Lets Encrypt Minting Free Certificates to Encrypt the Entire Web

Video thumbnail (Frame 0) Video thumbnail (Frame 1142) Video thumbnail (Frame 3067) Video thumbnail (Frame 4193) Video thumbnail (Frame 5787) Video thumbnail (Frame 7323) Video thumbnail (Frame 8405) Video thumbnail (Frame 9820) Video thumbnail (Frame 11614) Video thumbnail (Frame 13097) Video thumbnail (Frame 14512) Video thumbnail (Frame 15607) Video thumbnail (Frame 17307) Video thumbnail (Frame 18837) Video thumbnail (Frame 20377) Video thumbnail (Frame 21538) Video thumbnail (Frame 22557) Video thumbnail (Frame 27659) Video thumbnail (Frame 29280) Video thumbnail (Frame 31932) Video thumbnail (Frame 33087) Video thumbnail (Frame 34141) Video thumbnail (Frame 38792) Video thumbnail (Frame 45868) Video thumbnail (Frame 47012) Video thumbnail (Frame 48013) Video thumbnail (Frame 49127) Video thumbnail (Frame 50232) Video thumbnail (Frame 51243) Video thumbnail (Frame 52738) Video thumbnail (Frame 54043) Video thumbnail (Frame 55888) Video thumbnail (Frame 57542)
Video in TIB AV-Portal: Lets Encrypt Minting Free Certificates to Encrypt the Entire Web

Formal Metadata

Lets Encrypt Minting Free Certificates to Encrypt the Entire Web
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Let's Encrypt is a new certificate authority that is being launched by EFF in collaboration with Mozilla, Cisco, Akamai, IdenTrust, and a team at the University of Michigan. It will issue certificates for free, using a new automated protocol called ACME for verification of domain control and issuance. This talk will describe the features of the CA and available clients at launch; explore the security challenges inherent in building such a system; and its effect on the security of the CA marketplace as a whole. We will also update our place on the roadmap to a Web that uses HTTPS by default. Speaker Bios: Peter Eckersley is Chief Computer Scientist for the Electronic Frontier Foundation. He leads a team of technologists who watch for technologies that, by accident or design, pose a risk to computer users' freedoms—and then look for ways to fix them. They write code to make the Internet more secure, more open, and safer against surveillance and censorship. They explain gadgets to lawyers and policymakers, and law and policy to gadgets. Aside from Let's Encrypt, Peter's other work at EFF has included privacy and security projects such as Panopticlick, HTTPS Everywhere, SSDI, and the SSL Observatory; helping to launch a movement for open wireless networks; fighting to keep modern computing platforms open; and running the first controlled tests to confirm that Comcast was using forged reset packets to interfere with P2P protocols. Peter holds a PhD in computer science and law from the University of Melbourne. James Kasten is a PhD candidate in Computer Science and Engineering at the University of Michgan and a STIET fellow. James is also a contractor at the Electronic Frontier Foundation. His research focuses on practical network security and PKI. James has published on the state of TLS, its certificate ecosystem and its vulnerabilities. Most notably, James has helped design the protocol and launch the technology behind Let's Encrypt. Yan is a security engineer at Yahoo, mostly working on End-to-End email encryption and improving TLS usage. She is also a Technology Fellow at EFF and a core developer of Let's Encrypt, HTTPS Everywhere, Privacy Badger Firefox, and SecureDrop. Yan has held a variety of jobs in the past, ranging from hacking web apps to composing modern orchestra music. She got a B.S. from MIT in 2012 and is a proud PhD dropout from Stanford. Yan has been a speaker at HOPE, DEFCON 22, jQuerySF, Real World Crypto, SXSW, and various other human gatherings. She is @bcrypt on Twitter.
Web 2.0 Transport Layer Security Projective plane Encryption Student's t-test Information security
Web page Default (computer science) Information Personal digital assistant Multiplication sign Password Website Instance (computer science) Login Landing page Automatic differentiation
Wiki Web 2.0 Process (computing) Arm Multiplication sign Videoconferencing Perturbation theory Instance (computer science)
Videoconferencing Website Office suite Freeware
Spherical cap Website Computer-assisted translation Public key certificate
Email Website
Real number Gradient Address space Field (computer science)
Randomization Email Electronic mailing list Web browser Computer-assisted translation
Email Process (computing) Link (knot theory) Videoconferencing Website Public key certificate Error message Proxy server
Graphical user interface Server (computing) Process (computing) Hash function Blog Cellular automaton Multiplication sign Expert system Configuration space Website Public key certificate Metropolitan area network
Point (geometry) Group action Server (computing) Configuration space Website Table (information) Login Metric system Cryptanalysis
Scripting language Trail Default (computer science) Channel capacity Block (periodic table) Server (computing) Transport Layer Security Web browser Computer font Internetworking Personal digital assistant Mixed reality Public-key infrastructure Encryption Lenovo Group Configuration space Energy level Website Data Encryption Standard Right angle Hacker (term) Information security Plug-in (computing)
Email Link (knot theory) Dependent and independent variables Server (computing) Software developer Online help Web browser Interprozesskommunikation Data management Graphical user interface Software Histology Website Extension (kinesiology) Information security Physical system
Domain name Web 2.0 Graph (mathematics) Mapping Internetworking Projective plane Authorization Self-organization Web browser Public key certificate Routing
Machine vision Authorization Digital signal Encryption Information security Public key certificate
Machine vision Web-Designer Projective plane Website Information security Information security Public key certificate Machine vision Usability Vulnerability (computing)
Domain name Game controller Server (computing) Link (knot theory) Firewall (computing) System administrator Virtual machine 1 (number) Set (mathematics) Port scanner Public domain Client (computing) Public key certificate Number Web 2.0 Cryptography Bootstrap aggregating Root Internetworking Authorization Proxy server Information security Address space Task (computing) Authentication Domain name Addition Email Key (cryptography) Validity (statistics) Public domain Bit Knot Cryptography System call Demoscene Type theory Uniform resource locator Bootstrap aggregating Software Website Communications protocol Row (database)
Domain name Multiplication Server (computing) Service (economics) Validity (statistics) Public domain Bit Mereology Flow separation Revision control Direct numerical simulation Internetworking Query language Data center Router (computing) Monster group Information security Multiplication
Domain name Domain name Existence Key (cryptography) Validity (statistics) Projective plane Set (mathematics) Database Bit Client (computing) Cryptography Public key certificate Public-key cryptography Number Personal digital assistant Authorization Website Router (computing) Annihilator (ring theory) Physical system
