CRYPTO AND PRIVACY VILLAGE - Green Locks for You and Me

Video thumbnail (Frame 0) Video thumbnail (Frame 605) Video thumbnail (Frame 1239) Video thumbnail (Frame 2084) Video thumbnail (Frame 3337) Video thumbnail (Frame 3787) Video thumbnail (Frame 4660) Video thumbnail (Frame 5587) Video thumbnail (Frame 6083) Video thumbnail (Frame 6545) Video thumbnail (Frame 7565) Video thumbnail (Frame 8373) Video thumbnail (Frame 9080) Video thumbnail (Frame 11151) Video thumbnail (Frame 12923) Video thumbnail (Frame 13913) Video thumbnail (Frame 14841) Video thumbnail (Frame 15929) Video thumbnail (Frame 16368) Video thumbnail (Frame 16956) Video thumbnail (Frame 17487) Video thumbnail (Frame 18147) Video thumbnail (Frame 18695) Video thumbnail (Frame 19791) Video thumbnail (Frame 20203) Video thumbnail (Frame 21164) Video thumbnail (Frame 22540) Video thumbnail (Frame 23499) Video thumbnail (Frame 23915) Video thumbnail (Frame 24418) Video thumbnail (Frame 25283) Video thumbnail (Frame 25870) Video thumbnail (Frame 26480) Video thumbnail (Frame 26878) Video thumbnail (Frame 27375) Video thumbnail (Frame 28223) Video thumbnail (Frame 28743) Video thumbnail (Frame 29459)
Video in TIB AV-Portal: CRYPTO AND PRIVACY VILLAGE - Green Locks for You and Me

Formal Metadata

CRYPTO AND PRIVACY VILLAGE - Green Locks for You and Me
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Domain name Different (Kate Ryan album) Encryption Cryptography Theory
Domain name Point (geometry) INTEGRAL Transport Layer Security Mereology Graphical user interface Graphical user interface Blog Green's function Website Quicksort Website Information security
Domain name Web page Server (computing) Email Inheritance (object-oriented programming) Transport Layer Security Multiplication sign Bit Public key certificate Direct numerical simulation Touch typing Website Cuboid Convex hull Sinc function
Web page Domain name Service (economics) Freeware Public key certificate Direction (geometry) Bit Mereology Public key certificate Usability Direct numerical simulation Computer configuration Computer configuration Set (mathematics) Encryption Website Encryption Quicksort Website Error message
Greatest element Public key certificate Software repository Blog Direction (geometry) Time domain
Medical imaging Root Computer file Root Software repository Virtual machine Website Local ring Hand fan
Domain name Direct numerical simulation Word Serial port Transport Layer Security Programmable read-only memory Direct numerical simulation Internet service provider Website Set (mathematics) Bit Surjective function
Web page Email Direction (geometry) Set (mathematics) Point cloud
Domain name Email Slide rule Email Context awareness Multiplication Service (economics) Frustration IP address Twitter Time domain Direct numerical simulation Uniform resource locator Mathematics Flag Right angle Quicksort Hydraulic jump Row (database) Address space
Domain name Email Direct numerical simulation Email Server (computing) Key (cryptography) Internet service provider Bit Key (cryptography) Electronic signature Time domain
Domain name Email Email Graph (mathematics) Block (periodic table) Authentication Public-key cryptography IP address Mail Server Green's function Compilation album Quicksort Message passing Traffic reporting Traffic reporting
Domain name Suite (music) Mobile app Server (computing) Server (computing) Set (mathematics) Planning Bit Direct numerical simulation Googol Different (Kate Ryan album) Blog Set (mathematics) Point cloud Freeware Row (database)
Web page Mobile app Email Email Set (mathematics) Online help Public-key cryptography Direct numerical simulation Uniform resource locator Infinite conjugacy class property Direct numerical simulation Key (cryptography) Quicksort Row (database)
Domain name Direct numerical simulation Type theory Graphical user interface Key (cryptography) Block (periodic table) String (computer science) Row (database) Row (database)
Domain name Direct numerical simulation Graphical user interface Key (cryptography) Direct numerical simulation Set (mathematics) Row (database) Row (database)
Type theory Direct numerical simulation Key (cryptography) String (computer science) Direction (geometry) 1 (number) Set (mathematics) Online help Quicksort Public-key cryptography Row (database)
Domain name Sign (mathematics) Enterprise architecture Email Key (cryptography) Inheritance (object-oriented programming) Set (mathematics) Volume (thermodynamics) Key (cryptography) Freeware Time domain
Email Message passing Computer configuration Block (periodic table) Sheaf (mathematics) Graph (mathematics) Sheaf (mathematics) Traffic reporting
Email Direction (geometry) Flag Traffic reporting Row (database)
Email Email Computer configuration Address space Row (database)
Domain name Enterprise architecture Email Set (mathematics) Flag Traffic reporting Spacetime
Domain name State of matter View (database)
Domain name Frequency Email Multiplication sign File viewer Information Technology Infrastructure Library IP address Hand fan Spacetime
Email Multiplication Range (statistics) Green's function Planning Video game
Laptop Web page Mail Server Type theory Message passing Email Server (computing) Set (mathematics) Flag Information security
Domain name Web 2.0 Email Server (computing) Email Transport Layer Security Transport Layer Security Encryption Electronic mailing list Set (mathematics) Information security
Slide rule Email Uniform resource locator Encryption Set (mathematics) Musical ensemble Traffic reporting
her next talk will be by the wonderful Lyndee Knox Everett she's gonna be speaking to us about green locks for you and me well hi everybody can you hear me call so this is going to be a little bit different than some of the other crypto village talks it's not about encryption theory or anything this is going to be about using encryption for your own personal domains if you have one so pretty recently
chrome need to change they've been driving towards securing everything on the website with TLS and they had been labeling secure sites with a little green lock which is where the title of my talk came from but they just recently made an update such that non secure websites now are explicitly labeled as not secure they have a really cool blog
