encrypt all the things with letsencrypt
play

Encrypt ALL the things with LetsEncrypt Created by : Justin W. - PowerPoint PPT Presentation

Nov 28, 2022 •114 likes •360 views

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin License : CC-BY-SA 4.0 Introduction What is TLS and why do I need it? TLS stands for Transport Layer Security Difference between https and

  1. Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory ➔ Solomon Rubin ➔ License : CC-BY-SA 4.0

  2. Introduction

  3. What is TLS and why do I need it? ● TLS stands for Transport Layer Security ○ Difference between https and http ○ Encrypts communications with web servers on the fly Normally, purchase TLS certificate from Certificate Authority ●

  4. Old problems with getting certificates ● Basic encryption is expensive (especially with multiple subdomains) Most certificate authorities (CAs) focus on identity or organization ● verification ○ Most sites only need domain verification

  5. What is LetsEncrypt?! ● Imagine a world where encryption is everywhere and your online communications are always secure LetsEncrypt offers solution to increase security of the web ○ ● Free certificates ○ Providing only domain verification ■ At zero cost ○ Creates a safer Internet

  6. Key Principles ● Free for anyone who owns a domain Automatic cert issuance through CertBot (by EFF) on web server ● Secure : “LE will serve as a platform for advancing TLS security...” ● ● Transparent : All certs issued and revoked are publicly logged ● Open : Cert management process is published as open source software. Cooperative : Joint effort between multiple organizations and community ●

  7. Who made this happen? I want to see the proof! ● Linux Foundation Sponsored by many large organizations ● Mozilla, Cisco, EFF, Google Chrome, Facebook, SquareSpace, Shopify, Hewlett Packard… ○ ○ Many more

  8. How does it work (Root Cert Propagation) ● LE Root Certificate (ISRG Root 1X) ○ Kept safely offline ○ Propagated through Intermediates LE Intermediate Certificates (All IdentTrust cross-signed) ● X1, X2 - Original Intermediates ○ ○ X3 - Current generation Intermediate X4 - Disaster Recovery Intermediate ○

  9. Crazy Diagram!

  10. How does it work? (Domain Verification) ● Automatic verification via DNS Three modes ● Webroot : Domain verification service looks for file in the public web directory ○ ○ Standalone : Uses ports 80/443 to respond to request from domain verification service Automatic : Plugins for Apache and nginx ○ ● Uses URL / key pairs

  11. Verification Process ● Challenge Sets ○ Adding key to a specific, random URL ○ Verify from LE servers

  12. Getting your certificates

  13. Installation ( Certbot ) ● Nowadays, available in most Linux package repositories ○ If not : Compile from source and run it (all Python underneath) Debian / Ubuntu / Debian-based distributions ● ○ $ sudo apt-get install certbot Red Hat Enterprise Linux / CentOS (via EPEL) ● ○ $ sudo yum install certbot ● Fedora ○ $ sudo dnf install certbot ● Arch Linux ○ $ sudo pacman -S certbot

  14. Issuing certificates : Webroot method ● Webroot uses root directory of your domain to verify domain authenticity ○ Places files in root directory, LE servers check if files are present ○ Most useful when using a CDN or something else in between connections to your servers Run the following command to get your certificate(s): ● $ sudo certbot certonly -m me@example.com --webroot -w /var/www/example.com/public_html/ -d example.com

  15. Issuing certificates : Standlone method ● Standalone uses port 80 / 443 to verify domain authenticity ○ Requires ports 80 or 443 to not already be in use ● Run the following command to get your certificate(s): $ sudo certbot certonly -m me@example.com --standalone -d example.com --pre-hook=”systemctl stop nginx” --post-hook=”systemctl start nginx”

  16. Renewing certificates ● Renewing your certificates is… actually easy Run the following command to get your certificate(s): ● $ sudo certbot renew

  17. Run it in prod!

  18. Writing an nginx conf for ex.io (1/3) server { listen 443 ssl; server_name ex.io; root /var/www/ex.io/public_html; access_log /var/www/ex.io/logs/ex.io_access.log; error_log /var/www/ex.io/logs/ex.io_error.log error;

