That's why I guess I'm kind of so excited about this next talk, because there's kind of, I suppose, one big challenge for these trends and maybe one of the reasons they sometimes take so long to get going is that they're pretty complicated, right? Security's pretty complicated, API's complicated, Angular's complicated and it can be kind of overwhelming to get into it. And so that's why services like Let's Encrypt are so important and talks like this are even more important and so I'm really, really excited to hand over to Sole, who's going to tell us all about Securing WordPress with Let's Encrypt.

Yes. Well, hi, I'm Sole. Soledad Penadés. Sole's fine. I work at Mozilla. I generally do front-end stuff, but as he said, with a new move to like HTTPS-only APIs, you cannot do front-end, the cool front-end, without a secure website. So I was like, okay, I need to find how to sort this thing out so I can do my cool stuff. So I am feedback-ing. So I just don't know what's going on. Is that better? Okay, good. Okay, I've got remote, so I should be fine. Okay, anyway, yeah.

So before I get started, I'm going to not assume that anyone knows about security because I didn't even know the most important things. So I'm going to try and explain everything very clearly because there are so many things that we assume that everyone knows that are not really clear at all. It's important to understand what we can do and we cannot do with HTTPS. So first thing I need to clarify is what do I mean with securing? We can have secure transmissions, which is a secure transmission between servers and clients or between any machine at all.
And then we also have secure systems, which is a system that cannot be broken because it doesn't have vulnerabilities or it doesn't have exploits or whatever. And in this particular talk, I'm just going to talk to you about secure transmissions because a secure system is like an entirely different world. And HTTPS only helps you with secure transmission. So these are transmissions between servers and users, not between servers and servers. That's not cool. And also we will try to make them as secure as we can make them because we cannot even be sure that what we do is totally safe. So the result of my investigation is that I'm super paranoid now and I hope at the end of this talk all of you are paranoid as well because this is horrible.

So yeah, HTTP, HTTPS, what are they? So HTTP is the language between browsers and servers and please don't "well, actually" me. I know it's not the language, it's a protocol, but I need to make things simple enough for this talk. So this is kind of like what servers and browsers talk to each other. And then TLS is an encryption protocol. So that's the S in the HTTPS. And TLS plus HTTP makes the HTTPS protocol or language or whatever you want to call it. So when you have an HTTPS, you have an encrypted connection between the browser and the server.

And here's when we get fully technical. If you've done engineering, as I did, this might be familiar, but if you haven't, I will very quickly explain this to you. Here's the internet. This is cables, Wi-Fi, things. This is physical. The internet is when you start having IP addresses on ports, but they don't know anything about ports or IP addresses. This is just impulses, electricity, that kind of things. Here, transport. This is when things start to get interesting, some kind of meaning. And then finally, application. This is browsers, the things that we normally interact with. So with HTTP, here we are just in TCP packets because we want things to be getting in order.
You want to have your whole website show up in a normal, meaningful order. If we use these UDP things, we might get things out of order so the website would not make any sense at all. So we're using TCP and the browser and the server are sending packets to each other. And they say things like the browser goes to the server and says, get the index HTML to me. And then the request is happening here in the transport. And the, like, get index HTML is being transported right like that down into the network. So if someone is here accessing or somehow having access to your network, they can see that you're requesting index HTML.

Whereas if you go to HTTPS, we have this extra layer of encryption that kind of wraps the older application layer, and everything that goes in between these bits is encrypted. So even if they have access to the physical side, they cannot know what you're requesting. So it's cool, we are hiding things, but here's the caveat. The address and the port number are still visible. So they cannot know if you're requesting a certain page, they cannot read the cookies, but they can still know that you're connecting to a server. So this is interesting because if we were using Tor or something like that, we can hide that kind of things. But, like, for example, with the upcoming law that they're trying to pass, the Snoopers' Charter, they can still find which servers you're connecting, but they cannot know what kind of searches you're running for. So you have some privacy, but not all full privacy. So secure, but not that secure. You are connected to something like MakeBombsReallyEasy.com. If the government wants to investigate, they might have some suspicions. But if you're just connecting to Google, they don't know you're looking for how to make a bomb, or that kind of things. The question of things you might be interested in.
So, yeah, with encryption, we have privacy, and we also have data integrity, which is important, because it means that whoever is reading your packets cannot also alter your packets, so it looks like something else. So that's interesting, but you need to remember that websites can still be malicious. Like, even if something is secure, it doesn't mean that it cannot... it's not going to try and install malware in your computer. So a padlock in the URL address bar doesn't guarantee that a server is a good person server.