Authentication Complex (psychology) Mechanism design Mathematics Server (computing) Transport Layer Security Configuration space Client (computing) Endliche Modelltheorie Perturbation theory Client (computing) Connected space
Focus (optics) Web-Designer Projective plane Website Quicksort Information security
Suite (music) Group action Multiplication sign System administrator 1 (number) Set (mathematics) Public domain Client (computing) Parameter (computer programming) Public key certificate Computer programming Web 2.0 Computer configuration Encryption Automation Information security Email NP-hard Constraint (mathematics) Electronic mailing list Computer configuration Website Information security Point (geometry) Server (computing) Virtual machine Mass Computer animation Revision control Goodness of fit Robotics Authorization Renewal theory Proxy server Traffic reporting Task (computing) Default (computer science) Domain name Authentication Dependent and independent variables Server (computing) Content (media) Planning Client (computing) Incidence algebra Personal digital assistant Function (mathematics) Mixed reality Rewriting Spectrum (functional analysis)
Axiom of choice Scheduling (computing) Group action System administrator Execution unit Set (mathematics) Client (computing) Public key certificate IP address Computer programming Software bug Mechanism design Computer configuration Flag Information Information security Physical system Personal identification number Broadcast programming Data storage device Database transaction Bit Self-organization Website Encryption Quicksort Information security Asynchronous Transfer Mode Point (geometry) Server (computing) Online help Web browser Login Event horizon Code Power (physics) Number Revision control Internetworking Operator (mathematics) Software testing Task (computing) Form (programming) Default (computer science) Dependent and independent variables Multiplication Validity (statistics) Key (cryptography) Projective plane Plastikkarte Planning Incidence algebra Backup
Web 2.0 Demo (music) Demo (music) Encryption Client (computing) Hacker (term) Computer font Entire function
Meta element Structural load Graph (mathematics) Login Client (computing) Bit Client (computing) Generic programming Plastikkarte Code Writing Data management Integrated development environment Information Logic gate Virtual reality Physical system Address space Point cloud
Encryption Website Cryptography Computer icon
Server (computing) Mathematics Structural load Multiplication sign Encryption Login Encryption Client (computing) Physical system Address space
Server (computing) Sign (mathematics) Demo (music) Transport Layer Security Encryption Configuration space Directory service Figurate number 2 (number) Renewal theory
Root Validity (statistics) Hacker (term) Directory service Public-key cryptography Public key certificate
Writing Server (computing) Stress (mechanics) Configuration space Directory service Moving average Website Information security Asynchronous Transfer Mode
Authentication Server (computing) Demo (music) Computer file Server (computing) Maxima and minima Directory service Directory service Public key certificate Code Web 2.0 Data management Mathematics Root Internetworking Right angle Encryption Website Alpha (investment) Game theory Physical system
Axiom of choice System administrator Source code Client (computing) Information privacy Direct numerical simulation Sign (mathematics) Computer configuration Different (Kate Ryan album) Encryption PLS (file format) Information security Identity management Physical system Namespace Block (periodic table) Electronic mailing list Bit Instance (computer science) Electronic signature Category of being Telecommunication Order (biology) Moving average Quicksort Web page Point (geometry) Online help Code Computer icon Number Session Initiation Protocol Goodness of fit Bridging (networking) Phishing Term (mathematics) Authorization Metropolitan area network Default (computer science) Demo (music) Content (media) Plastikkarte Basis <Mathematik> Limit (category theory) Loop (music) Integrated development environment Software HTTP cookie Collision Window INTEGRAL Euler angles Multiplication sign Decision theory Direction (geometry) Design by contract Set (mathematics) Public domain Parameter (computer programming) Public key certificate Web 2.0 Strategy game Bit rate Flag Endliche Modelltheorie Data conversion Position operator Electric generator Connected space Type theory Website Configuration space Right angle Encryption Domain name Server (computing) Functional (mathematics) Service (economics) Divisor Transport Layer Security Web browser Revision control Causality Internetworking OSI model Software testing Angular resolution Proxy server Game theory Task (computing) Module (mathematics) Installation art Domain name Validity (statistics) Projective plane Planning Configuration management Communications protocol Local ring
so I'm yawns ooh I am a security engineer at Yahoo by day and by other days because I don't really work at night I'm a technology fellow at the Electronic Frontier Foundation I'm Peter Eckersley I allayed the technology projects team at uff hi I'm James Kass and I'm a technology fellow at the eff eff and a PhD student at the University of Michigan Hey so whoo yours excited to encrypt the entire web I like the energy okay so what are some problems in the world today other than global warming child hunger and all that another problem TLS is not ubiquitous and it's 2015 a for
instance last summer when I went to Korra this was actually the last time I ever logged into Korra I noticed their login page was just served over a plain HTTP which is already bad but also opened up dev tools and lo and behold the passwords were actually being sent over clear text this is pretty bad if you are a sight worth millions of daily active users but actually in Korres case their purpose is kind of the spread or misinformation about various topics so maybe a man-in-the-middle I don't know
but there's also just a little site called Google I don't know if you've heard of it raising hands if you have so Google's been pretty good at SSL but some pages like this one which is the landing page for Google Ads still over HTTP by default now you might say okay that's fine it's just like a static page it's all public information no user data but a man-in-the-middle such as myself kenan checked a button that says login and make it look really lifelike and googly and all that and an unsuspecting user will click it where i will redirect them to my phishing site and they'll enter their credentials so because they don't use you could pick widows HTTP this is still a problem and that's why we can't have nice things yet a second big problem of the world is
that setting up TLS is still really tedious even in 2015 who here has this process recently yeah a lot of you so you know how bad it is right I still
have one arm at least H what's hot for instance if you want to do this on creme host you go to their web wiki and it's a 12 step process and you're not an Alcoholics Anonymous yet but it's still 12 step process ridiculous so how long
