Okay, so welcome everybody to the last session, I believe, for today. So we're very happy that Peter Eckersley could make it. That's one of the positive things that the CCC camp happened at the same time, so he was anyway there and he agreed to drop by to give his talk on Let's Encrypt. He's the chief computer scientist from the Electronic Frontier Foundation. So please welcome Peter Eckersley.

Thank you everyone. So I'm gonna talk about a project that we've been doing at EFF and the University of Michigan and Mozilla for the last couple of years. And the aim is to issue free certificates automatically using an automated protocol, so all of those things that are currently not encrypted can be encrypted.

Obviously the web is great. HTTP has done very well. It's, it's been an amazing service to humanity, but it's not good enough anymore. We know that the HTTP protocol is completely structurally insecure. You can't do anything with it that is private or protected or authenticated, basically, and so we need to do better.

We've been campaigning on this issue at EFF for about the last five or six years. The first thing we did is we started just talking to big companies. We went to Google and we said, "Can you please make a version of search that is encrypted?" and they said, "I will think about it." And then they came back to us one day and said, "We're actually gonna offer an optional version of search that you can use over HTTPS," and so to celebrate that we launched a browser extension called HTTPS Everywhere. And then we went and we started hassling Facebook and Twitter during the Arab Spring, and Wikipedia, and gradually these companies either made HTTPS an option if it wasn't before or have now largely gone to HTTPS by default, which is great. We're making good progress. But unfortunately, we're not done yet. There are huge.
I mean, maybe the people in this room don't use Bing, but there are huge parts of the web that are used by hundreds of millions of people that are HTTP, completely insecure, vulnerable to surveillance or hacking by default. News websites in particular are a disaster, and I'll talk a little bit more about the mixed content blocking problem, which has bedeviled efforts by news sites to, to upgrade to HTTPS. But sometimes of course the things you choose to read, whether it's on a news site or some other site, can be quite sensitive. Revealing the information, the records about what topics you're paying attention to, should be private, and it's not private on the web today. So whether you're reading about Amazon's business practices or you're reading books on Amazon, you'll be doing that over HTTP. Even Google, which largely has been a leader in this space, still has, still has large amounts of its site, especially on the ad side of things, which are not encrypted by default.

Now you might, you might think that this sign-in button here is inadvisable on an HTTP website. Actually the sign-in button is fake. It's not really on that site, but once the page is there on HTTP, it's easy for an attacker to inject a fake sign-in button that leads to a phishing page. So this is an example of what happens if you try to ever serve any page over HTTP.

So we know we need to be encrypted everywhere, the whole web. But the problem with telling people this is we are essentially torturing web developers. We're telling them they have to do this thing, but then if you actually then go and try and do it, you'll end up on a page like this with, you know, volume, multiple chapters' worth of instruction saying I have to get this certificate signing request, and here, go and read the OpenSSL man page to figure out how to make one, and then what do you do with it, and then you have to talk to a certificate authority, and what is a certificate authority and how do you find one?
And, and the one you Google for first will not be a helpful one, or whatever, you try to find a free one. It's, it's, it's a disaster. In fact, we did some experiments. I unfortunately don't have time to show you this video, but we did some video experiments where we recorded our colleagues who had websites attempting to enable HTTPS. We did this with three of our colleagues on different occasions. Two of them just failed altogether. One of them succeeded, but it took, he's a computer scientist, it took him an hour to get his personal website to be HTTPS. And so if we, if even really competent people take that long, we can't expect every web developer to go through this, this process.

I'm gonna skip that video because we don't have time, but, and even once you've got your certificate, the configuration options that you're confronted with when, when trying to decide how to arrange your server are mind-boggling. Particularly if you read the news, you say, oh, should I use, you know, this cipher suite this week, is this one better? This is the history of RC4, which of course went from being disrecommended to briefly recommended as a mitigation against other attacks in old versions of the SSL and TLS protocols, and then went back to being disrecommended. So unless you're following this stuff for a living and paying attention, you aren't gonna know how to configure a TLS server correctly. It's very complicated.