So what kind of attacks am I talking about? So one of the most visible attacks is inserting ads. Like, for example, suppose you connect to a free public Wi-Fi, and suddenly a website you used to visit, which is HTTP, has ads. And you're like, where did this thing come from? So this is the person who's providing the free Wi-Fi, wants to get some money, so they insert ads to get some money out of there. And a slightly better way is replacing existing ads with their own, so they get the money that you will get, and you don't even notice that if the website usually has ads, and then you see slightly different ads, you're like, whatever, it's still ads, so you just become oblivious to that. You can also get behavioural tracking, but not even telling people that this is happening, so that's getting grosser as I progress. Also, you can steal users' credentials. So, for example, your bank credentials, and then you go and log in after a person is logged in, and then you just tell, I'll give all the money to this other person. And even probably worse is using the authenticated areas as a vector for elevating, for even grosser attacks. This might be the case because this is an issue with engineers. We kind of trust that people that have credentials to our system are good people, and then we kind of, like, reduce the security requirements for those areas. Like, yeah, people with a password are good people, they should be authorized personnel, whatever.
So we put less checks in place, and someone who's trying to break into your system can steal your credentials and then log in and do worse things. So, yeah, paranoia, yeah.

Also, how does this happen? So, some years ago, this wasn't feasible because everyone was using wired networks, but nowadays we have mobile phones, we have laptops. There are very few people that are using wired connections. So, public Wi-Fi access points. Next time you connect to one of those, you should think twice, because I could go to Trafalgar Square and start up an access point that has a captive portal and name my Wi-Fi "public Wi-Fi", and I'm pretty sure that 100 tourists are going to try and connect. And if I trick them into saying, log in with Facebook to connect to this free Wi-Fi, they are going to enter the details, even if there is no encryption or there is anything. So this is the kind of things that we are computer savvy and we know not to do, but most of the people don't know. So it's so easy to steal credentials. Also, access points that use WEP, those can be brute-forced, so you can find the password in a couple of minutes. Also, default router passwords. I think it's in Spain, it's so common that router passwords have default passwords. You could just go and say, admin, admin, and you would just be in, and you could just change the settings and everything. So you could just be in a block of buildings and start trying to guess passwords. Also, there were even apps for Android phones, so you could just find a password for this router. By using the name of the network, you could deduce the password.

So that's bad, but what's even worse is that even network providers try to make money out of their users. So, for example, Verizon was modifying mobile data so they could insert ads in the transmission of their users.
BT was inserting ads in our traffic because they thought that we would appreciate having targeted ads based on our, like, them tracking what we were doing without even asking and you couldn't even opt out. And they call it Webwise because basically we need some wisdom. And even it has been shown that some network providers are able to insert ads in a very strange way by using a glitch in the TCP protocol. Like they send a packet, which is duplicated, but they hope that sometimes you might get the ad, sometimes you might not, because it's legitimate packets. So it's using a property of the protocol to be faster or not faster. It's a tricky thing to do. But anyway, whoever controls the pipes has access to this, has access to whatever it's up to. So if you don't encrypt this thing, you cannot trust a bit. So this is horrible. This is dangerous and scary.

But yes, in case you still need more reasons. Using HTTPS is safer by design because browsers are way more picky about that due to the way it's being designed. And also I think this is important to see with users because we know better than them. You know that people reuse passwords and emails and things like that. So if due to their ignorance, they're putting their data at risk, we should know a bit better and try to help them avoid that kind of thing. So at least just encrypt our forms and that kind of thing so that no personal details are transmitted unencrypted over the network. Also, as I say, this is the thing that interests me. The newer JavaScript APIs only work with HTTPS. So if I want to keep doing cool stuff, I need to move to HTTPS. So this is something that is forcing me to do that. And even newer protocols also will only work over HTTPS. So if you want to be faster and la, la, la, la, you need HTTPS. And also browsers are getting really serious. You're going to have huge errors and warnings on things because since users don't care, we need to do something.
It's important keeping users safe. It's serious business.

