 Once again, please remember to enter and leave quietly as you can if you are leaving midway through the talk and don't forget to tweet. This is Till Maas. Thank you. Thank you very much and welcome to my presentation. Yeah, say this for later please. So I will be talking about let's encrypt and best practices. First I start with a little introduction about me. I'm from Aachen, Germany. It's a small town near the Belgium and Dutch border. Next biggest city is Cologne and we are for example famous for our printing. It's a nice bakery thing that if you would like to try you can try it here or later I will give some to the Fedora booth because I'm also involved with the Fedora project as a volunteer. Started a while ago as a packager and also patching all the things that I needed to fix for example in the infrastructure and recently I'm involved in the release engineering process, mainly cleaning up packages. As a day job I'm a penetration tester at Retin Pen testing and I'm doing a lot of security stuff and therefore I'm now here to talk to you about especially transport layer security more or less. So who of you knows transport or TLS? Okay so most of you for those who don't know it it's a basic protocol that you need to secure a lot of services. For example HTTP for websites or mail services with IMAPS or SMTPS and of course you can also secure file transfer with it. And to use TLS properly you need TLS certificates and if you don't have the right certificate you see errors like this and usually you don't want that your customers or your users are seeing these errors. So how do you get a certificate? For this you need to go to a certificate authority and the author CA basically says that you have certain cryptographic keys and they belong to you so that everybody knows which keys to use to access your service properly. And what do you think how many certificate authorities are currently stored directly on the Fedora system because a system needs to know which certificate authorities exist. Was there 100? 200? Yeah 200 was right. So you get something? Get your own piece of print. You can take it later. Yes that's right it's about 202 but these are only the so-called would certificate authorities because every certificate authority can also allow others to issue certificates in their name. And these are more or less several thousand authorities nobody really knows how many they are because you don't need to register for them. But this graphic is from the EFF the Electronic Frontier Foundation and they just checked all certificates that they could find for which certificate authorities were issuing them. So we have lots of certificate authorities. Why do we still have connection errors like this one? So why are people not using certificates properly? Or why is there no TLS at all used? And they even cite not enforcing TLS even though they could be using could be enforcing it. And when I ask people why are they not using TLS for example if they're running a service or even sometimes our customers don't actually enforce HTTPS or use it properly there are several reasons that they tell me why they don't do it. And one reason they state is that's not fast enough. But as you can see from on istlsfastia.com the TLS has exactly one performance problem it's not used widely enough and everything else can be optimized. And if you're still wondering what you need to do this website also contains a lot of information about how to optimize TLS. So performance is not really a proper reason and for example at Google there's only about one percent of computational overhead for TLS and everything else is used to provide the actual services. So this reason is not valid but still there are other reasons for example certificates still cost maybe cost too much money. That's also not true in all cases because there are already some CAs that provide cheap certificates or at least or even free certificates but sometimes only for normal users not for businesses. But still if you invest a little bit of money or want to like to invest a little bit of money in a certificate are there other problems? Yes it's also very hard to set up TLS properly. So for example if you want to get a certificate you first have to get an account at the certificate authority then you have to validate your account then you get instructions how to create a so-called certificate signing request where you state what kind of certificate you would like to have. And then afterwards you also have to prove that you control the actual server that you want to have the certificate and after a while you get the actual certificate but then you also have to configure those servers properly to use the right certificate and also do it securely. And to fix all these problems the Mozilla Foundation the EFF and the University of Michigan started a project called Let's Encrypt a few years ago and they basically created a new certificate authority and it's three important properties it's free automated and open and currently it's already available but still in public better so everything it's not it's not finished and it's not not everything is already final and I have to say I'm not directly involved in the Let's Encrypt project I'm just more or less a very interested observer so if I tell you some details it might be that the actual project might change in the future or maybe decide to implement features in a different way than that I'll find it out I only had access to public resources to get this information. So what makes Let's Encrypt special the first property is it's free and it's free to use completely but this doesn't only mean that you get free certificates you don't have to pay for them but it also means that you can use the service of Let's Encrypt and for example they are about 20 or more businesses who already include Let's Encrypt as a service in their service so if you go to one of these hosting providers you can just enable TLS and then you will get a certificate from Let's Encrypt for free and you don't have to worry about anything it will just work and for example this is also an impact on other services like WordPress and they are also planning to provide TLS for a lot of their blogs so if you host your own domain there you will just get a certificate and don't even have to decide about this it's not final yet but you can already see that they are getting the certificates and it's not only free to use but it's also free as and free speech so all information all code from Let's Encrypt