but so I'm pretty experienced and doing this but how long does it take a total newbie to set up SSL for the first time well I made a little video with some my
co-workers from PFF so I basically went around the office and I asked some people can you set up TLS and they've they had none of them had done it before so hopefully does it work
oh hello Parker what are you doing today
just gonna try to set up HTTPS on my website that sounds fun yeah can we tell me about the fun video that's okay yes quick okay I okay wow I didn't think that was gonna be clickable no kidding it's a hundred percent free so where do i how do i how do I do this free okay
click the wizard well guess we're not
gonna do that today okay you're probably stopped rolling that's uh so then I went
to someone else and here we have no one making sure you can get female webmaster at cap planet cat which will need later to set up and that's the soul certificate except you forgot this past week hopefully not all
right three minutes later what's up Noah nine hours you don't ever you all works we started already is yeah we're totally filming this yeah so because Noah has not figured out how
to get mail he is going to get coffee instead what's going on with his email
this is the website you need to get
secure no kidding
free like that's not clickable that's like it's expressly I want expressly all
fields are required no sports so I really have to give them my real home address I grade meeting the high grade
it's fine and all of this I take them to sign that congratulations
okay cat planet calm no kept on my cat where's doc cat on this list
what master yeah I got that
okay taking a while taking a while what
does this mean generally free of charge handling fee but where's my the attached where's my sister free why do I have a random congratulation email where is it this is in my browser Oh Here I am still
waiting for the email with my certificate I got a thank you email which maybe points me to an account maybe has my certificate in the link but I have a proxy error from their website when I try to go to it yeah after an hour and multiple tries no certificate
I'm sorry I was such a sad video I hope people have tissues and you're able to cope with this after some therapy so the whole process of doing this took us several hours due to various mistakes we were making and all that that's pretty unacceptable all right so let's assume
that went perfectly and we got our certificate now we have our certificate and we want to set up as a cell on our server um but as this all configurations
really confusing so a few years ago people were saying oh our c4 is fine it's very efficient it's fast but now in 2015 experts like Nick from CloudFlare are saying we need to kill our c4 another example cromoz sunsetting saw
one because it's not secure and sooner or later you if your site to use as sha-1 hashes and a certificate chain you'll be displayed as insecure in Chrome and Firefox so I even think we
should make a movie called the sha-256 redemption it's about a man who who is mistakenly accused of using sha-1 on his website and gets fired from his assignment job and meets Morgan Freeman and spends all this time convincing people he actually is sha-256 in theaters next fall other examples so
like even later and a fall people said we should disable SSL v3 now okay so now SSL v3 is off the table and then there's
log jam and log jam means you have to generate your own diffie-hellman group and you know the point is if you're not
paying attention to this stuff you can fall behind and your SSL configuration will be horribly insecure if you use a config audit tool like SSL labs it'll just give you an F as cryptanalysis attacks get better and so forth but like will notice that let's encrypt org is getting an A+ it's actually one of the best sites that SSL labs has seen recently by their metrics what's up yeah sorry I did that
anyway but we so you know you we use the
latest recommended ciphers from ayran risk book which opened a plugin for right
here right but the problem is most people don't have the capacity to keep track of one day should be changing their SSL configurations and so we end up with kind of broken broken encryption on the internet a problem for mixed
content blocking so this is keeping a lot of people from transitioning to full HTTPS mixed Kanto blocking is when your
site is over SSL but you're loading all these resources from HTTP so browser says okay we need to keep the user at the HTTPS secure level so we're gonna block HTTP resources that you try to load and so your sites just broken if you load scripts from HTTP you know in the case of Lenovo which I checked out a few nights ago it's available over HTTPS but they can't load their fonts yet over HTTPS so by default you're gonna use HTTP so who here uses HTTPS Everywhere
Wow awesome Peter and I work on maintaining that browser extension so if you use HTTPS Everywhere in Chrome you can go to a website and actually see what resources could potentially be written at HTTPS so this is a pretty useful developer tool if you're trying to convert your site from insecure to secure and you have a lot of third parties and you don't know which of them support SSL so open up dev tools and there's like a tab you can play with where it helps you rewrite stuff and
obviously receive is also gonna help you all out there's a new header and CSP called upgrade and secure requests so when a browser sees the header it's going to say oh this site wants us to upgrade all sub resource and some links to HTTPS even though they're written as HTTP so it will try to HTTP request and you know if that fails it just gets blocked but it won't do the insecure Network request so that's also useful and I think the final problem is that
there's too many certificate authorities it's a lot so Peter and some of his
colleagues made this this very complicated scary-looking graph a few years ago Peter aqui tell me what it means yeah so this is a map it's not the whole map it's actually a little portion zoomed in of the whole map that we presented at Def Con in 2010 from the ssl observatory project and when we set out to do that project we thought that there would be about sixty six certificate authorities in firefox maybe a hundred and fifty in IE but then when we scan the internet we realized that they'd all been signing and delegating to other certificate authorities that want in the official trust route but which would actually be trusted by browsers and we concluded there were thousands of CAS operated by at least many hundreds of organizations and a compromised at any one of these CAS could basically compromise any domain on the web so kind of terrifying that's really scary not gonna be able to sleep and in fact earlier this earlier
this year last year this year Google found miss issued certificates from a Chinese certificate authority so this is not just a theoretical attack we've actually detected this in the wild so Peter this sounds pretty bleak how are we gonna how are we gonna make a world