We have things like large parts of the, the client base being, requiring SHA-1. For a long time all the CAs used it, but we know that, well, we have an instant messaging window here opening. I better kill that. You back? All right. So we know we have to get rid of this. SHA-1 is insecure. It's probably breakable in the next few years by an NSA-type actor. But, you know, how are you gonna go and reconfigure all your systems to do it? We need some kind of, you know, moment when we switch to SHA-2, to SHA-256, but, you know, how are we gonna get there?
And of course there are all these attacks that keep coming out every, every few months. It seems there's another serious attack. This one, Logjam, is particularly notable. Logjam appears to have been the reason that there was an NSA slide deck that said, you know, VPNs, we can break them; HTTPS, SSH, we can break it. Not all of the time, maybe 30% of the time they could break it. It was probably this attack. You don't really know, but it looks like it could have been a method. And so if you had been following a certain set of best practices for Java compatibility and choice of a good Diffie-Hellman group prior to the realization that this attack existed, you would have been vulnerable perhaps, and then afterwards those recommendations changed. You now need to make your own Diffie-Hellman groups, which may take a long time. It's several hours to generate one and then check everything. And so we, how are we gonna tell a million web developers to sit around following this stuff?

There is a cool website called the SSL Labs, Qualys SSL Labs test page, and you can go and point it at your website after you've got TLS deployed and it'll try and evaluate how good your setup is. But most, you know, big websites or most people who deploy this for the first time will get a very low score. And it's only after you then go and read a whole lot more documentation that you can figure out how to get an A+ like we managed to get for Let's Encrypt. But it took us a while, right? We actually had to spend quite a bit of time tuning our configuration. So it's no good to tell everyone to do this. You know, you want to drop something like this from Bulletproof SSL in your cipher suite list, but, you know, how do you know what that is?
The next problem that we have is called mixed content blocking, and mixed content blocking is on one hand absolutely necessary for a secure web; on the other hand, it's turned out to be a huge problem for deployment. And so an example of what mixed content is: if you go to the Lenovo website, it's HTTPS. It looks good. But actually some parts of the page, the fonts are broken, the CSS is broken, maybe even parts of the page don't work. You open developer tools and you say, why is this? And it turns out that the answer is there were some HTTP scripts and CSS inside an HTTPS page, and the browsers have come to enforce the rule that all the scripts must be the same security level as the page, because if they're not it defeats the protection. In the old days you'd get the crossed-out HTTPS, but now they just block it. But that means that many websites like Lenovo or like the New York Times or the Guardian or any, you know, news site is gonna break as soon as they deploy HTTPS.

We actually have a tool you can use. The HTTPS Everywhere client for Firefox and Chrome has them, I think it's just the Chrome version that has this mode, has a mode where if you're a web developer you can go to your own site and it'll make suggestions about how to rewrite the script and CSS URLs in your pages to something that will load over HTTPS. So you can, you can fix this, but you need to, you need to know about it. It's expert knowledge.

There's actually a really cool initiative at the W3C to, that's just created a proposed specification for this new form of Content Security Policy header called upgrade-insecure-requests. So instead of, this says instead of blocking everything that's HTTP in the page and making my Lenovo site break or the New York Times site break, instead, if you set this header, it'll try the HTTPS version first. So this is much more sensible behavior. It's a pity it's not the default, but there is now a way to do this. But once again, we have the problem that, how do we tell everyone?
There are a million people out there with websites who need to turn this thing on, and that we have no way, I mean, you guys are in this audience paying attention, but we have no way of getting this esoteric information to the people who need it.

The next problem, and this is one you might have heard us talking about at EFF for a long time, is once you've dealt with all this stuff, you have a beautiful secure website, it's not actually that secure. This is part of a map that we generated in 2010 by port scanning the whole internet. We port scanned all of IPv4 address space on port 443 and said, hey, are you there? Is there a machine there? If so, we tried to do a TLS handshake and we saw what certificate we got back, and then we examined all of those certificates to see how many certificate authorities were able to sign a valid certificate that a copy of Firefox or Internet Explorer or something would accept. And we thought that we were going to find maybe 50 or 100 of these certificate authorities, but actually it turned out there were thousands of them, run by hundreds of organizations. And you might say, well, how is that possible?
I opened Firefox and I looked at the list and there were only, you know, 66. But they're actually able to delegate or cross-sign their authority to other organizations, and they do this quite a lot. We'll talk about that a little bit more later. But as a result there's this huge number of CAs that can issue for any domain, like google.com, addons.mozilla.org, debian.org, any of these names. 1,000 organizations, 1,000 CAs can sign a certificate for debian.org, and then that means that there are a thousand places in the world or more that you can hack to get a certificate for debian.org.