is free software you can have both the client and the server code that you can look into and you can also use it and the client provides a Python API that you can use to implement your own client and also the server provides a defined API using the ACME protocol which is a new standard written by the Let's Encrypt project and therefore there are already different clients that you can use and they all fulfill different needs so for example the official client is more or less the biggest client that does most of the stuff and then you can see that there are also clients that try to minimize the feature set and if you want to provide your own client in any language you also find libraries for probably in the future every language and there's even and even if you still like the old way how certificate authorities work with the website you can even use a self-hosting website which just implements the Let's Encrypt client in JavaScript so you can download this website one open it in your browser locally and you get all the steps as before so everything is possible but the official client is actually the one with the most fun especially if you don't want to spend a lot of time because it does all the things automatic and if you're using for example Fedora you can already install it in the latest release and it's already packaged in EPS 7 but it's not quite finished yet so it is possible to get certificates but not everything is already automated so now we get to the next property and it's also open so you can get all the details about the client but you get also all information about what Let's Encrypt does so there's this project called certificate transparency and it's basically a distributed system of several servers who all collect all information about certificates that are issued and Let's Encrypt uses this to store information about all certificates that were ever issued by Let's Encrypt so it's completely transparent if they for example by accident issue a certificate for the wrong domain because of some vulnerability also you can for example see that a certificate that you're connecting to is really issued by the certificate authority and this is already required for example for certain certificates to make it sure that the browser Chrome displays them correctly but not all certificate authorities use it already and Let's Encrypt and I forgot this is also a website not provided by Let's Encrypt but I think Komodo it's called crt.sh for certificate search and there you can search for all these certificates and Let's Encrypt wants to go even wants to become even more open they also plan to publish all the logs about the interaction with the client from the client with the server so you can even comprehend why how users authenticated to the Let's Encrypt server and everything is transparent and now the final but the only problem is that Let's Encrypt is still in beta so there are still things that need to be improved and need to be added and there are also some restrictions in place for example since everything is automated you can only get five certificates within seven days per domain and also each certificate can only contain up to 100 host names so depending on your use case this might restrict you a little bit and actually and there's another problem or there's another restriction and this is that every certificate is only valid for 90 days so this means if you really want to renew every certificate at the latest moment you only you can only have about 60 certificates per domain because otherwise you won't be able to renew every certificate and but usually if you have a service that requires a lot of domains it might be that's the restriction does not need to be for the domain but for a so-called for us domain for public suffix because you do not only have server we just start sub-domains for example FedoraProject.org but you could also have domains for dynamic DNS services and then you can get these domains added to the public traffic list and then the restriction about the or the weight limiting only applies to these sub-domains so you can so each domain for example below these domains can have up to five certificates within seven days and this is also this is not only used or the primary use case of this is not let's encrypt but actually you should you do this already if you're in this situation because this list is also used to separate different domains that have different security properties so for example in browsers you don't want to have one during DNS sub-domain access cookies from another during DNS sub-domain and the only way that the browser can know that it should separate these domains is if it's properly stored in the public suffix list there are also some other restrictions that let's encrypt currently has that will probably not change in the future so for example there are a different kind of validated certificates and in an organization validated certificate you also have additional information about who the certificate belongs to and in extended validation even more and this is something that let's encrypt cannot do because it's an automated process and then you don't have the possibilities for to for example validate that is a certain organization that requests the certificate also code signings out of scope for let's encrypt and they decided to not sign IP addresses at the moment especially because you still have a lot of users that use dynamic dynamic IP addresses and currently it's also not possible to get certificates for military certificates for military domains but this should not be a problem for us there are some features that are not yet available but are planned for the future for example wildcard certificates are currently not possible so you have currently you have to get a certificate that contains all the host names that you want to use it for and the problem here is again that when you do it when you want to have a wildcard certificate created automatically you need to make sure that you really control you really have a person that is allowed to get a wildcard certificate and for example you don't want people to get wildcard certificates for all the dundee and s host names but the current but that it's not easy to verify this properly and as you probably know if you ever seen a python utf unicode encode error international domain or writing for proper encodings is also hard therefore international domain names are currently not possible and elliptic curve cryptography is also currently not