  19. Writing an nginx conf for ex.io (2/3) ssl on; ssl_certificate /etc/ssl/certs/ex_io/ex_io-fullchain.pem; ssl_certificate_key /etc/ssl/certs/ex_io/ex_io-privkey.pem; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers "SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNU LL:!aNULL"; ssl_prefer_server_ciphers on;

  20. Writing an nginx conf for ex.io (3/3) location / { index index.html index.htm; server_tokens off; } } server { listen 80; server_name ex.io; rewrite ^ https://$server_name$request_uri? permanent; }

  21. Just like that!

  22. Live Demo : nginx Completely and totally unrehearsed. brokenencryptionmakesmecry.jwf.io

  23. Questions? Comments? Suggestions? Justin W. Flory ➔ Solomon Rubin ➔ License : CC-BY-SA 4.0

Recommend

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject

Encrypt All The Things: Implementing App Mobile Security Nathan Freitas @n8fr8 @guardianproject https://guardianproject.info INTENTION vs. EXECUTION The Guardian Project https://guardianproject.info Secure Your Mobile Life Apps &

816 views • 60 slides
Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve

Several possibilities for combination: So far: had cryptographic algorithms to achieve Encrypt-then MAC: encrypt message, then compute MAC of Privacy: use encryption ciphertext. Integrity: use MAC MAC-then-encrypt: First compute MAC, and then

203 views • 3 slides
Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020

Close lid to encrypt Hard disk encryption in Linux suspend mode Tim Dittler FOSDEM, 02.02.2020 Whats Close lid to encrypt? Project by Jonas Meurer and me Freelancing systems engineers living in Germany Full-disk encryption

397 views • 16 slides
Why Encrypt Data? We have already discussed authentication and access control as means to

Why Encrypt Data? We have already discussed authentication and access control as means to

Security in Outsourced Databases II Outsourced Databases II (Query Processing on Encrypted Data) Disks replaced Data worthless if encrypted Customer Credit for maintenance Card Number Laptops stolen Backups lost p 1 Why Encrypt Data?

759 views • 19 slides
Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25

Why (Special Agent) Johnny (Still) Cant Encrypt: A Security Analysis of the APCO Project 25 Two-Way Radio System Sandy Clark | Travis Goodspeed | Perry Metzger Zachary Wasserman | Kevin Xu | Matt Blaze Usenix 2011 P25 Modulates voice

147 views • 14 slides
Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt

Exercise: Encrypting and Decrypting with RSA In this exercise, you will encrypt and decrypt numbers using a simple version of the RSA algorithm. Each team should have two members. Each team-member should complete the exercise as Bob, then pass

229 views • 4 slides
No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2

. . . . . . . . . . . . . . No domain left behind is Lets Encrypt democratizing encryption? M. Aertsen 1 , M. Korzyski 2 , G. Moura 3 1 National Cyber Security Centre The Netherlands 2 Delft University of Technology The

292 views • 18 slides
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1

POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Bck https://hboeck.de 1 INTRODUCTION Hanno Bck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project , funded by Linux Foundation's Core

1.09k views • 46 slides
Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the

Revelation 1:19 Write the things which you have seen, and the things which are, and the things which will take place after this. Revelation 4:1 After these things I looked, and behold, a door standing open in heaven. And the

438 views • 30 slides
No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej

No domain left behind: is Lets Encrypt democratizing encryption? Maarten Aertsen 1 , Maciej Korczy nski 2 , Giovane C. M. Moura 3 , Samaneh Tajalizadehkhoob 2 , Jan van den Berg 2 1 National Cyber Security Centre The Netherlands 2 Delft

423 views • 21 slides
Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel

Lets Encrypt as a Startup Success Story Security and Ops and Encrypting the web Daniel Jeffery Linux Foundation Why HTTPS? As our dependency on the internet has grown, the risk to users' privacy and safety has grown along with it.

