Introduction to Let’s Encrypt October 11, 2018 Justin Sun
Padlock icon • Your browser is communicating securely with the nejug.org through an encrypted channel • Your browser trusts nejug.org because the NEJUG website has a certificate • The certificate is valid – not expired and not revoked • The certificate is signed by a Certificate Authority (CA) that your browser trusts
Certificates and Certificate Authorities When you visit a website over a secure connection, the website presents your browser with a digital certificate. This certificate identifies the hostname of the site and verifies the site owner. Certificates are issued to website operators and signed by a Certificate Authority (CA). The proof of identity represented in a Certificate may be trusted by the user as long as the user trusts the Certificate Authority. Modern operating systems typically ship with over 200 trusted CAs, some of which are operated by governments. Today’s model requires all users to trust that the hundreds of CA organizations correctly issue certificates... Source: https://transparencyreport.google.com/https/certificates
Let’s Encrypt • Free: Anyone who owns a domain name can use Let’s Encrypt to obtain a trusted certificate at zero cost. • Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal. • Open: The automatic issuance and renewal protocol will be published as an open standard that others can adopt. Source: https://letsencrypt.org/about/
Automatic Certificate Management Environment (A (ACME) • Protocol for interacting with a CA • Verify that applicant owns a domain • Issuance of the certificate Source: https://ietf-wg-acme.github.io/acme/draft-ietf-acme- acme.html#rfc.section.6.1
Using Let’s Encrypt • Domain owner provides proof of ownership of a domain • Let’s Encrypt verifies information submitted • If verification is successful, the domain owner can create a new certificate, good for 90 days
How it works – Domain owner • Verify domain ownership – File or DNS change • Verify keypair ownership – Sign nonce Source: https://letsencrypt.org/how-it-works/
How it works - CA Source: https://letsencrypt.org/how-it-works/
How it works – certificate operations • Create certificate • Renew within 30 days of expiration • Revoke certificate
Growth Date Certificates issued March 8, 2016 1 million April 21, 2016 2 million June 3, 2016 4 million June 22, 2016 5 million September 9, 2016 10 million November 27, 2016 20 million December 12, 2016 24 million June 28, 2017 100 million August 6, 2018 115 million September 14, 2018 380 million Source: https://en.wikipedia.org/wiki/Let%27s_Encrypt
How many certificates have been issued?
Resources • Let’s Encrypt Website: https://LetsEncrypt.org • Wikipedia entry: https://en.wikipedia.org/wiki/Let%27s_Encrypt
Recommend
More recommend