Now we flagged this as a theoretical problem back when we got these results, but actually it turned out to be a real problem. For instance, a recent example: this Chinese certificate authority that everyone had been worried about had actually, it didn't itself issue a malicious certificate. It issued a subordinate cross-signature to another CA, which in turn attacked Google, and Google noticed. But although, there was also the DigiNotar incident in the Netherlands, where a Dutch CA was compromised and they were used to attack Gmail users in Iran for, for over a month, and, you know, order of 300,000 people had their usernames and passwords compromised by some Iranian-related attack. So this system is structurally insecure. There are too many certificate authorities.

So I'm going to talk about our vision for a solution. And, you know, the first thing I'm going to say is it needs to be a solution for, of two thoughts. It needs to be a solution for security, and also it needs to be a solution for usability. We need, we've come to learn that there's no such thing in fact as security that isn't usable, because it's great to have a computer which theoretically has the correct properties.
But humans are actually parts of our systems, too. And if the humans get confused or don't know how to use the system correctly, then in, in deployment the system will be compromised by, by either technical or human methods.

So getting back to this question of too many CAs, you know, our solution to that problem is to launch one more CA. And I sort of jest and I don't. I mean, essentially our reasoning here is we'll do one more. We'll get it right this time, or much closer to right than anyone else has done so far, and then we can worry about the problem of, you know, what to do about structural insecurity from the other ones. There are some ideas about that. I'll talk about them later, but first let's talk about how to do one correctly.

The big question you have to answer for security when you issue a certificate is, should you do it at all? How do you decide if a particular person who comes and asks, you know, a Debian sysadmin comes and asks for a certificate for some domain, do we give it to them? Our solution involves, you know, it's a little bit like a scene from Monty Python's quest for the Holy Grail. You know, the, the, the sysadmin or the system comes along and says, you know, "Please give me a certificate," and the CA says back, "Well, all right, bring me a shrubbery." And, and then maybe they, you know, the, the system goes off and finds a shrubbery and comes back with it, and then it says, "Oh, it's a nice shrubbery, but actually want another one, like another different shrubbery next to it." And so we have a conversation a little bit like this happening in a protocol that's being standardized at the IETF called ACME. And the shrubberies are challenges in this ACME protocol, and so the protocol can contain many different kinds of challenges. I'll talk about those in a second.
And so this is, this is an architecture for, for verification of domains. But fundamentally, because there is no prior crypto in most cases, we are trying to figure out how to do encryption for the first time, we have to know what key to use and we have no cryptographic authority to begin with, so we're gonna have to bootstrap that somehow. And the way this currently works, if you have, how many people here have gotten a certificate from a CA before? How many people have not? So a few more yeses than noes, but you're, you're a mixture. So those of you who have have probably had this experience that you go to a CA, you say, give me a certificate today, and they send an email to your, to some special email address like root or webmaster or admin at your domain name. That's the common one. Then you have to click on a link in that email and then you're done. Well, you're not done, but you have, you're done with that verification. You still have to pay money and, and deal with bureaucracy, but that's the only validation they do. A small number of CAs also support this other kind of validation where you put up a special nonce file on your domain name over HTTP.