that we want to live in in the future so our solution to the problem of there being far too many certificate authorities and to all of these other problems is actually to start another
certificate authority
but really in more detail as I'm gonna explain in the next few minutes we need a detailed vision both for security for a way that we can get every website it needs and not search it's not supposed to have so a solution for security and also a solution for usability so that humans who are just web developers and don't want to go all the way down the insane rabbit hole of all the strangely named SSL vulnerabilities and the animals they named after and things they don't need to know about that stuff so
the biggest question we need to answer for this project is if we're going to issue certificates how do we decide whether to do sir and you can think of
this as being a little bit like that scene from the Holy Grail where you know someone shows up and says I want to stiphu get and you say bring me a shrubbery and then you know you go off on your quest or you have your software girlhood request and come back with the shrubbery and then you're like oh it's nice but I think I'd like a different other shrubbery as well and sir
this dialogue hopefully it's not quite so comical happens in this new protocol we've got called the Acme protocol a CA will speak is this but I will have a client as well but you can write your own clients if you want and then the shrubberies are called challenges as a particular task that the client needs to perform to prove that it deserves a particular certificate and there's this fundamental issue that you have to deal with with these challenges which is your bootstrapping from non cryptographic authentication somehow up to krypter how do you know what key to use when you didn't start with keys the traditional typical answer for at least bulk issuing certificate authorities the ones that are comparatively cheap and what will not charge you a thousand dollars or whatever is to just send an email to a address at that domain name maybe admin or root or webmaster or something just send off that email totally insecure if a link in the email gets clicked then whoever asked for it to happen gets the set a smaller number of CAS will do this thing where they going to inspect an HTTP URL and see that you put up a knot so they they gave you at that URL so we are gonna do some variant of this type of domain validation the types we're gonna support at launch there's a new DB protocol we've invented called DVS and I that works at the TLS layer and the aim is to prove not just that you're a user on the destination machine that who happen to register that the name admin but that you actually have administrative control over the web server and you can configure it to answer for synthetic fake virtual hosts that we've asked you to answer for now we do that in the TLS handshake we ask for that name using the S&I header if you know it and then we inspect the results and make sure that you're able to customize those we also support simple HTTP which has a little bit less of that security in it but it is also going to be necessary for some people who are behind proxies or CD ends and you know in the wild we'll get certain numbers of attacks against these things that succeed and will monitor the statistics and see how it's going whether we can keep doing both but probably down the pipeline people are asking us for extra things one that we get a lot of requests for is dns-based validation especially for larger deployments just have the DNS name posted not in a special record and another one we may do is an upgrade of the DVS nie protocol to do a whole lot of domains in a single handshake so you don't have to do if you're virtual hosting a thousand domains you can you can just do one fancy set of challenges and not a thousand challenges over over and over again and we might do that on a different port one one extra port in addition to 443 for people who want to keep their their firewall 443 going the way it is and then point a special port somewhere else will have to do a lot of auditing on that port before you pick which one we're going to use probably that will involve internet wide scans and a call for comment but fundamentally
all of this domain validation stuff is a bit terrifying basically the you can imagine the Internet as being like a very dark hallway and you'll fling some packets down down that hallway you can't see where they go and something comes back and says yeah I'm really this domain and it could have been eaten by monsters or modified you have no way of knowing in general and so you will get attacks if people compromise routers compromised DNS service they can defeat these methods not very reassuring we can
do slightly better than that so we can do multi path DV where we use servers in multiple data centers and multiple parts of the world to make several versions of the validation requests or several versions of the DNS query this doesn't completely protect your very powerful adversary you might compromise each of those places or someone might just compromised a router near the victim so there are multiple dock paths through the internet but they all wind up in the same room and being eaten by the same monster so this probably isn't good enough for us to build the whole internet security infrastructure on top of yet but we can do better than that
actually so what we need to do is ensure that this this leap of faith' down the dark hallway really only happens how do we do that we were talking before
about the ssl observatory project we spoke at DEFCON five years ago about this since then there have been a number of these gathering projects the centralized observatory we talked about
we have a decentralized so about a million Firefox clients who opted into sending us certificates
there's the certificate transparency databases run by Google and others and the zmapp project that James and these colleagues at the University of Michigan have have done and these build giant databases of all the public certificates in existence and so we know the entire syllabus at least the public portion of it at any given moment and that lets us do this this thing where when someone comes through the door and asks for a domain name like a bank in New Zealand we've never heard of or a corporate webmail system somewhere we can say look in the database and say oh there is already a valid certificate for this domain name that you're asking for we're not gonna just do non crypto domain validation we're actually going to ask you to prove possession of the private key in the existing valid certificate so that way you can only get a certificate from us if you've already got a cert by signing something or decrypting something with the key in that that cert you have this is going to be a little bit less usable it may mean you have to go chasing around to figure out where your existing key is for your set in the worst case if you've lost it you might have to go to another certificate authority and buy a set but we will ensure that we never rub our issue to a bank or a valuable webinar site or anything that has a certificate right now just because a router got compromised so you might notice if
