SSL All The Things

Video in TIB AV-Portal: SSL All The Things

Formal Metadata

SSL All The Things
CC Attribution - ShareAlike 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

Over the last few years SSL/TLS encryption of not only websites but many other services as well has risen tremendously. The Let’s Encrypt organization and certificate authority (CA) makes that pretty easy. Since September 2015 almost 1.8 million certificates have been issued. And you can use it, too. For free! In this talk I'll demonstrate how to integrate SSL/TLS and point out some common pitfalls. I’ll briefly lay out the Let's Encrypt ACME protocol and explain what you need to set up in Django to make SSL/TLS the default and only way to access your site.
thought of it and it is it thank you the analysis using a 5th of the and 1 out my
mora to train of thought and think 2014 when I pick up the other part in their migrations from some work that was about to be released and in 2015 the core team decided they were too lazy to merge my pull request and made me do it myself which make the and that's the 15 since April I'm working as a senior staff engineer later the in in a and we try elaborate Hadamard on purchasing and selling of goods and more easy use the entire idea behind processes that is to be really really convenient for use that as a kind of all mentions to fight digital goods and the idea behind which is also part of the name is yourself 1st and a later similar when there the rate when you go into a restaurant and order dinner the now back to the topic SSL all the things the ever since Snowden revealed that the NSA is well on all of us and that's bad this is security and the US for security increased pretty much especially over in Germany where we have a really huge and high data security and privacy then the and that applies to many other European countries as well and while that's a response public for example in public the unencrypted Wi-Fi support rap people might be able to wiretap on the net for communications you have which might be using main communication you have and depending on how the most of set up for applying to set up this might be the business e-mails way reveal that purchase or whatever other class because the company the and well you don't want this 1 DO NOT the coffee next or or any other the person who is in the can feed to be able to wiretap on your communication and yeah so there some need for encryption there I mean you also don't want internet service providers to inject advertisements into your website which is otherwise ad free so this is something that happens we have that in Germany which is really scary and the but that of user experience and not to mention from a security perspective that is really awful but as well but before we go into any details I need to 
tell you something more this a disclaimer I'm not a cryptographer and the only examples like you feel that to the best of my knowledge if I don't know something I've talked to people I'm trusting that know more about the stuff that I and often they're all their opinion which still means we all human and there might be errors in them clearly our if there's something it is about what something in the slide that's clearly wrong please talk to me after this slide after the talk about and I will update the and slides a property before I publish them and this talk will not cover everything you know about this is you need to know what SSL/TLS and that would be too much for 1 talk and would probably be done enough for an entire conference also if you think of SSL here as a sound you as I have probably always mean as of being just the common term for both of them SSL 2 and 3 are broken who use them TLS 1.0 and 1.1 are discouraged and you probably should not use them you but that is better than as now and Future looking cryptographers at Google came up with the implementation of a post-quantum cryptographic algorithm a couple of days or weeks ago which is called New Hope it's not the novel SSL stands for Secure Sockets Layer TLS for Transport Layer Security but no this is just the words example cryptographic protocols for communication systems most notably that works the and if you don't them provides 2 out of 3 parts of the topic of information security the first one being confidentiality which is provided through encryption which means nobody else can read what is being transmitted the other 1 is integrity which is provided through signing which means nobody else can change what that without the receiver noticing the third of information security is availability which is something you need to handle on different layers for example scaling and and redundancy in the service but this is something these 2 protocols cannot provide well known 
that general we order all most of the things we do a thing with these this ball websites let's start with talking about what he needs to do to you it website right and this is obviously a that's ever then maximal configuration is something you it which is the 1st step we want later client where they browse the use of the browser of the user speaks SSL was when when talking to your website so let's look at what you need to final configuring about server to make it as a looking up at once and get it up and running and well let's start with Apache here because comes 1st in the alphabet you need to switch on the SSL engine which happens with this line then you wanted to find such which is something I took from cycle is I'm a 1 of those websites that provide security standards and recommendations you wanna make sure that also this this I the connection between the client and the server is going to use the services you want to look at the client wants because maintain would mean the client is able to all somebody might be able to and reducing and security of that connection and well you also want you not use as as Alison before Apache 2.4
already disables this is of true by the forward or doesn't even supported anymore so excluding SSLv3 might be just enough and what it well you might also wanting what exclude 1.0 and 1.1 and well then you define the server key and the server certificate and last of these there's a thing called Diffie-Hellman parameter which is used for the initial key exchange between the browser and and over and setting a customer and there is also a really good idea when you look at this is at the at the nginx configuration well they're pretty much looks the same now a question arises when the how do we get this certificate from that I was just talking about and this is where Let's Encrypt comes into play what the heck is Let's Encrypt you might ask yourself and how does this entire solving works anyway and well this is a huge complex topic that tried to break down in in this talk and let's start
