuss TPR requirements

994 views • 29 slides
Generative Models and Optimal Transport Marco Cuturi Joint work / work in progress with G.

Generative Models and Optimal Transport Marco Cuturi Joint work / work in progress with G.

Generative Models and Optimal Transport Marco Cuturi Joint work / work in progress with G. Peyr, A. Genevay (ENS) , F. Bach (INRIA), G. Montavon, K-R Mller (TU Berlin) Statistics 0.1 : Density Fitting We collect data N data = 1 X x

1.55k views • 139 slides
Graphs with three eigenvalues Jack Koolen Joint work with Ximing Cheng and it is work in progress

Graphs with three eigenvalues Jack Koolen Joint work with Ximing Cheng and it is work in progress

Introduction Theory Our results Graphs with three eigenvalues Jack Koolen Joint work with Ximing Cheng and it is work in progress School of Mathematical Sciences, University of Science and Technology of China Villanova University, June 2,

600 views • 43 slides
Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik

Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik

Learning to Find Bugs (Work in progress) Michael Pradel TU Darmstadt 1 Joint work with Koushik Sen and Rohan Bavishi Automated Bug Detection Hundreds of bug Thousands of bug detectors patterns One analysis for each Existing bug

647 views • 38 slides
Measures of Academic Progress (MAP) What is MAP? MAP - Measures of Academic Progress

Measures of Academic Progress (MAP) What is MAP? MAP - Measures of Academic Progress

Measures of Academic Progress (MAP) What is MAP? MAP - Measures of Academic Progress Achievement tests Delivered by computer How does MAP work? Questions appear on your computer screen Use the mouse or keyboard to

242 views • 11 slides
Discounted Duration Calculus Work in Progress H. Ody Joint work with M. Frnzle and M. R.

Discounted Duration Calculus Work in Progress H. Ody Joint work with M. Frnzle and M. R.

Discounted Duration Calculus Work in Progress H. Ody Joint work with M. Frnzle and M. R. Hansen October 19, 2015 Ody Discounted DC October 19, 2015 1 / 12 Motivation Discounting in Temporal Logics Eventually properties are common

646 views • 26 slides
Annual Progress Report Joint City Council and Planning Commission Work Session October 8, 2019

Annual Progress Report Joint City Council and Planning Commission Work Session October 8, 2019

Annual Progress Report Joint City Council and Planning Commission Work Session October 8, 2019 Work Session Intent Annual Progress What has the community accomplished? What remains to be done? Overview of planned activity for 2020

1.41k views • 16 slides
The Ethical Community Charter School PBL Themes, Field Trips, and Assemblies What does

The Ethical Community Charter School PBL Themes, Field Trips, and Assemblies What does

The Ethical Community Charter School PBL Themes, Field Trips, and Assemblies What does PBL mean? PBL stands for Project Based Learning. According to the Buck Institute of Education, Project Based Learning is a teaching method in which

457 views • 13 slides
Basil Grand Vert Mint Purple Basil Spicy Mint Basil Latino Persil

Basil Grand Vert Mint Purple Basil Spicy Mint Basil Latino Persil

Dill Coriander Basil Grand Vert Mint Purple Basil Spicy Mint Basil Latino Persil Chives Thyme Tomatoes Beef tomatoes Roma Q1 Tomatoes Roma Q2 Tomatoes Cherry Tomatoes Cherry Tomatoes

392 views • 12 slides
Source 1 Direct Sourcing | Manufacturing | Quality Agenda About Pakistan About the

Source 1 Direct Sourcing | Manufacturing | Quality Agenda About Pakistan About the

Source 1 Direct Sourcing | Manufacturing | Quality Agenda About Pakistan About the company About the Top Team Company Turnover Product Range 3 rd . Party Testing Clients List About Pakistan Pakistan is the 4 th

448 views • 17 slides
RI C C YCLE YCLE H H YDROPONIC YDROPONIC G REENHOUSE REENHOUSE A Market Analysis and Sustainable

RI C C YCLE YCLE H H YDROPONIC YDROPONIC G REENHOUSE REENHOUSE A Market Analysis and Sustainable

T RI RI C C YCLE YCLE H H YDROPONIC YDROPONIC G REENHOUSE REENHOUSE A Market Analysis and Sustainable Supply Chain Plan P ROJECT S COPE Initial Market Analysis Initial Market Analysis Working with Sara Gould and Laura Gray We stet our

926 views • 8 slides
LN LNG as as a a fue fuel l - Regulatory Framework &amp; SGMFs Guidelines 20th February

LN LNG as as a a fue fuel l - Regulatory Framework &amp; SGMFs Guidelines 20th February

LNG for 2020: Fueling Tomorrows Shipping LN LNG as as a a fue fuel l - Regulatory Framework &amp; SGMFs Guidelines 20th February 2020, SUNY Maritime College, New York Presented by Gianpaolo Benedetti Gianpaolo.Benedetti@sgmf.info So

478 views • 16 slides
Northern Gas Networks Limited Bond Investor Presentation March 2010 Basil Scarsella Chief

Northern Gas Networks Limited Bond Investor Presentation March 2010 Basil Scarsella Chief

Northern Gas Networks Limited Bond Investor Presentation March 2010 Basil Scarsella Chief Executive Officer Chris Johns Finance Director Cautionary Statement For the purposes of the following disclaimer, references to this presentation

404 views • 38 slides
Scaling Agriculture to Meet Increasing Marketplace Demand Agriculture Trade Show Workshop

Scaling Agriculture to Meet Increasing Marketplace Demand Agriculture Trade Show Workshop

Scaling Agriculture to Meet Increasing Marketplace Demand Agriculture Trade Show Workshop January 2015 Problem: How to Scale? Ways to Scale Production Diversification Year round growing Increased acreage under production Use of

789 views • 21 slides
Corporate Presentation September, 2017 Important Notice Safe fe Harbor This presentation

Corporate Presentation September, 2017 Important Notice Safe fe Harbor This presentation

Corporate Presentation September, 2017 Important Notice Safe fe Harbor This presentation contains statements that contain forward looking statements including, but without limitation, statements relating to the implementation of

505 views • 27 slides

More recommend