you've if you've heard of tofu authentication this mechanism lets us get tofu tofu is trust on first use you're probably most familiar with it from SSH it's the model where if whatever you stab trusts you establish it on your first insecure connection you get anything changes the person at the other end changes you're going to notice and be protected against it so we think
that's pretty nice now the next problem we're gonna have to deal with is basically the horrible complexity of TLS configuration as yan was showing there are poodles and logjams and hot blades and all these things that can get you and what we want to have is basically a client that runs on your server an agent that runs on your server and magically figures out the right way of doing things for you at least if you
want that and so what this does is it takes the current situation where every webmaster at every web developer out in the world is like a giant crowd of these millions of people and we're sitting up here secure it as a security community kind of yelling at them saying here understand this incredibly complicated corpus of knowledge all of you need to understand this incredibly complicated body of knowledge to customize each one of your sites correctly and it would be way saner to have a world where we can
have a small team of people maybe just the people in this room the people who want to contribute on github to the project focus in on how we actually do TLS deployment correctly do it once correctly and then give everyone else a tool that just sorts out the details for them so that's the the aim with the the
fancier client that we're supporting here and the aim the plan for when someone gets this and installs it in six months or a year's time is that it'll support tweaking their existing server Apache nginx or anything else we heard a little API that you can use to support new server software to pass the challenges and then install the resulting certificate or certificate if you need lots of them and then tweak all of the security parameters and options so that they have good values either maximizing security or maximizing security subject to the constraints of compatibility with all the clients depending on which one you want and automating tasks like renewal and response to security incidents that right now caused massive problems for HTTP deployments so some of you probably are terrified if I'm saying automate security tasks so let me talk about what we mean by doing that because this is a spectrum this easy stuff my tuning the cipher Suites our server you know we go and look up some lists of recommended cipher suites and debate them for a while and then pick a good value retailer csps a point so that everyone can actually tell whether certificates have been revoked or not we town the upgrade in secure and you headed the w3c just specified because it's basically a no-brainer to turn that on more tricky is redirecting from HTTP to HTTPS because of mixed content blocking even with upgrade and secure sometimes this can cause breakage we can maybe do a fancier version where we look to see if you've got a client that's modern enough to know about the upgrading secure mechanism and do a differential upgrade for the modern client and leave the old ones in HTTP similarly auto-renewal andrey keen we've got these implemented actually largely but they're a little tricky there are a lot of chronic cases what happens if you fail to renew a domain and so now you have a or something went wrong with one of your domains so you have a an old set that's four more names but it's about to expire and a new set four fewer names and so at some point you have to transition you want to try and tell the admin hey like please pay attention to me I'm a program on your conservative / asserts there's an issue but the admin is not reading their email so we want to get these corner cases right but we think we can do this pretty well and then the hard stuff is for rewrites for everyone and turning on HSTs you should all know about the HSTs header if you don't set it your site is totally insecure but it's also the kind of secret sauce that can break set if it's not done correctly so we'll need to be very hand-holding and gives the admin good tools and advice to turn these options on when they're ready and not before hand and the hardest stuff which we may build but it won't be there straight away necessarily is HP KP pinning which lets you lock out all the other certificate authorities but can really break sites easily and full mix content auditing automatically somewhere via proxy in the server or via CSP report back this stuff is theoretically possible but it's a big engineering task that's down the road
but fundamentally you know ca's are terrifying things because they control the security of the whole web and we're trying to build a giant automated certificate authority giant crazy machine and we have to be a little bit afraid of the thing web bill and so how do we how do we design for for safety as we build this giant robot authentication machine so one part of
the answer is defense-in-depth and I think the things I've been describing to you our in fact forms of that we're trying to ensure that we have multiple tests in place and we don't fail because one of them with attacks but also we need to plan to detect and survive really serious kinds of compromised events because we're gonna have a giant target painted on us so protecting against ourselves basically and we have a few cards up a sleeve for this one is to be incredibly bait and all of them about to being it essentially incredibly transparent we're gonna publish the logs of the transactions that we have when people come in Oscar's for a certificate as a public server asking for a public certificate we believe that that's actually a totally open public event so will will will list the logs what IP addresses are asking for what certs and what happened when we tried to verify that well we'll publish a full verifiable history of every certificate we issue so you can go and look at the logs see all of them see that they have an incrementing portion and the serial numbers they're all signed you can collect the set of let's encrypt it if it gets really easily if you want and we'll also push that data into the certificate transparency logs so people can validate that every set they're seeing if they want to is there now we also help you with HP KP at some point if you're in power user mode and you're really brave and crazy to lock out the other thousand CAS you probably will still need to keep us in a couple of your choice as backup options you should never just pin to one TA because if you break that pin your site will become unreachable for months and it's happened to people and then we also need a plan what like what happens if we do get compromised what happens if an employee of our organizations is working for someone else what happens if there's a day in our systems what happens if we just screw it up and and was a bug in our code that we should have spotted but but one