So in practice, more diagrams. I am the user. I want to visit example.com. And example.com tells me, hi, I am using this certificate and it's being issued by mega-alls. And the browser is like mega-whats. Who issued this thing? Ah, it was mega-alls. Who issued this thing? This is very true. Okay. Who issued this thing? So we are kind of like following up certificates and this is following the chain of trust. This is how we validate that this certificate is okay. That it's actually a valid certificate. And at some point, because this has to end at some point, we end up in this super root certificate. And it turns out that browsers have a list of root certificates installed in their browser. So you can do this look up pretty quickly. So at some point we determine that this certificate is totally valid. So we can connect. And the browser continues and la la la la. We get example.com and we are happy. When things go wrong, you get things like this. This connection is not secure. This is a terrible thing. La la la la. If you look at the details, you can see that this is like "happy hacker fake". This is not like a proper certificate. Obviously normal users are not going to enter into like, who's going to check a fingerprint, no one. So if things go great, you get access to the website that you intended and it's all cool.

So how do you get a certificate? And this is where things get interesting. Normally, you would go to a traditional certificate authority. And so you generate a file. On the command line, using OpenSSL. You sign up in your system. That's registering for us a website. Upload the file, fill in forms. Wait for some post or something like HMRC. Do something like send you a letter with some code, la la la. You maybe have some code in your web to prove that you own the website. Maybe you go back to the website and prove that all the data you got in the post is back. Maybe you pay, so money goes away.
Then you finally get a digital certificate. But this doesn't end here because then you need to install this thing in the server. So you need to take the keys out and maybe in a year or so you have to repeat this whole thing again. So this is really tedious and people end up just like using the same certificate authority forever because they don't want to deal with some other like authority which is the worst. So this is the worst. And that's why I didn't do it before. I'm like, I'm not even bothering with all these things.

So with Let's Encrypt, which is the thing I guess you are here for, you install the client in your web server. You get a digital certificate for the domain using this client, which is an executable thing. You take the keys from the certificate and you can also automatically renew the certificates with the client and that's it. When I read it, I was like, that's not possible, there is magic somewhere and there is magic. So it's pretty cool. So it's amazing.

So what is this thing that is magically giving you certificate authorities? Well, it's giving certificates. It's a new certificate authority like those traditional old school authorities. But it prides itself on being free, automated and open and I'll explain all of this. And it's also a community project which is by the Electronic Frontier Foundation which is like advocates and defendants of digital rights in this cyber world, this kind of web world. So the other cool thing is that it's trusted by all major browsers. So when you follow the chain of trust for certificates issued by Let's Encrypt, they end up being accepted by all browsers. So you don't get this "certificate that's invalid, where did you get this thing from?"

So how do you install this thing? Well, the cool thing is that there is lots of support for this. Distributions that support that. You can just like apt-get install. And you can also do that from source, which is what I did. So I just like clone the repository and it uses Python.
So the first time you install it, it will try to install dependencies but it's like really, I think it's the most friction free Python thing I've ever used, which is a lot to say. So once you have the thing installed, you just run something like this and it says, hi, Let's Encrypt. Give me a certificate. Using the webroot method to... Using the webroot method, using my webroot path, which is example.com/public_html. This is what the website is serving. And then for the domain, example.com. And this is where magic happens. And after a while, magic happens. And then you get some files on the Let's Encrypt. So you get this, and then fullchain. This is what you need to set up your website using HTTPS.