implemented but planned and it might be that you can use let's encrypt also for secure mail encryption with asmime in the future but still something that's not done yet and currently let's encrypt is already trusted by most systems but there are still some systems that might not accept let's encrypt certificates that valid certificates for example java might not know the actual root cr that's used to sign let's encrypt certificates or android systems don't support it and in blackberry it's currently it's going to be included maybe the biggest problem might be still windows xp and it has actually a problem with if it's not updated enough with the kind of kind of signing algorithm that's used in let's encrypt certificates but this is handled by a new service pack but the other problem is that let's encrypt is currently using is currently a subordinate certificate authority and it contains this restriction for dot mill or military host names and therefore and this is something that windows xp doesn't seem to handle right now so it just does not accept the certificate but this might go away if let's encrypt gets included into other might or maybe doesn't go away for windows so skip that so if you have now a proper certificate and want to use it and you have still some things to do to make sure that you're doing this correctly so for example if you have any links make sure that they are already using https because otherwise you might already might have set up a proper server that provides https but nobody is using it if you still have links that don't use https if you have a lot of links that you need to update for this and don't have the time yet there's a feature called upgrade insecure requests that you can set in your http browsers and then make sure that the browser automatically updates insecure requests but this is still not the best possibility there's also another option that's called strict transport security and this basically says the browser that certain domain should be accessed over https for a certain amount of time after your access after the browser accesses once via https so this makes sure that a user cannot even access the website anymore insecurely except for the first actually request ever to this website and even this can be mitigated because google maintains a so-called hshts preload list and you can add your domain to this one and then the browser already knows which domains will always should always be used via https but you should do this only after carefully testing that everything's working because once you're on this list it's really hard to stop using https so if you still have one subdomain that's not actually working well with https but requires plain http you have a problem if you have in the strict transport security list and for example in the fedora project we are working several years now to migrate all services from http to plane to proper https with strict transport security so now if you have the proper certificate and you have it configured properly there's still another problem because for example let's encrypt might be a very good and secure certificate authority but there are thousands of other certificate authorities and who knows what all these names have in common yes yeah so you also get some printed afterwards and exactly so these are former certificate authorities or sometimes also still operating certificate authorities but not trusted anymore that the hacked or contained for example the certificate or were included on notebooks so that everybody had access to the private keys of the certificate authority or they issued certificates not to the proper owner of a domain and you can also avoid this kind of problem by using public key pinning so initially the certificate authority certifies which public which encryption key to use for your domain but you can do the same with an http header and then the bowser um knows which keys to use for future request and if there's any other key used it will deny the request or if you want to experiment with it first you can also make the bowser just report problems with false keys and this is for example the feature that made it even possible to identify all these problems with certificate authorities and there are probably even more certificates out there that are not in use by the proper domain owner but nobody really knows because it's not properly reported and if you're doing this you have to make sure that your keys are properly stored so and you have a backup key for example if you now use access to one encryption key and all bowser's think that's the one key that you need to use to access the website then the bowser's will not be able to access the website anymore and the system even mandates that you should have at least one second backup key that you can already specify but of course to make sure that this one is not compromised at the same time at the primary key make sure that's properly hidden and there are still even other options that you have to set to make sure that TLS is properly used so for example you can you have to make sure that you also use the right encryption after your certificate is set and Mozilla allows you to set up to get the proper configuration depending on your needs because if you have to for example support all systems it might be that you have to lower your security but if you have a modern system like Fedora you can even make it better so if your clients are using the modern system and there are so many settings that I cannot get into detail about them but there's one page by Kralis the SSL labs where you can test your website and you get information about what's all good and what's bad but eventually the good news is that the let's encrypt client will support all these settings and make sure that you can select the security level that you would like to have so with this I would like to conclude my presentation and would like to thank everyone who allowed me to use their pictures I would also like to thank you and I hope you enjoyed this presentation and even if you there's something that you didn't like please make sure that you fill out the feedback form because it's really appreciated as a speaker to get any kind of feedback for example last year I only got one feedback mail and I heard that the speaker for most feedback mails got only 10 so that's not so good for a speaker to not get feedback thank you very much and I'm not here to answer any questions okay so the question is how long will it take to learn everything