Let’s Encrypt
Slides: ap.hamakor.org.il/2017/presentations/letsencrypt_ap2017.pdf
Rumors | the Digital Lemonade Stand | rumors.io
[Diagram labels: “Trusted”, “Untrusted”, “Trusted”; Battleground]
Symmetric Encryption
[Diagram: “Attack at dawn!” → E (Key) → X6zj>?s)&... → D (Key) → “Attack at dawn!”; labels “Trusted”, “Untrusted”, “Trusted”]
Public Key Crypto (Asymmetric Encryption)
Public Key
● Public knowledge
● Anything encrypted with it can only be decrypted using the Private Key
Private Key
● Kept secret
● Anything “encrypted”* with it can only be decrypted using the Public Key
* Digital Signature
Heya Bank! Let’s Connect!
Sure! Here’s my Public Key
[Diagram labels: VERISIGN { BANK’s PK }; BANK’s SK; VERISIGN { VERISIGN’s PK }]
⋮
Secure Channel
Key Generation*
* Before Let’s Encrypt
$ openssl req -nodes -newkey rsa:4096 \
    -keyout secret.key \
    -out request.csr \
    -subj "/C=IL/ST=Tel-Aviv/L=Tel-Aviv/O=Rumors/OU=Engineering/CN=rumors.io"
* View SK/PK: $ openssl rsa -noout -text -in secret.key
* View CSR: $ openssl req -noout -text -in request.csr
CA Domain Validation
[Diagram labels: Engineer of X.com; CA; X.com’s PK; DNS; HTTP; $ +; VERISIGN { X.com’s PK }]
Let’s Encrypt
● A FREE and automated CA that gets you a browser-trusted certificate if you can prove domain ownership.
● Speaks the ACME* protocol
● Many clients** exist; certbot (aka the Let’s Encrypt client) is the recommended one.
* Automated Certificate Management Environment - https://tools.ietf.org/html/draft-ietf-acme-acme-07
** LE Clients: https://letsencrypt.org/docs/client-options/
certbot
● Developed by the EFF
● What does it do?
  ○ Generates a key-pair
  ○ Uses ACME to validate domain ownership via Let’s Encrypt’s CA
  ○ Installs the legit Cert
  ○ Sets secure ciphersuites
  ○ Allows other security settings
    ■ HSTS, OCSP Stapling/Must-Staple, HTTPS Redirection, CSP: Upgrade-Insecure-Reqs
SSL/TLS Attacks
● CA Compromise - e.g. DigiNotar
● PRNG Fails - e.g. Debian OpenSSL Debacle
● Broken Crypto - e.g. Flame Malware (MD5 Collision), RC4, DES
● Weakened Crypto - e.g. EXPORT ciphersuites (FREAK)
● Protocol - CRIME, TIME, BREACH, BEAST, DROWN, LOGJAM, POODLE (many more…)
Not just the USA. Many other nation states and other sophisticated attackers.
Ciphersuites
● “Good Ciphersuites” : at least for now … :)
  ○ ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
● Disable TLS compression
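An added example (not from the original slides): a small reviewer's audit of an OpenSSL cipher string like the one above, sorting entries into those without forward secrecy, those that are not AEAD, and 3DES. The function names and bucket names are assumptions of this example, and the classification is a heuristic over OpenSSL's TLS 1.2 suite names.

```python
# Excerpt of the slide's OpenSSL cipher string (entries copied from the slide).
SLIDE_EXCERPT = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA:"
    "AES128-GCM-SHA256:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK"
)

FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")   # ephemeral (EC)DH key exchange


def audit_cipher_string(cipher_string):
    """Sort the entries of an OpenSSL cipher string into review buckets.

    Heuristic over suite names; `openssl ciphers -v` remains the way to
    resolve selectors against the local OpenSSL build.
    """
    report = {"excluded": [], "selectors": [], "no_forward_secrecy": [],
              "not_aead": [], "triple_des": []}
    for entry in filter(None, cipher_string.split(":")):
        if entry.startswith("!"):
            report["excluded"].append(entry[1:])
        elif "+" in entry or "-" not in entry:
            # Aliases such as AES or kEDH+AESGCM expand to many suites.
            report["selectors"].append(entry)
        else:
            if not entry.startswith(FS_PREFIXES):
                # e.g. static RSA key exchange: no forward secrecy
                report["no_forward_secrecy"].append(entry)
            if "GCM" not in entry and "CHACHA20" not in entry:
                # CBC (or stream) cipher with a separate HMAC
                report["not_aead"].append(entry)
            if "DES-CBC3" in entry:
                # 3DES: 64-bit block cipher, not removed by !DES
                report["triple_des"].append(entry)
    return report


def missing_exclusions(report,
                       required=("aNULL", "eNULL", "EXPORT", "RC4", "MD5")):
    """Exclusions a reviewer expects that the string does not carry."""
    return [name for name in required if name not in report["excluded"]]


if __name__ == "__main__":
    result = audit_cipher_string(SLIDE_EXCERPT)
    for bucket, entries in result.items():
        print(bucket, entries)
    print("missing exclusions:", missing_exclusions(result))
```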
Impact
Took the web 20 years to get to 40%
Since Let’s Encrypt launch (2 yrs) another 20%! to 60%!
Let’s Encrypt - How? Create an Account
● Creates a key-pair (all future messages will be signed with it)
● Registers the key-pair with the CA
ACME Client → ACME Server (CA): 1. Hi! I’m [email protected] (signed with $KEY)
ACME Server (CA) → ACME Client: 2. Welcome :)
Let’s Encrypt - How? Get a Challenge
● You tell the CA you’d like to be authorized for example.com
● The CA will give you a challenge to prove you own example.com
ACME Client → ACME Server (CA): 1. How can I convince you I own example.com ?
ACME Server (CA) → ACME Client: 2. Put xa80 at http://example.com/a281/ and sign Xhjz9axzFs (nonce)
Let’s Encrypt - How? Domain Validation
● Once you fulfill the challenge, you let the CA know, and it checks
● If all is well, your account is authorized to manage certs for the domain
ACME Client → Web Server: 0. Put xa80 at /a281
ACME Client → ACME Server (CA): 1. I put xa80 at /a281 (and signed nonce)
ACME Server (CA) → Web Server: 2. GET xa80
Web Server → ACME Server (CA): 3. xa80
ACME Server (CA) → ACME Client: 4. You are now authorized for domain example.com
Let’s Encrypt - How? Certificate Issuance
● Client is now authorized for example.com
● Client sends a Certificate Signing Request to the Server
ACME Client → ACME Server (CA): 1. Please issue a certificate for example.com
ACME Server (CA) → ACME Client: 2. Here’s your certificate
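An added example (not from the original slides) of the challenge and validation steps above in the form ACME's HTTP challenge actually uses: the slides' "xa80 at /a281" becomes a key authorization (token plus a thumbprint of the account key) served under /.well-known/acme-challenge/. The account key, token and function names are constructed for illustration; signing of the ACME messages themselves is not shown, and the web server is stood in for by a dict.

```python
import base64
import hashlib
import hmac
import json
import re

TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")          # base64url alphabet only

# Constructed sample account public key (EC P-256 JWK); x and y are made-up values.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "c2FtcGxlLXgtY29vcmRpbmF0ZS1mb3ItZGVtbw",
               "y": "c2FtcGxlLXktY29vcmRpbmF0ZS1mb3ItZGVtbw"}

def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def key_authorization(token, account_jwk):
    """Value the client publishes: the CA's token bound to the account key."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token must be base64url")
    return token + "." + jwk_thumbprint(account_jwk)

def challenge_path(token):
    if not TOKEN_RE.fullmatch(token):             # rejects '/', '..' and the like
        raise ValueError("token must be base64url")
    return "/.well-known/acme-challenge/" + token

def ca_validate(fetch, token, account_jwk):
    """CA side: fetch the path from the domain and compare in constant time."""
    body = fetch(challenge_path(token))
    if body is None:                              # 404 or connection failure
        return False
    expected = key_authorization(token, account_jwk)
    return hmac.compare_digest(body.rstrip().encode(), expected.encode())

def demo():
    token = "constructed-sample-token-123"        # constructed, not a real token
    webroot = {challenge_path(token): key_authorization(token, ACCOUNT_JWK) + "\n"}
    other_jwk = dict(ACCOUNT_JWK, x="YW5vdGhlci1hY2NvdW50LWtleS14")
    return (ca_validate(webroot.get, token, ACCOUNT_JWK),   # requesting account
            ca_validate(webroot.get, token, other_jwk),     # a different account key
            ca_validate({}.get, token, ACCOUNT_JWK))        # nothing served

if __name__ == "__main__":
    print(demo())
```

Because the published value includes the account key thumbprint, a file placed for one account does not authorize a different account for the same domain.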
Thanks! @sagikedmi
@sagi
sagi.io