of our systems gets compromised and we're planning to and what happens if you know what keys getting factorized we keep saying crypto attacks that are very powerful what happens if those affect us and the plan there is to have some mechanisms that allow really fast server initiated responses to security incidents so if a hotplate event happens we should be able to put up a flag on a million sets and get them within 24 hours all retain and reissued at least if the clients a polling us and saying hey do you have an emergency for us to respond to we can tell them and that can happen before the sysadmin gets out of bed if they want that their site working that way and then we can also do recertification if one of our intermediate CAS were to be compromised we're not too big to fail we could actually switch it out for a different one go to the cold storage that the bank vault get out the key make a new one and then roll everyone onto the new then you start really fast so these are structural protections that we think help make this safer so some institutional and kind of organizational details this project began as a murder of an EF f and units project to do this and a Mozilla project so it's now you know that all of those organizations teaming up together it's housed in its own nonprofit called the internet security research group or is RG and it has major sponsors AFF Mozilla Cisco and Akamai are all putting a lot of resources in others really helping out I don't trust automatic and the Linux Foundation helping to do the administration for is I J and a couple more sponsors on the way roughly break down which bits are being done by which teams operations of the actual CAS servers and so forth is IG and mozilla server code mozilla any FF client code a FF and you itch and everyone's been chipping on the giant complicated policy and legal and bureaucratic tasks that happen here on the current schedule we have this is as of this week we had a slight revision so we're gonna have our first set issue during the week of the seventh of ten you'll be a valid public validity so default browsers will trust these sets from sometime in mid-october roughly and there'll be a beta program to start actually deploying them on a wider and wider sort of science and then general availability for everyone will be the 16th in available in the meantime we
have a lot of what to do there's both the bureaucratic tasks of passing the crazy audits and producing the insane documents and then the documents of your documentation about all of you know your backup plans for everything that that's one of the giant tasks that makes studying us to the good authority expensive and time-consuming so wait we just have a couple of people working through this they're incredibly valiant and tenacious in getting those audits passed and then code and if you guys are interested I occurred for both the server and client paces are on github
and the spec you can come and hack on it help us break it help us fix it help us implement some of the cool features that we talked about but haven't got yet and
help us ultimately encrypt the entire web but I'm not gonna leave it there I'm gonna hand over to James to give a demo of the way the client works and some of the stuff we have running right now all
right so I'm James hopefully we can do a live demo here and nothing will go wrong pray to the demo gods nothing ever does there we go if you can increase your font size
so can people see that we're bigger that's about as big as our girl all
right so right now we're using virtual
environments but hopefully I will get into sorry a little bit tall here hopefully we will get into package managers here right now when you download the code off of github it gives you instructions to set up a virtual environment and our clients run in Python right now but let's go through an example here so pretend we have an
enthusiast you know who owns encryption example.com you know he likes to teach
people about crypto unfortunately he can't set it up himself
and you know he's also interested in finance making making money so he registered the site TLS trust at us it has everything you need to be secure it has all the logos and you know has the like lock icon up there but it doesn't actually run over TLS which is unfortunate it looks secure to me you know how that
goes so luckily let's encrypt came out and you can simply he has an Apache used to be next he has an Apache server that but oh that's re sorry I'm not used to nice change this first time using OSX
yeah sorry let's give them alright so so when you run the client it asks you
to go through an end-user agreement right now because it's a preview release but basically the client will actually
go through your server configuration and figure out what names you're hosting so it goes search through the config files you can select which names you'd like to use the first example we'll just do encryption example.com and it actually
will go through and solve the challenges for you so it's kind of listing what it does here those of shrubberies going post write all of the shrubberies you I can use a little tune-up here but in that
timeframe we've actually completely solved the challenges and set up TLS on the server that was 20 seconds rather
than three hours this is still self signing for the demo yeah there we go yeah so we have an HTTP server and now
mind you that it's still signed because we don't actually have the CA up and running yet but yeah if you if you trust the happy hacker root which I don't advise because the private keys public you two can get that green bar out there right now I've the logo let's encrypt logo or the are you talking about extended validation certificates okay so we can also you know it's probably advised that for the TLS trust at us we're always going to want to run over HTTPS so we can run and I didn't you can
actually specify everything on the command line and not use any prompts at all but once again it will quickly set up the server solve the challenges and it also will create a redirect from the original HTTP host to to the new host so
that's all great so we're gonna add some nice little and cusses UI in that but asks you you want easy mode or secure
mode or customer and they'll try to figure out which of the dozen or two
dozen security features like redirects HSTs OCSP stapling etc you want configured for you yeah so now you're safe you know it's stressful and s-works now some people obviously don't want us to actually touch their configurations which you know makes make sense and if you do and if you do want to simply remove every you know or we mess up your configuration which we won't hopefully you can roll back everything that I just did there are three checkpoints roll
back everything and now HTS is no longer enabled on anything it goes back to the original state as if we haven't touched anything finally you know we what not
yet right now it doesn't revoke the certificate we will have another management system that you can manually revoke all the certificates and see I was trying to get that ready for the demo but I couldn't quite code fast enough especially with the spotty internet finally you know if we don't support your server right now or you