post about this this is just Val I guess at this point three weeks ago where they wrote about how this is part of their goal towards driving to securing everything with TLS so TLS is really important because it's basically makes sure that the integrity of the website is preserved I'm not going to go too much into TLS I'm assuming if you're in a nerdy talk about green locks you know what TLS is but we're gonna sort of dive into using this for some of our own personal domains so this is my personal
domain I have had a website since like the early tooth actually I've had a website since like 1995 I've had my own domain since the early 2000s and it was just running on a Linux box that I was paying space for and I really didn't touch it if you like a look at it assuming my DNS is not hurt it is a super super simple like plain HTML page and I kept being like yeah I should actually do something about it because I'm such a big TLS advocate and my own personal website is not secure I think it being like well it's kind of a pain in the neck if you have like a two HTML page website on a very crafty old Linux server that you're just renting from someone like this is a pain in the neck how am I going to do this without basically spending hours on it because I don't have hours to do
so I ended up getting a TLS certificate for my website and we're gonna run through that quickly and then I'm gonna end up spending the bulk of this time talking about email security because that's one that was actually a little bit more difficult to set up
so let's encrypt is probably the most famous way to do this I'm actually not going to talk about that method because I host my website now on github pages which is free which is awesome I don't pay anything to host my little tiny HTML pages when I set it up they were not yet quite supported like officially supporting let's encrypt so I'll use CloudFlare so my dns is over there there's lots of other hosting options out there you can use WordPress is another very common one but I like github pages they're how to get hub account I like it hug desktop as a tool to push things up this may be a little
blurry here this is showing the certificate that's on my domain and it's a CloudFlare one so I'm gonna go pretty quickly through how I set this domain up github does not have the best directions unfortunately which is part of what drove me to do this talk this entire experience was a lot of trial and error and I'm pretty nerdy so I wanted to sort of document my path through as I did this for people to go back and try again and if you're at github I love your service please make your documentation a little bit more user friendly so they
have a blog post where they announce the let's encrypt stuff and the directions at the bottom are what I follow they're still pretty up-to-date so you start out
by creating a repo and you just name it whatever your username is my get hub user name is Wendy CK then you check it
out local machine I'm a big fan of github desktop I like command lines but the desktop thing makes it very nice to see like the graphical dips and everything and you move over your files you can see I have like two HTML files and a couple of images I have like the world's dumbest website this is one of
the first like not even tricky but like slightly arcane things you have to do you a text file called cname at the root of the repo and you're gonna check that in
then we're gonna go to settings and we're gonna scroll down and we're gonna add the custom domain you can see that github thinks that my domain is not currently working this is why I was joking about my DNS being corked I grabbed this screenshot this morning serialize I'd forgotten this step and of course it now thinks my sites not secure even though it is and the redirect is actually working so DNS screws up everything even when you're trying to give a talk on TLS it is actually still working so I'm not sure why can't hope thinks it's not I one of the things that
tripped me up a little bit is because I'm not really a DNS person was I didn't know what the word Apex domain meant it just means a top-level domain like for me it's Wendy Kay org and I was talking about like apex domains and I'm like well I don't know what that is and so I don't think that I have that what I do so it's just a terminology that github did not really particularly define very well I thought I had like a subdomain like dub dub dub dub Wendy Kay dark but I don't because I own the domain so they basically are gonna tell you to point to this here's my dns
settings I am copying their directions and putting it in and boom I have a
secure website it's pretty cool although it took like 48 hours I stuff to propagate out but that is essentially how you use github pages with cloud where the let's encrypt setup is almost identical you're just creating basically that cname and you're telling in the setting that this is going to be a secure one so email spam is a big
problem I used to work in email marketing way back in the day and kind of knew at SPF was and so forth and I've had my domain on Google Apps since it came out and so I was kind of lazy about this whole thing I'm like surely Google is taking care of this for me I paid him 5.00 a month I just used Gmail for my domain and I've not configured a damn thing I'm sure they're on top of this and then I kinda started thinking like wait no to use SPF you have to set the main records and I don't think Google can go set my domain records and I was like maybe I should look into this because maybe my email is not half as secure as I think it is like my email is secure but like my domain could be used to spoof and because I have a very old org domain it's actually somewhat valuable for spam feels like I should probably take care of this and then fell down the email security rabbit hold it took me about three weeks to get this to all work and so that frustration kind of drove wanting to do this talk to just lay out my path through setting this up and sort of raising awareness or people to realize that you do have to go through some of this so we're gonna do a nice jump into three technologies SPF D command D mark and they all work together to keep people from spoofing your domain and they send spam so SPF is