So what's going on under the hood because this magic is weird. It's not black magic, we can decipher this. So the client connects to the Let's Encrypt server. And the Let's Encrypt server issues a challenge to our client that says, okay, if you want to prove me that you control this domain, and somewhere is this public_html/.well-known/acme-challenge directory. So there might be a number of strange files with generated stuff. And they also have to encrypt things or decipher whatever. But things are placed there. And then the server tries to connect to our domain and make sure that these files are there and they are correct. So that proves that we are actually controlling the domain. If it's all okay, it gives us a certificate. And we get the keys and we're done. But this is really fast. You can't even like feel like you're waiting. It's really, really fast. And then if you're really curious and you don't trust me, you can go and look at this and you will see the whole log which is really interesting to see how the things are going on. But you don't need to do that.

So once you have those files, and I'm using nginx and I'll explain why. You just need to point to those files from... You don't even need to copy them.
You don't need to do the things that it generated and tell it, like, just listen to the HTTPS port, turn the SSL which is encryption on, and bam! This is it. If you don't trust it, you should probably verify that it's working. So nginx -t, test. Maybe you need to sudo. And then if it looks okay, you just restart the server and you are using HTTPS, which is really, really cool.

So, why 90 days? So apparently it's more complicated to expire certificates than to issue certificates for a very short period of time. So the good thing is that you can renew them automatically as well with the same client. So it's kind of similar, but there's a small difference which is that we're stopping our server and then starting that. The cool thing is that when I run letsencrypt-auto renew, it's going to renew all the domains that are in this server. So that's really, I mean, it's annoying that you have to stop the server. But in contrast, I don't need to write any bash script to go domain per domain and like issue the renew thing. So it's really fast. I like simple things. So it renews everything and then it's cool. And the reason we're stopping the server is because we need to free up port 80 so that the client can like start a temporary web server that is going to be serving those challenges like the server is issuing us. So the files is the same thing that we have when issuing, but it's like we need a temporary server for this and when we finish, everything is done, this temporary server is stopped and we can start our server again. And even if we are serving HTTPS content, we still, it's a recommended idea to have a server listening on 80 so we can redirect all requests from HTTP to HTTPS. So this is minor. It doesn't really bother me. But I know it looks complicated and it's slightly complicated but it's probably, I don't know, maybe there's better way to do this thing, but I like things that I understand.
So if I find a better solution I will tell everyone, but so far I'm using this.

So the other thing you cannot rely on is to remember to do this thing, because obviously you're going to forget to renew certificates. So the best thing is to automate this. You can make a script called renew Let's Encrypt, and then this is as simple as you can get. You need the full path: stop the server, renew, start the server. And run it, so you edit the crontab and then run something like this, like every day at 5 am. My services, my websites tend to be really busy for like Europe and America times but not too much for Asia, so 5 am is a pretty good time for me. It depends on you. This is my setup and it's working and my websites have been HTTPS for a while and no one has told me "I can't access your website", so that's cool.

There are limits, it's not perfect single tier. There are some rate limits, like you can't reduce them more than 500 registrations per hour, but I think no one in this room is going to have this issue. It might be an issue for people who are trying to use, well, Let's Encrypt for encrypting domains, but I think for ours it should be okay. The other issue, the biggest issue I found, is that you cannot try this thing without your being accessible, so you cannot try things on localhost like before. You have to have like a slice or something, DigitalOcean or whatever you prefer, to be reachable so the server can contact you. Right now we can only issue certificates for web, so you cannot encrypt chat or mail or whatever, but it might change in the future.

So are there easier setups? Because what I told you was kind of like manual. Yes. There is an Apache plugin, this is officially supported and they recommend, I think, if you're using Apache, but I'm not because it's too slow for me. There is this plugin that was created six months ago and you haven't seen any change.
There is, to be able to do all these setups, and the WordPress CLI, but I keep checking to see if there is any progress but nothing is happening, so maybe in the future. There are web servers that have this thing built in so you can get from zero to encrypting in 28 seconds. Also hosting companies are implementing this for you, like DreamHost I think are going to implement this, so you just go to the control panel and say encrypt and it just encrypts for you. WordPress.com, I think as of last Friday, they are encrypting domains hosted on WordPress.com. So you can still get the benefits of Let's Encrypt even if you don't want to do the manual way, which is what I showed you, and it's actually the minimum thing you could probably, like, this is like the hardcore thing you could do.