simply want to use another technique you can specify we have a manual Authenticator which will not require root so it simply gives you the file to post to your server and a standalone which you just click and a lot of math to get your cert and drop it in the current working directory right that one listens on full full three so you have to turn off your existing web server if you have one yep but yeah that's it
do we have time for questions ten Matt's
the question is awesome let's go I think
there's a Mike C should go up and passports no Mike am I on given how hard it is to get a third how hard was it to become a certificate authority and getting accepted by the browser that does Sarah oh we didn't talk about this okay how many people here think that in order to become a certificate authority you need to be accepted by the browser vendors can I see hence you need to get into the thing I'm saying you like so many of you may have realized that you don't need to be accepted by the browser vendors at all actually all you need to do is get one existing certificate authority to promise by contract to cross sign you and then you're in the all of the browser's instantly if that existing CA was so the crucial thing for us was getting an agreement with the certificate authority saying yes if you pass some audits we will cross sign you and then once we had that we could talk publicly about the fact we were gonna do this because we had a reliable path to being a browser trusted CA now passing the audits is a lot of work there's an incredible amount of bureaucracy there you know documents for hundreds of pages long with requirements that began as sensible things that we would all think oh yeah you should probably have a back-up plan and then an emergency plan you should have a way of reading your personnel in a way of revoking their credentials you write all those things down it becomes a really long list then you write down another entry saying okay now document your answers to all the previous questions and now pass an audit where you get asked where the documentation for the documentation is and sir it costs a fair bit of money and takes a lot of time to do that stuff and we're close to having all of it done I mean we're gonna have a cross sign from a CA called i dint rust so one of your tenants is to make it very easy to get these shirts out there which is totally awesome but it's still to a technical crowd you're at the command line the demo it's awesome by the way is there plans to get involved with something like C panel or the VPS hosting environments where end users who are not so savvy can easily get certs yeah absolutely I mean we we want to have those tools available you know the let's encrypt client the fancy Python one can be used by those hosting environment or they can code it up there or in client you know I think there'll be a trade-off for different people some will do their own coding and some will just deploy our code so API yes there are two API is actually the equity spec is itself an API that you concurred to it's a protocol that's open and then there's another API for our client which is basically you have a new server so you might want to write a you know for instance a postfix or an exome or an XMPP server module or an IMAP server module to obtain or deploy certificates for all those different things and we have a simple API against our Python client that what helps you to understand new types of service so obviously with certificates you have to think about revocation lists and something as large as lifting the entire Internet you're gonna have a pretty big revocation list and I guess the popular strategy currently is purging it every now and then but that can cause security issues for certificates that were actually your hope because of compromise if they get pushed off the CRL with things like sadie's signatures so what is your plan for dealing with that or you just sir we're gonna do OCSP as as well I'm not actually I can't remember our latest plan for CR ELLs basically the main can like reason for doing CR ELLs is to make sure that Google and other people who bacon revert certificate lists are going to have a fresh way of knowing what which of us sets are going to be valid we're also going to be launching with a three-month validity window so we're gonna have a little bit less like risk from Unruh work certificates structurally than most CAS and in the long run perhaps we could aim to to one day have an over CSP must staple kind of environment both I think that's a little bit more speculative and there's a lot of missing technical pieces and unsolved technical questions because revocation on the the web right now it's broken thanks so on the server side when you're actually updating configs on behalf of users like for nginx or patchy you have any plans on integrating with the configuration management tools that might also be vying for updating those like puppet and chef and all those things so we want to be yeah we'd like to write an installer for puppet and chef I'm well aware that that is a major need there we just haven't gotten around to it yet but it should be possible and if people want to write their own clients that would be great to also actually these are the exactly the kinds of tasks that make a lot of sense of volunteers because they're very separable we have a fairly clean API for extending client functionality and so if you want to make one of those things happen come and find us on github yeah no I work for puppet so I would love to see there be like a good integration there so I will totally check it out Thanks yep hi as we know a lot of add sites or web content are paid for through add sites and as you push to encrypts all these sites and everybody goes encrypted you deflect the ability to inject as dynamically how do you think that'll impact content generation on the web and do you think it'll push to the more APA style it's funny cuz we also just launched privacy badger and you could ask us some more pointed version of that question about privacy badger but the I mean the answer is I don't think there's any technical reason why add tech companies can't all just switch to HTTPS there's nothing that you can do over HTTP there that you really can't do it HTTPS in my conversations with those companies we just get referred yeah but I mean much to my you know sadness actually you can get refers either you can post them which is what ad companies typically do or you know if it's HTTP to HTTPS they're largely still there it's complicated but you know mostly they get blocked because it's a an HTTP destination and HTTPS source so I think that just has been this attitude amongst some company saying why should we do this we don't see a reason and others I mean I've been in a room full of ad tech people yelling at each other where some of the listen you need to do this why are you not doing it and others just saying we don't see a reason and I think I think the answer will be everyone just ends up doing it hi y'all have a lot of plans that seem pretty lofty and very