required to set up a website for example running nginx to use https properly so if you're using so if the official let's encrypt client is finished and it already ended with support nginx eventually then it's just it just takes a few seconds because you just install the client and run it and then it will get the certificate and also update the nginx configuration so this will be the best case if you don't know everything there's already a lot of documentation about it but I can't really estimate how long it will take for you but at least getting the certificate will be very easy because you can also use the client just to get the certificate in a few seconds without it having when it does not already support your configuration so the question was if you just have to go download the client and tell it something about your configuration and yes you only have to tell it you might only have to tell it which domains you actually are using unless it is also possible for the client to get this information from your configuration so you get stomping up about just combined so the question is how easy is it to automate the renewal of certificates and it is as well very easy because you can just run the official client in a cron job like every 60 days or even maybe more often in case you skip some ones and it will verify whether or not it needs to renew the certificate and then do it and it's currently recommended to do it after 60 days the question is if you can sign subordinate certificates with that encrypt and this is currently not possible the question is if there are plans and I don't know of any plans because yeah I think you have the same problem currently at least with wildcard certificates because you would like to delegate trust for a certain unknown large set of domains and this is really hard to do it properly in an automated way so the first question was about the location of the servers that issue the certificates whether they are only in the US I'm not quite sure yet where they are located properly in the US but there are plans to locate them at different to have validation from different locations on the internet to make sure that there's not a local attacker directly near the computing center of let's encrypt and the other question was okay so the question was whether the server code is also open source and yes it is it's written in go and you can use it to set up your own certificate like let's encrypt for example there was a question at another conference about whether or not it would be possible to sign dot onion addresses with let's encrypt and this is currently not possible but you could use all the set up the infrastructure yourself and then use like a dedicated certificate authority for tour hidden services okay the question was since it's an automatic process what is there what is done to prevent someone from register registering an address for google so the even though it's automated there's still a check like classical certificate authorities do and for example you have to make sure that you have a certain value in your available on your document route which let's encrypt tells you a secret value and or random value and then if you provide it then let's encrypt we get it and then more or less know that the certificate is that the domain is yours it's also possible to use dns so you have a dedicated dns entry where you have to use this random value which makes it easier if you have a lot of domain names that you need to register and there's also some very interesting thing planned called proof of possession where you have you can use all the certificates or if you have a certificate already you can make use this one to prove that you where are the actual owner of the certificate because it was used already and but I think this is still planned and this is also something where you can use certificates from our other certificate authorities to have more or less like a trust on first use process so you once got a certificate and then it's more or less locked down to all people having access to this certificate or all certificates issued afterwards so the question was how a certificate relocation handled and I believe there's probably a regular cl there's also a signed ocsp responder which is an interactive method to revoke certificates and the other question was whether expired certificates are put in the cl and this is actually the good thing about the short validity of the certificates because you don't need to put them in the cl they are already invalid because they are expired so this also makes it easier for let's encrypt to keep the workload on the ocsp responder or small because they have only a signed information about the certificates that are still valid and that were issued within the last 90 days so the question was if there's a defense against registering domain names that look like official domains and there's a list of domains I think maybe the top 100 Alexa list or also a list about financial institutes and other high value domains and it's currently impossible to register domains that are too similar to them or are more or less the same and this even but this is also the also something that's currently a little bit developing for example it was possible for some people to register domains that looked too similar to to a banking domain but not by not by intention but more or less by accident so they have a domain that's similar and they got the first certificate but then later they couldn't renew because the restrictions became more restrictive okay so the question was whether I know any attacks that or any phishing site that's already using let's encrypt I think there were some phishing sites using let's encrypt but let's encrypt is also using the safe browsing technique used by browsers to identify malicious websites to also make sure that they don't issue certificates for bad domain names so the question was why are certificates only valid for 90 days so there are several advantages of doing this the one is that the workload for let's encrypt is reduced because to make to use this OCSP service which allows it to verify whether certificates were reworked or not other certificates need to be signed and since it's an automated service let's encrypt could have millions of certificates that they need to handle and with these 90 days they have a little bit of restriction in there also it makes sure that if you have a compromise of private keys of a certificate for example with hard bleed then you only have to