So can we now get excited? No, not yet. Because the basic HTTP setup can be vulnerable. So the issue is that there are people using other protocols and ciphers, and all the defaults might be also dangerous. So SSL, which is the first protocol for encryption, has been proved insecure. So then like, I don't know if you heard about POODLE, this was a huge attack that they found. So the problem is that servers like nginx keep using SSL as a default, and they didn't accept the pull request to change that to TLS first, so they said it's fine and like really improbable that this might happen. So SSL is not safe, so the recommendation is to use TLS, which is safer, and also you should reverse the protocol, use the newer version of the protocol first because it's safer. So, or maybe just don't offer SSL at all. So for example if you have this default, which is what nginx does by default, SSLv3 la la la, remove this and reverse this, so this goes first and this, so this should be safer. And when a browser connects to your server it's going to say, hi, how can I encrypt this thing? And the server will say, I offered you this and this and this, this is kind of like the menu, and the browser will say, okay, I can do this thing, okay,
I'll take this. So that's cool. The problem is that other clients might not be able to do any of these newer things, so you need to be aware of that.

And same, like, you have a protocol, but the thing that actually encrypts things is the cipher, and other ciphers can be broken as well, so you don't want to work in connection with those because it's kind of like equivalent to not having any cipher at all. But which ones to choose? Because you've seen the protocol names are kind of like more or less intelligible, but the ciphers, like, should I use ECDHE, ECDSA, 256, GC, or should I use ECDHE? I don't know, I have no idea. So my suggestion is you trust the experts, the security people at Mozilla, who are way more paranoid than I am, who created this generator, which is pretty cool because you can say, I'm using Apache and I am kind of intermediate, so I could just enable these, and it will generate this thing for you, and then also will tell you which is the oldest client that can connect. So I mean even the oldest is Firefox 1, this is 2004, if you're still using that thing, wow. But still Android 2.3 was kind of like, and there are still a few people using that, so that way you can be sure. And the cipher is like a huge block that you cannot see here because it's outside of this, but it's like a huge block of ciphers, it's very strange and very long. So yeah, this is pretty fancy.

And also in client-level security you should totally enable Strict Transport Security, because this says the browser is being really strict and demanding. So once you visit a website that has HTTPS the browser will say, I'm not going to take anything less than HTTPS from this website. So even if you accidentally provide something like HTTP domain the browser will say, no, I am deserving something better than this, so I'm going to request HTTPS. So even if you forgot to update your website it will just ensure that everything is using HTTPS. And also if the certificate can't be trusted it will be like, no way, you're not tricking me. So
for example, if you connect to a network and then you go to some other network which is not really secure and someone is trying to man-in-the-middle you by sharing a fake certificate, the browser will be like, you are not going to trick me and I'm not going to let you connect to this. So it's safer, you are safe, this is cool. So you just add this header to the server. Don't worry about copying things, I have like a series of blogs where everything is explained and everything, so you should be able to get all of this.

And there are even more things, there is way more things you can do to harden a server configuration, and this is totally overwhelming, it's a lot, and it is a lot for sure. So the cool thing is that there are services that let you test these configurations. There is this SSL Labs SSL test, and then Mozilla has another thing which is kind of like a command line thing you can run in your server, and you point it to a server and it will tell you this is good, this isn't good. I really like the SSL test because it gives you ratings. So the first time I ran this thing it was like, oh, I'm going to be amazing, this is using Let's Encrypt. I was using this weak thing, so this is, wow, not that cool. But actually this generates a huge long list of recommendations, so I followed them and then I've got A+, so this is really cool. There are also lots of guides and tutorials, because obviously geeks want people to be safe, so there is like a whole list of guidelines and ways of having a very safe key and la la la, I don't know, there are many tutorials and you can keep looking.

And so yeah, WordPress considerations, because we are in a WordCamp, I guess. So the truth is that WordPress is pretty normal, which is good, I like normal, I don't like exceptions. So it pretty much works fine once you start using Let's Encrypt, which is super cool. I just found a couple of minor details. The admin uses an iframe for showing plugin details, so it kind of like goes to WordPress.org, gets the details, that with an iframe which
is served from your own website. So if you try to use this X-Frame-Options, which is one of the extra things you can do to harden, this option makes the browser say, I don't want this thing to be embedded in other domains or in iframes or whatever. So if you use this thing you're kind of like denying yourself from showing the details from the plugins. So my recommendation is you just use same origin, so you're still allowing your site to be framed in your domain, so that's good. But if you don't want to allow even that you can just keep just denying it, like super secure.