large goals he said you have to API is publicly available do you have any other api's planned and if so when and what will they do no other API is planned in the you know for this project in the short term and you know one of those two api's is very small so the big one is the Acme protocol which is like you know it's going through the IETF the mozilla team is largely shepherding it through that that's gonna be a big like new web protocol to do this kind of stuff the other loop I is much smaller it's from a Python client and it's basically a way that you can write some Python code for your particular server that slots in neatly you can think of that as much being much more plug-in infrastructure for the client thank you very much I was one of the guys that said that not every site should have SSL I think specifically I don't want to see phishing sites with SSL you've talked about your plans for avoiding direct collision so site comm site comm you're not going to reissue to a different actor what's your plan if I go and get site - secure comm for a very low tech comma glyphic type attack how are you gonna deal with that I think that this is actually still an open question we are in talking a lot internally about two different plans or two different even types of plans so I think from my first principles basis we agree that we need protections against phishing the internet needs to not fish people but there's also a question about whether the x.509 layer is going to continue to be the best layer to do this because that's true it's traditionally been the layer at which this occurs because of the lock icon and sort of fetishization of the lock icon which made sense when that was a mock of you know a trustworthy ecommerce site versus a random site it's not trust its identity TLS gives you two promises it gives you identity and transport security if you're saying I'm not the so let me finish sir sir if we were going to do it outside of x.509 the two places it could go would be into the domain name system itself or it could go into the client so that there's a rich API because the client has you know and it already exists in clients with Safe Browsing from Google and used by other browsers so one option for us is to take our data sets do our hama glyph detection do all of a you know maximum protection against phishing and just pass that data set over to Safe Browsing or over the DNS registrar's and say we you know we were flag going up about this domain here he's all the evidence you make a decision about how to show the user the right UI around wanting them off being fished here the other option is we do that ourselves inside our own infrastructure but there are some costs that come to doing that you know I'll tell you a couple of them one is when we deploy HSTs for instance and order annual for people and then their site gets onto a watch list because they host 10,000 software downloads and three of them turned out to be malware and so they get put on a Safe Browsing list if we for instance were to go around and respond to that by revoking their cert and they've deployed HSTs and we've helped them we closed an unrepairable outage at this site and so it just seems that it's dangerous to do this kind of detection with false positive rates inside kind of a basic protocol layer that affects communication so well you know we haven't gone a choice about this but these are the factors that we're weighing up they're also people who just say politically you know I run that site with a thousand downloads and Google blocks me sometimes I don't want to be denied a cert and the ability to communicate with with people because I have this blacklisting problem and so I think there are arguments on both sides that I think you're also looking at identity validation versus domain validation so the main validation already exists you're looking more for identity validation which yep hye-young say you're you ssl certificate authority is wildly successful and everyone on the internet is now you pls and has your certificates seeing how's the primary goal of TLS is to prevent man-in-the-middle attacks say I go to your encryption example.com and my web browser right now my web browser is gonna make a connection on port 80 first now if I'm a man in the middle I'll just respond to that connection and bypass TLS completely how do you how do you going to address so the answer to that one is HSTs right and that and of course the you know HSCs does two things it deals with that and it deals with the fact that people don't know that they need to sit the secure flag on their cookies and so huge numbers of web sites set off cookies don't flag them as secure and then they're totally cookie jack of all so you need ultimately for a secure site to have HSTs set we will try to help sites do that but it's in the category of things that can cause a lot of breakage and so we need to have good tooling around turning it on for you know are just a few minutes at first and then gradually increasing the TTL and having good test for breakage so that we can tell the admin to roll roll it back or which pages on their site of breaking because of it so the plan is to definitely go in there and actually fix this stuff of people but it's gonna take work to smooth out all of those rough edges but I mean even if every site is sending an HSTs header the man in the middle is going to intercept the connection before the client receives on ages there are preload lists in the browsers and so we could order submit I mean I think they probably have an engineered for the sheer number of domains that would wind up on the preload list if we robo submitted every one that turns on HSTs with us and so that's probably a bridge we'll have to cross with the browsers when we have enough deployment to cause a problem for them do you think it may be a better solution what to convince the browser makers to start with the port 443 request and try HTTPS by default it doesn't help because the attacker can drop the packets and then wait for you to try it at any point yeah thanks will you eventually support will you eventually support wild card certificates or not is it okay to hit the API we will not support them at first and then we'll look at her you know who knows what we'll do later I mean I want to say I could tell you why it's hard right like it's the people who are really mad about identity and phishing if you give people wildcard certificate so they can go and get PayPal dot their domain calm or whatever and they can do that without limit and sir we will get you know unless we have a good answer to the phishing debate wild cards will be politically sensitive for that reason so to follow up with that is there any way at all that you could use this for dot local domains don't local domains in TLS don't entirely make sense I think the the thing one should aim for there is to try to actually get namespaces that are not colliding or to make up new browser UI for dot local you know maybe maybe there should be an explicit tofu model for those local namespaces but it needs to be engineered separately from public web web naming Thanks thank you very much