off with how as SSL or how the how to pick out as a client policy browser now that the communication and does the servers actually trustworthy and with for that but let's start with what CA celsius stands for the certification of what the certificate authority and these trusted entities all browsers rely on in order to establish so a good chain of trust browsers or mail clients on any other kind that has encrypted communication with the with the server at the pre-installed lab preinstalled list also conclude certificates and this list is operated by the browser e-mail vendors mankind as such as low as that and they have this list is trusted by them and is called the so-called trust store certificate authorities then go ahead and only sign so-called intermediate certificates which are then used to 2 sides of the certificate you use for your website for example they not signing yup website or that your certificate with their roots that again but with an so certificate in between and we can see the reason for that when you look to the right of the root CA 2 and 3 work as you can see it would theory 3 is not in the trust store so browsers won't necessarily trust the intermediate certificate that this was signed by that's a fantasy A however if the 2nd CAD the so good profit across this intermediates of the forget yet the chain of trust from you over there the so the certificate would use on a server and well the connection is president and while Let's Encrypt is 1 of the certificate authorities that not trusted In all modern trust stores at least not yet and so well they have some other CA that trust members support in and that interest end since Let's Encrypt has some control over there an intermediate certificate they can still sign whatever type that once and your browser is going to trust that this is probably a good idea is not necessarily a good idea but even some security measures back and and background this is probably a good idea in this and this uh this column context 
and well Let's Encrypt offers an API to depends much unlimited certificates for the domain you had that is under your control and and I O controlled means they need to be able to provide something on port 80 prior to the by now Let's Encrypt provided more than 5 million certificates and the set up like one-half 2 years ago which is pretty impressive now let's look at the process in which you get 1 of those certificates and this process is called ACME Automatic Certificate Management Environment it's a fairly simple JSON API with some complementary but I'm not going to do that in detail but the entire process only has like 4 steps and the 3 things you need for this process 1 being an account key which is something that you need to offer rate that you use to authenticate yourself on your server against then that's interesting a certificate the certificate which is the 1 you put in your Apache and nginx configuration and the certificate signing request which includes all the domains you want to see the sign in your certificate those the API starts with well the and this is my key um please reduce the mean and or authenticate me if I'm boring you register it can provide to e-mail address for example they are epigenomic cell certificate is going to them to expire but this is this policy and this is a certificate signing request that you send over and as a response Let's Encrypt is going to provide you with a bunch of challenges these challenges you're writing to a web server by 3 and provided name on but the provided with a specific content let's introduce like and so In the next step in this the that you have here Italian X include OK and I'm I forgot all the challenges and this and that is going to request all those challenges on those domains by port 80 what just that said when you have control over the domain you are able to provide content under certain domain if you don't have to content but if you don't have to control of that domain you can provide the content 
which means this status so this secure and velocity you request the certificate from that central once all that's a cryptic all the challenges and that's pretty much all the magic of the things about well this is the best configuration of how you would include the following would define the challenge directory for example so this this on that going to request something on land on ACME challenges this is a directory of path and the well you have to provide and everything else it's pretty much expert explained in there and well just for completion the same for nginx now that we know how to how Let's Encrypt is working how do we actually use it and well there's the official client which does all the magic literally it rewrites so Apache config if you wanted to and well they are also working as Western along the implementation for nginx and well while this might be a good idea for people who have just stop so management this is probably a bad idea for enterprises and which 21 in Information System Management words for reasoning there is so watch my talk from 2015 is like in Australia and that's a script called acme-tiny by Roesler which is like 200 lines of Python it's easy to understand and to and it does exactly those forces that they should be for it's a real recommended recommendatory and if you wanna look at the start looking at let's this this is a really good idea of how it's working and I think that's uh project and edit system gives support and a few other things and if this expect implementation doesn't work for you well go ahead for it and just as you want there's also a bunch of other tools for example letsencrypt-aws by Alex Gaynor which has names that suggest that supports for implements AWS support there's a tool called property by Emma Brown which is the reverse proxy which just ask all the magic is only defined the maintenance nothing else and well this is the