pretty old when I worked on email marketing from like 2002 to 2006 SPF came out I want to say maybe in the middle of that like it was definitely around then this is not a new technology it essentially allows you to publish a DNS record it says for this particular domain like for when DK org only a handful of IP addresses can send email if you're getting email that is from any other IP address and purports to be from this domain you should flag it spam and also I'm gonna be gonna I'm gonna publish these slides to my Twitter account right afterwards so don't worry too much about capturing the URLs I've got a whole like a slide of URLs for all of you to but the problem with this is that it requires every single person who receives email to go do that look up people are lazy it also can be kind of brittle depending on your setup like at the IP address that is sending email changes it can be a problem people who send email from multiple places like if you have your company's email and then your company is also sending marketing email under that maybe through like a mail service or so forth you actually remember to keep these all up-to-date DKIM is the second part of
this it's kind of cool we can cryptographically send our emails without doing a darn bit of work besides entering a dns key Gmail works very well with this so if you're just using Google Apps in your domain they'll help you generate the key which are about to walk through and you publish it and these are gonna work with Demark to basically help you prevent people from spoofing because it's a little tricky it's not actually super widely adopted yet this is still somewhat niche the big providers like Gmail and so forth are using it but joke you mail server may not yet support DCAM
this is the headers from an email I sent myself the other day and I just pulled out the D CEM pieces of it we can see I've got deacons signature and ex-google deacons signatures showing that the email is cryptographically signed and
finally d mark you can think of as sort of a block and report it allows you to publish a policy and to basically see what's happening with your email you can't use d mark until you have D command SPF setup which I didn't realize when I started this I like jumped into D mark and I was like okay I don't understand what's going on here what's happening and had to kind of back up and do the SPF and DKIM first so this is
kind of an overview of how d mark works essentially the receiver is doing a lot of the work here they basically get the email they're going to go check DCAM the public key make sure that this is working they're going to verify that the SPF is set correctly so making sure that like the IP address is all that they got the email from is a lot to send email for that domain and then they're gonna apply a D mark policy which is what we're going to go walk through and then they generate reports for you a very nice pretty little graph so I've got lots of like nice red and green pictures of block spam coming up if
you're on G suite which is the Google Apps for your domain thing they have actually fairly good support it was way better than github and there's also this D mark analyzer thing as a blog post that's also fairly decent that will walk you through how to do this so this is a
little bit jumping back and mentioned I use cauliflower for my DNS so this is just showing that the place where I registered my domain I am pointing to cloud for DNS server I'm going to do all my DNS settings through CloudFlare I'm just on a cloud for free plan I'm not paying them anything and there's three different DNS records that we are going to go set up
so first we want to generate the DKIM public keys this is basic public key cryptography they're going to keep the private key I'm going to publish the public key out my DNS record so anybody who gets email from me can go check it and in Jesus we you basically have to sort of hop down in through a couple settings to get it you would probably
want to it's probably back if you page I check the GG sweeeeet help pages before you do this because they do like to basically rebuild their dashboard and this could move as of the other day it was still at this location and this is
what it looks like it's going to generate a txt record value for you and txt is a type of DNS record that just allows you to publish a block of text the name of it as we saw is Google
underscore domain key and the value starts with this VD k I am it goes out K is RSA we're telling us an RSA key and P equals that whole big long string so I
go to cod4 dns entry up at the top there's a way to add a new record I tell you a lot of text so for name I put on
the Google underscore domain key for value I paste in that whole big value
and voila I have the first of my required DNS settings up here so I'm not
going to dive too deeply into all of the DQ DKIM tags the only required one here is P equals which is your public key if you don't have that in your D chem txt record you do not have a valid one all these other ones are optional the only ones that I'm using I believe are like the K equals RSA and I think we have V equals so those sort of help it figure out what type of key or public key is so
next we're gonna do the SPF settings again Google has pretty decent help for this it will tell you exactly the string that you need to copy and paste into your DNS setting you just follow their directions copy it paste it in so now we have two DNS settings published and so now we're
ready to set up some Demark domain keys this is the fun stuff I use Demark Ian