When you move to HTTPS you need to update those things like the address inside other URLs, because some plugins use just the constant WP_PLUGIN_URL and that, like, for pointing to CSS or JavaScript, so if you don't update that they will still use HTTP and you will get a mixed content warning from the browser. And also if you use Super Cache, empty the cache, like all files, like using HTTP pointing to the resources, so that's not cool. And this is the most horrible things I found with WordPress, which I think is pretty good for just like this huge change on protocols and things.

And once you have HTTPS and using WordPress you have privacy and integrity that I mentioned before, you have safe plugins, so your form is not going to be transmitted in the plain, and again people are not going to know what your users are accessing, so that's pretty cool. And if you run ads you keep your revenue for you. And here's this little thingy: unless your computer, your visitors' computers are infected with malware or whatever. So no one's safe, actually.

So what API features that you can access with this? This, this, this, this, this. My colleague who's here has done all these plugins, so you can have access to all these cool things which are only available with HTTPS. We are not doing this, but suppose you can do this in now and in the future, background sync and la la la. And the cool thing is that everything about Let's Encrypt is open source, which means that we
are kind of like trust them better than all certificate authorities. If you don't like the client you can use another client, so maybe even write your own client using the protocol, which is open and standardized as well, and maybe in the future certificate issuers might want to use the protocol to let you get certificates, so you can still use the same client and it's easier. Some numbers: like they opened the beta in September, December of 2015, they were the fourth certificate issuer worldwide, and in March they had issued 1 million certificates, and the coolest thing is that many of those websites hadn't been using any kind of security at all before that, so that's really cool. So, secure all the things, and thank you. I've got this thing where you can get all the materials that I've rushed through and yeah, that's it, I'm done.

OK, as always we have 10 minutes for questions, so stick your hand up, you'll get a mic, speak into the mic.

Hello, a slight multi-part question. So if you would go back to where you were talking about certificates and you've got the stack and levels. My understanding is if you've got a certificate, the trust comes from the certificate authority, which is where you've got the certificate from. Correct. And it's important that there are only a handful of certificate authorities and that they are secure and trusted. Well, it's important they're trusted, I don't know. So as a side, leading on to something else, if one of those certificate authorities was compromised, and that's quite bad, isn't it, they could do all sorts of terrible and horrible things. But in this case, from the past record, I imagine those certificate authorities are quite secure. But if you can put your hands up if you're on the university wifi, on the metnet wifi network, just if you've logged in in the last two days on your phone or your device. And when you logged in did you get a certificate security warning? And who pressed trust? So that certificate is self-signed from the university, and by clicking trust
you trust that, you trust any certificates that they hand out. So that means basically you basically trust the university isn't doing anything terrible, and if something terrible happened to a certificate authority, and terrible things could happen, and you're basically trusting that it isn't happening in this place, on this network, that they're not going to hand out other certificates and that they're not going to do other things. There's, in India there's a lot of controversy over universities that try to do similar things. They try to force you to install certificates so that they could see exactly what you were browsing and what you were looking at, so that they would be sure that their students weren't looking up inappropriate materials, and that they could snoop on all of their private communications by replacing official certificates with their own. And then of course because it was a requirement to be a student that would be an option. So when you're connecting to wifi networks always be worried. I've noticed sometimes on Macs it prompts you, sometimes it doesn't, but the warning is there if you look for it, but it's not obvious and it's not something that people are told, so just be very mindful of that. Say if you're on it now, I would say that I wouldn't think that the university is trying to do anything terrible, but to be mindful. If you're on an Apple device usually you can go into General under Settings and profile configuration, and you can usually see the list of what's been added there in the past. So just a note.