script we use that's a useful my websites and we use a genome project you provide the information I said he needed and be done with it around this every what level of every month or so the certificates provided by Let's Encrypt have a maximum or if a lifetime of 90 days but also means that in case something happens you know you lost for 90 days but then of the certificate is invalid anyway and nobody can then use it being a channel comes basically not much we need to do just in to make this is a work best 1 thing or 2 things you might wanna just for I recommend you want to just which is the good of the secure settings fall to the case which is the session cookie and this is I OK and also you probably don't wanna on their website on it the and it's the best only mention this if you wanna go into further details on what things you could possibly say that we have a look at this on this list of features then supports I'm out of the box in in terms of SSL it's a lot of features that you probably would use nginx or actually would not do in general but as part of the reverse proxy in the from the front and well let me go through those things in the next couple of minutes Let's Encrypt certificates as briefly mentioned on live have all valid for 90 days if you use them or if they are compromised you can revoke them by an API call same applies for your account key if you use that you can change that and the safe again if you lose your certificate key well this is the same as if you have if the certificate is compromised is should get a news he getting users and signing requests that a new certificate and you like well you probably won't revoke the key as well but yeah then as a thing called HSTS or HTTP Strict Transport Security which means your browsers after the 1st with visits to the edge of the is only ever going to request need to be as wasn't off the and not even trying it pp remains if you turn it on and turn it all and there's a there's there's 
L then all the climates the roles of that went to the website before cannot exist anymore because you don't have SSL anymore so if you enable HSTS about what you do that this is another what it wikipedia HTTP Public Key Pinning which workers this lattice separate level it's probably not true useful for most people on the other when you have like a really big of an organization or company and all subjects to gain as a text so 8 has the same drawbacks as HSTS not ever gonna BAT your clients won't be able to connect view In this changes so if you if you use the the confirmation that you can use I'm mentioning you can use that include the the certificate provided by Let's Encrypt for any kind of other services that users as of now by just providing a service that answers that supplies these challenges on port 80 for that domain president if you get a certificate for that domain for the where ever you use and another for example I use it myself for Wise on IRC bouncer well being of cryptography things can go wrong and things can go horribly wrong and there's no finance list of things that but there are HSTS and HPKP if you want to use it please be aware of the down sides and what could possibly happen and how you know how how that you can break your site but the you probably want to use it the this is kind of a trade of speaking off cryptography you have keys and well occasionally you probably yeah you will leak a key the all hopefully only about lots of well hopefully never but it's going to happen happen to everybody and and it just so you want be able to you not want to have a process in place to revoke keys and as before Let's Encrypt has that implemented and has the future them just be a well they 1 how you can do that people say as pesticides or that he has that use lots more of resources yes of course it doesn't need more resources in computation power but honestly that doesn't really matter if any of being more or less modern hardware 
so let's say the last 4 years you for a dominant recognizes users with incomplete list of sources the first one was pretty much the 4th of a list of the would become and recommendation for is the Cyprus and use while this is a configuration you might wanna use the 2nd 1 is probably you go to page if something with as a confirmation of broke but if you wanna see how good or bad you the idea Web services seriously this is the like the reference true from my perspective far it's my SSL set up correctly and then there's a couple of blog posts and other resources of how to use or not use as as well thank you few lead you 100 times his mentioned that he questioned these can and and make the agreement is is it in a minute the they we go I don't know if you turn on the secure cookies I Q matter questions 1 How does runs around all that and q if you have to share your cookies from Django with a legacy code base with legacy code basic Roger domain as a ColdFusion how does that work as well 1 you don't so which is the reason why I have the the 1 I had the environment
governments in here so this is something you understand production but you don't wanna use and development because development is not gonna work unless it's a local SSL set up which is kind of a pain but the other 1 I didn't really get but if I have a domain say work nite you bend that you with subdomains like bigger about word that you bend that EU and ColdFusion that word that you that EDU how do I share a cookie across work that you and I Eurosecurities it so work across the entire domain if you set a cookie for about work that you cannot EDU and not the actual server I'm not too sure to be honest look at the then we got the documentation to 3 and a half of it it's not this is probably a topic you something you should add to the documentation is a possible problem and thus prince this ticket and possibly that
will somebody should we do like Interpol go grab just committed by gender secretly that's all you hear a hanky my questions for similar to the last 1 but a different case of let's say you you know so what to use a bunch of vendors and possibly added uh servers analytics vendors and they're not running on HTTPS i any suggestions on how you can still protect your site or is it just I has in getting that's company or etched networks that provide SSL then there's not much you can do except for you live with 0 yes I users insecure content or not used as a self am might even an hour on this side of line sight is insecure content often people used to use at workers and it is not longer Condon and and and honestly that that's not much you can do that is the major at works as far as I Cyrus the couple of weeks ago the out slowly moving over from food to it the edges uh to which UBS small but this this yes or but I was wondering if you use the Let's Encrypt built-in certbot utility and if there's any advantages of using the the tiny hints that and the Let's Encrypt's official client does too much magic from my perspective I phoneme on my students to get my certificates and give with the rest must myself or with 2 is that I mentioned you that so you know I haven't used anything else that need 1 moon and consumed in the few Ch it it thank you
you see this and