So we're gonna do something that's in some sense quite similar to these methods. The ones we're gonna support at launch is a thing called DVSNI. How many people here know what SNI is?
Yeah, so for the other people, SNI is an addition to the TLS or SSL protocol that was added to solve a structural layering problem, where prior to the existence of this method the client would just say, I want to talk TLS, and the server would come back with a certificate, and then you could speak HTTPS over the TLS connection. And then in the HTTPS session you'd have a Host header saying what domain name you wanted. And that, that old arrangement was completely incompatible with virtual hosting, because the server didn't know what domain name you wanted until after you'd already started speaking TLS and accepted the certificate, but the client needs to know what, the client needs to inspect the domain name in the certificate before it can start speaking TLS. And so the server's stuck. It doesn't know which name, which of its many virtually hosted domain names to give a certificate for. So there was this addition to the protocol that lets the client say, I want to talk to this particular name, and then the server can pick the certificate, come back.
We use this channel in a different, you know, novel way. We ask the, the, the web server to configure some fictitious SNI names, not the ones you're actually serving but special, like, like weird non-existent ones, and we verify that you can put up a special certificate on those non-existent SNI names. And the purpose of doing this is to essentially request that the, you know, in the challenge, that the, the client prove that it controls the Apache configuration or the nginx configuration or whatever server configuration you have on that box. And so just being a, you know, ordinary user will not be good enough. You need to have WWW user access or root access depending on the system, whatever it is that lets you reconfigure Apache, you can pass this challenge.

The other one we'll support is simple, like the simple HTTP thing, which is a little bit weaker. That's like the nonce we had. That domain, it's a little bit weaker, but it should be easier for people who are behind proxies or CDNs, so they can put up a file behind the proxy or the CDN. So at launch we're planning to have these two, and what we'll compare them in deployment, see how they work.

Later on we're planning to support DNS validation. So if you have a huge infrastructure and you want to just do validation in one place, you can put up a magic TXT record. What we're also planning to support a faster and more secure version of this DVSNI thing, where you want to have a thousand names virtually hosted on a server. You can do one single DVSNI connection to us. And basically you say it, we say, make these 100 different virtual hosts, and then we pick five or six of them randomly and validate those five or six randomly. And then we know that you probably did all 100, because statistically you couldn't have guessed which five we were going to validate. And that way we can basically be confident that if you ask us for a thousand names, we do one TCP connection.
We're convinced you're serving all of them. But so all of these methods, this is what we're going to support on day one, and these are the things we're going to support later, but all of these methods are fundamentally terrifying. If you, if you're building a giant robot to issue certificates for the whole web, what you're doing with these things is you're saying, I'm going to fling some TCP packets down a dark corridor, and I'm going to listen to the message that comes back, and I'm going to believe it. And I don't know what monsters lurk in that dark corridor. I don't know if there's a hacked router. I don't know if there's a hacked DNS server. If there is, I'm going to be fooled by it. And so this is a problem.

We aren't quite in this worst-case scenario. We can do slightly better by doing multiple paths. So rather than just validating from one dark corridor, we can start in several places on the internet and try to connect to the server, and if we get the same answer back from all of them, then we know that it isn't at least, you know, if there's a hacked router, it can't just be anywhere.
It has to either be very close to the victim or someone very good, someone who's so good that they're able to compromise our routers all over the internet. And so we significantly reduce the attack surface for breaking domain validation.

But this is still not good enough, actually. We're still, we still wouldn't be satisfied launching a big robot to do authentication for the whole web if non-cryptographic attacks would allow us to, for instance, be used to compromise a bank, a small bank in some country, or a corporate webmail system somewhere. So we really should try to protect against this, and fortunately we can do better.

So I mentioned before the SSL Observatory, where we port scanned all of the public internet. We also have a decentralized SSL Observatory through our Firefox HTTPS Everywhere users; they can opt into sending us certificates. So we have this, and we have Certificate Transparency from Google. We have these giant databases of all the certificates on the web now. And so we can use these, both the centralized and decentralized ones, to sometimes demand a different kind of shrubbery, not just a domain validation challenge, but we can say, oh, we see from our database that there is a current existing valid certificate for your, you know, small corporate webmail system or your bank, and so actually please prove to us that you possess the private key from that certificate that already exists. And so that way an attacker who can compromise a router can't come and use us to attack someone who already has a certificate now.

So this, this is really good. But it, you may notice that there are some potential usability problems. If you've already purchased the certificate and then you lost it, your hard disk crashed.
You don't have the certificate anymore. You're gonna get this demand from us saying, bring us the shrubbery, bring us a proof of the private key. But you don't have it anymore. So what we will do in this case, you know, we won't be able to issue to you. But there is an escape path, which is you go back to a CA, one of the existing CAs, you pay them money, and they do the, the manual verification. They call you on the phone, whatever it is. You pay, you pay for a new certificate. Then you can come back and run our automated client again, and you can pass the proof of possession challenge with your new cert.