Just to answer your question, if that was a question. When certificate authorities are like, I don't know what you actually were going to, anyway, browsers invalidate their certificates. That happened with some authority a couple of years ago. So if you connect to a website which is using that kind of certificates the browser will say the certificate is invalid, so users should be fine. Just in case, there is ways of doing that.

Any other questions?
I was just wondering if you could maybe share your experience with, have you had any experience with using Cloudflare Flexible SSL, do you think?

I haven't really, but I found, well, I was reading all these things, you can duplicate the certificate that you issued from Let's Encrypt, so you can upload the keys to Cloudflare, so you can still use self generated or list certificates with Cloudflare or other CDNs. I think you'll see the ends because I'm kind of like a small user.

Thank you.

Hi. What is the prevention to stop someone who is in a situation of doing a man-in-the-middle attack from automatically regenerating a new certificate, so that when a visitor comes to your website they will get a valid, a trusted certificate? It cannot be trusted. If they are doing a man-in-the-middle attack, they are sat between your server and the internet, so therefore they can see all requests coming into your domain because they are passing through them.

So if the browser already visited your website and you have strict transport security...

Yes, so they go to example.com, it goes to your IP address. If they sit in front of your IP address, they will fail at that point. But if then they request, they go to Let's Encrypt and say "I want a certificate for example.com", Let's Encrypt gives them a new certificate.

Do they have access to let's example.com?

Yes, because they are sat in front of your IP address, they have gone to your network.

Can they reach that place?
I mean, man in the middle means that someone is in my network, so they have to be in the same network that Let's Encrypt is, so they can fake it, so they have to be in the same network as you.

Well... But luck.

How do you prove that the person requesting a refresh on a certificate is the original person that asked for that certificate, and not someone else coming along and saying "I want a refresh on this" but not actually being the original site?

I'm not quite sure you are finding this to be a certificate, but I'm not quite sure you are finding this thing in the same server, so it has to be, it's a connection between the server, between your web server and the Let's Encrypt server. So if something is happening between, it's always a person that controls the domain.

If it's a man in the middle, someone sat on that network sniffing your traffic going through, whilst it's encrypted that's fine, if they can then fake it...

Maybe you just live IT, so I think you should ask that in the forums if you are curious about that.

Hi. The reason the renew process is so different is because part of the renew process is serving up your original SSL certificate, so if you have a man-in-the-middle attack for the renew process, they cannot sign as if they were you. So your request goes out, renew the certificates, they come back and get man in the middle, and they are going to give you a new certificate, but you still can't actually sign as you originally.

Yes, a renewal request, but if you initiate a fresh request and you've already done a request in the past, Let's Encrypt isn't going to serve you a new certificate because you already have one, possibly. I know that you can't request another one when you still have one, and renewing it is difficult, slightly more difficult, because of that exact scenario. But you shouldn't be able to get man in the middle during a renewal, and a man in the middle shouldn't be able to renew because they need your original certificate to sign for the renewal.

It's like a public-private key that's
over-accessible authentication. You're man in the middle, but even though you make a fake request they're not going to renew it, because you don't have a virtual private key. But some people don't... If you could generate one for that domain, it's clear that you now all make what we have as a friend, it's going to visit the original domain and challenge it with something, so the man in the middle would need full control of the domain at that point.

We're a little tight on time, so I think this would be a good discussion for after the talk. We've got time for a final question, so stick up your hand and let's have it.

It's not really a question, it's more of a comment.

I'd specifically ask for a question.

John Blackburn is working really heavily to make core support HTTPS. There's a bunch of weird edge cases with it. Have you heard about his plug-in?

I think we've got room for one more question before we finish, if there are any. If there aren't, we'll finish.

Just a comment, not a question. I'm not sure, I think earlier a gentleman mentioned about the university. I think the university may have issued their own certificate, your own you cannot offer, but I think when we're all using public Wi-Fi, I think it's highly advisable, you can get your own VPN connections very, very cheap, four or five dollars. So if anybody's really conscious about using open Wi-Fi networks, just get your own server, OpenVPN server.

That's good, you're getting paranoid. I like it.

Okay, well, a fantastic talk, I'm sure you'll all agree, so let's give a round of applause.