746 views • 40 slides
tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by

tcpcrypt Mark Handley What would it take to encrypt all the traffic on the Internet, by default, all the time? Crypto 101: Encryption without authentication is useless. Encryption without authentication is like meeting a stranger in a

813 views • 31 slides
Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT)

Securing the Web of Things Andrei Sabelfeld @asabelfeld Web of Things Internet of Things (IoT) Incompatible standards, platforms, technologies World Wide Web Consortium (W3C) is in a unique position to create the royalty-free and

273 views • 15 slides
On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G.

Motivation The Attacks Concluding Remarks On the (In)Security of IPsec in MAC-then-Encrypt Configurations Jean Paul Degabriele Kenneth G. Paterson Information Security Group Royal Holloway, University of London CCS 2010 Jean Paul

930 views • 68 slides
Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU

Why Can't Online Social Networks Encrypt? Ero Balsa , Filipe Beato, Seda Grses KU Leuven NYU W3C Workshop on Privacy and UserCentric Controls 1 20-21 November 2014, Berlin << Facebook has been able to deploy end-to-end encryption

429 views • 10 slides
Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan

Cybersecurity Considerations for Telework Security for Enterprises Enterprise Planning Plan telework-related security policies and controls based on a zero-trust model. Encrypt client devices storage, encrypt all sensitive data stored on

371 views • 9 slides
Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of

Hebrews 6:9, But, beloved, we are confident of better things concerning you yes things of better things concerning you, yes, things that accompany salvation, though we speak in this manner. Hebrews 6:10, For God is not unjust to forget

739 views • 41 slides
Shai Halevi IBM CRYPTO 2011 Wouldnt it be nice to be able to Encrypt my data before

Shai Halevi IBM CRYPTO 2011 Wouldnt it be nice to be able to Encrypt my data before

Shai Halevi IBM CRYPTO 2011 Wouldnt it be nice to be able to Encrypt my data before sending to the cloud While still allowing the cloud to search/sort/edit/ this data on my behalf Keeping the data in the cloud in encrypted form

956 views • 60 slides
9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception

9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception

9/6/20 Exceptions: What to do when things go bad IO: Where things often go bad 1 An exception is an object describing unusual or erroneous situation Division by 0 in computing expression (ArithmeticException) Array index out of bounds

371 views • 8 slides
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin Orange Labs

How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin Orange Labs

How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin Orange Labs ICALP 2008 July 9, 2008 intro LPN problem LPN-C security parameters conclusion the context the authentication protocol HB + by Juels and

708 views • 21 slides
LETS ENCRYPT Olivier Yiptong oyiptong@mozilla.com PRIVACY MATTERS PRIVACY MATTERS: HTTPS

LETS ENCRYPT Olivier Yiptong oyiptong@mozilla.com PRIVACY MATTERS PRIVACY MATTERS: HTTPS

LETS ENCRYPT Olivier Yiptong oyiptong@mozilla.com PRIVACY MATTERS PRIVACY MATTERS: HTTPS Con fi dentiality Data Integrity Authentication NO PRIVACY: HTTP Public-only communication (Possibly?) Tampered messages Of

244 views • 23 slides
Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt

Responsible Behavior http://xkcd.com/364/ Lab: Alternate CTR mode Suppose we use encrypt using the following formula: C i = P i E(K, IV+i) Is this secure? Why or why not? If so, how does this relate to CTR mode? If not, what

935 views • 48 slides
Lets Encrypt October 11, 2018 Justin Sun Padlock icon Your browser is communicating

Lets Encrypt October 11, 2018 Justin Sun Padlock icon Your browser is communicating

Introduction to Lets Encrypt October 11, 2018 Justin Sun Padlock icon Your browser is communicating securely with the nejug.org through an encrypted channel Your browser trusts nejug.org because the NEJUG website has a certificate

270 views • 15 slides
Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview

Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview

Getting Things Done Der Antiverpeil Talk 2007-12-29, Berlin Getting Things Done Overview Introduction The Problem: Why Things Are on your Mind The Idea: Outsource your Brain Methodologies Tools Getting started Chaos

451 views • 23 slides

More recommend