So there is this idea of, you know, in the theory of authentication on the internet, of, of TOFU, trust on first use. You're probably all familiar with this idea from SSH, where SSH didn't have any of this nonsense with certificates. And what we're able to do here is basically get back the security, the type of security that you get with SSH, but deploy it in a place where it was never really deployable before, which is web servers, email servers, servers where the people who are connecting to the server don't know the sysadmin that controls it. So, you know, you couldn't do SSH for the web because if you ever got that weird SSH error message with the wrong key, how would you know if you should click yes, or if you should abort because you're under attack? You know, with SSH usually just call the person who owns the server, or you are the person who owns the server, and so you know the right answer. But with HTTPS, you know, that, that model wouldn't have worked. But here with us in the middle.
We basically get to function this way. So we're pretty excited about that.

We'll also be able to solve a lot of these problems that people have with deploying HTTPS and TLS and configuring it correctly. And the idea is to produce, you don't, obviously, Debian users don't need to use this, but if you want to, we'll produce a client, or a rich client, or an agent that you run on your servers that knows how to configure your, your cipher settings and everything else on a dynamic basis and just do it right. And so rather than having millions of web developers out there and we're telling them all, you need to be experts on security, you need to know everything, you need to follow the news, deprecate this, change this every day, we can have a much smaller group of people who work with us, you know, basically on GitHub, and come in and tweak the code, and we can put in good solutions, maybe a couple of good solutions. There's a maximum security mode and there's a maximum compatibility mode. We, what we focus our energies on these two things, and then we can deploy that out to a million people and their websites via the agent.

So the plan for the default, this default client, is when you run it, it will tweak your server. It'll use Apache or nginx, or in fact it can use any server; it has a little plugin API. So you can write a plugin to do Dovecot or Exim or Postfix or your XMPP daemon or your IRC daemon, anything you want. You can have these, these plugins configured to pass the challenges, pass, you know, bring shrubberies to the CA. You can have them just accept the certificate once the challenges pass. So probably for your IRC daemon.
We're not going to validate anything of IRC. So you use port 443 to get the certificate, but then you can have a plugin going to take it and install it in your IRC daemon, and then it can also tweak the security options inside that server to, to follow current best practices.

And then of course the other thing you'll know if you've deployed HTTPS is renewal is a giant pain. Just as soon as you've, you know, it's so complicated getting a cert and you figure out how to do it, and then about 11, 12 months later you've completely forgotten, and then your certificate expires and your site goes down. So we're able to automate renewal for the certificates, and maybe we can also automate even some of the more, more interesting, what, sort of more predictable security response tasks. I'll talk more about that in a second.

So automation comes in different, for these protocols comes in a spectrum of difficulty. There's easy stuff like tuning the ciphers, turning on OCSP stapling so people can tell if your certificate is revoked or not, doing the upgrade-insecure thing for mixed content that I mentioned before. Those you can just turn on, where there's gonna be a, turn it on for everyone. These are obviously good ideas. They don't have any real downsides, so they're good defaults.

There are some things where we're gonna have to hold the hand of the sysadmin a little bit more. We can't just charge in and do a redirect to HTTPS, because for some clients the mixed content blocking will become a problem if you just redirect, and things will break. And so we need to, you know, maybe turn this on but then tell the admin, hey, go and check that everything's working okay, and then here's how you wind it back if you turned on something that was broken. Renewal is a little bit tricky to get right.
I think we've actually got a pretty good implementation of that. Harder stuff. It's doing full rewriting for all clients, or HSTS, which is a really important security header that you absolutely need to set. No one does right now, or very few domains do, but the, one of the reasons why people don't set it is because, not just they don't know about it, but if you set it and you get it wrong it breaks your website. It has a very strong set of security properties, and it has a time to live, and if they're violated before the time to live is done, then the site is just down. The user will get a big red, red everything that they can't click through. So it, it requires a lot of care before you turn this on.