if you have a personal domain and you don't have a lot of email volume this is great because it's free you're gonna see you later like my super low email volume I just don't send very much if you're a company it's also really cool I know some folks who have enterprise accounts are very happy with it you do have to pay for those but you have to be sending a significant volume of email before you're paying for it so if it's just your personal domain you're probably gonna be fine on the free one they make you sign up first for a trial and then they'll tell you if you can remain free after two weeks like you're probably gonna remain free so they have a whole
section it's going to walk you through how to add Demark these are all the
Demark options here the PCT is going to be the percent of messages that we're going to be doing this filtering some people like to start out with just subjecting 10% of their sent email to it I send such little email that I just immediately set it to 100% the are you f and are you a are used for reporting we're gonna see some reporting options that I get from D marking so I D mark Ian so I can see like very nice graphs a block to email and so forth and if using de Marquis and they will tell you what email value to put in the P is a policy you can be doing quarantine or blocking or and I'm spacing on the name of the like don't do anything just let me see what's being sent options so there's three options there this is my D mark
txt record I went to cloud where and I put it in sodium arth?on has fairly good
directions a P equals not as the like don't do anything I just want to see what's out there I it's a good one to start with once you have like your reporting working and you marquee and has a like a little issue tracker and it tells you like hey things are great it's not flagging any issues which for me it was flagging like I don't have SP set up at first then you can move to quarantine which means like hey flag these things of spam and then once you have that you can move through eject which means like don't allow the smell to get sent reporting is really fun
the argue a equals option is where you said it you don't have to use the marquee and you don't have to use their stuff for it you can put your own email address in here and do your own filtering and so forth but I'm lazy and don't want to write my own tools I'm using the free tools they have a really
nice thing called the D mark record wizard my d mark setting came out of this tool it walks you through it basically prompts you like what you want to do it you want to be blocking what percent of emailed you want to use our tools or do you want to use another one and as I've been mentioning they have
really nice reporting this is mentioning
you could use your own email in that are you a tag some people have like bigger enterprises are doing that otherwise if you have the D marking an email in there it goes there it will show where email from your domain is sent from I've had some friends who have set this up and been like whoa where is that email coming from like that's within our IP space and we didn't realize that with sending email so that can be kind of enlightening threat unknown emails that it flags are basically things that are not within your SPF and they're not following your D chem settings so when
you log in you get this very nice domain overview I only have one domain mile IndieCade org you can see right now the SPF the deacons state are all set up because I published those keys and they've propagated out this is going
into essentially a summary view that they have you can export as CSV s or so forth this is an older screenshot and
one day when like 36 fan mails were sent from my domain we blocked them it varies immensely like I've seen up to like 200 and then long periods of time with nothing a long period of time nothing is a little more common now because I've had this set up for a little while and I think that people are starting to decide my domain is not worth spoofing anymore but it's really fun when you are getting
spam to go in and like see like whoa who's trying spoof me this is really cool you can sort of dive into like the IP address space look it up see what country it is it's very interesting I lost a lot of time just poking at it because it was fascinating to me at the detail viewer
this is from that day with the ton of spam and you can see also I'm a very light email user I sent like four emails on those days this is well within the range of Demark and free I could probably like quadruple or more my email sending volume and be quite fine on the free plan this is what it looks like now
I've sent two emails over the last week everything's green nobody's trying to spoof me life is great de Morgan's
issues tab under monitor is super helpful I took screenshots when I was trying to set this up and I lost them on my laptop so I don't have anything to show you but it would be a little like your SPF is screwed up go fix it a message which I found incredibly helpful so if for no other reason than for that I recommend you use team Archaean if you're setting this up so finally I just wanted to touch on a couple other things I am the
world's biggest advocate of outsourcing your email I did email it's ridiculously complicated I remember getting pages at 4 a.m. when things went wrong so I do not want to do this anymore but I have some friends who for whatever reason like to run email servers in their basement so if you're that type of crazy there's two things I want to flag for you empty a strict security basically
allows domains to require TLS encryption it's an interesting setting starti
starts TLS also allows your mail server protect against downgrades they're building a list of basically servers that are going to do this and it is basically going to be like what happens with the web with TLS you could say no I I only support TLS like please do not ground downgrade me and so finally I
have some slides or some URLs for you here Erin pointed out that the FTC has a really helpful report on why you would want to use these email encryption settings if I haven't convinced you it like walking spammers is you can go read about the FTC these how to explain SPF D command D mark are really helpful because I had to go very fast over them and so cool that's the end of my talk thank you for coming [Applause] [Music] [Applause]