The hardest things. One of them is HPKP, or pinning, which is the solution to the problem of there being hundreds of CAs. There's now a header you can set which says, from now on, for, you know, for the next two months, three months, six months, do not accept a certificate from any CA except, what, you know, the two or three that I name here. The problem with doing that is if you accidentally violate it, you know, your CA starts costing too much or you stop doing business, business with them, whatever, again you have an un-, like an unrecoverable error, or if you ever serve the wrong HPKP header on your site, you're completely, completely screwed. So this stuff needs to be done very carefully.

It's also possible to do what, what we call mixed content auditing, where we use the Content Security Policy to cause clients to send a message to servers if they see a, an HTTP script or image inside, or CSS inside, HTTPS page. But that's tricky because we need a place to put up a server for you. It would be a little bit crazy for our agent to start running new web services on your servers without you having configured them.
So at some point we may be able to do this kind of stuff, automating fixing these problems, but it's going to be hardest.

But so, so having done all of this, it just remains the case that operating a robot to authenticate the entire web is terrifying. It's this giant machine that could get hacked, it could go wrong, and if it does it'll have terrible security consequences for a lot of people. And so we need to protect ourselves and, and you guys as much as possible when we launch. So we want to both defend in depth, have multiple layers of protection against compromise, but also have very good plans to detect if we ever get hacked and to make sure that that hack doesn't cause a persistent problem. We always have a way to recover pretty quickly if something goes wrong.

So in terms of transparency, we have three big things we're going to do. One is we're going to publish all the logs of the ACME protocol stuff that happens. So if someone comes to us and asks for a certificate, we're going to publish a record of what IP address they came from, what, what challenges we gave back to them, what happened when we ran those challenges, what the conclusion was. So you guys, anyone who's interested, can watch our live stream of what we're doing and audit it and help us to catch problems if they're occurring or attacks if people are trying them. Then at the output level, once we've decided, yes, you get to have a certificate.
We're going to publish every certificate we issue in a verifiable way. So they're gonna have a portion of the serial number that is strictly incrementing, and then a signature on every certificate over the incrementing number, so that actually functions like a blockchain. Basically, there'll be a public record that you can inspect. This is the complete history of all Let's Encrypt certificates. If there's anything in that history that shouldn't exist, you can see it, and if you ever have a certificate that doesn't have the serial number and the signature, you know it's malicious. We're also going to publish this to the Certificate Transparency logs run by Google and other people.

We'll give you a way, if you want to only use us and, and not the whole 500 other, thousand other CAs, to turn on this pinning stuff if you're brave and crazy. And I think it'll be a good idea for sites that have a fairly, fairly high level of operational sophistication. But we'll still want that to be a thoroughly buried power user feature until it's very well tested.

We also plan to, to try to implement a feature that doesn't exist for current CAs, which is the server, the CA itself should be able to send a message to clients, your web server, showing, hey, we've spotted a problem with your cert or with your key. Maybe there's an attack against your server, it's Heartbleed, or there's a weak key on your machine, or in the worst case, we've been compromised, our subordinate intermediate CA has been compromised.
We're gonna have to revoke your certificate, but we'll tell you 12 to 24 hours in advance, so you can ping us over OCSP and see you're about to, to reissue this, require reissuance or rekeying of this cert. If you are, then your client on your, on your server can just do that automatically for you without your pager having to go off. And this means that where current CAs, if they're compromised, it's just a disaster because all these websites go down, with us we should be able to have a plan to roll over really fast to a different set of keys, a different set of hardware. Or when we see a lot of compromised machines, we can help them get fixed really fast.

So this project, as I mentioned, is a collaboration. Originally EFF and the University of Michigan had a project, Mozilla had a project, the two merged together. We're also getting sponsorship from Cisco and Akamai, IdenTrust, Automattic, and some other people, I think, on the way. The project is housed in a new nonprofit called ISRG, the Internet Security Research Group. EFF is working mostly on the client code of the agent software that can run on machine, on OSes like Debian, and on the server, which is written in Go. It's called Boulder. Mozilla and ISRG are mostly in charge of the, the, the actual servers and the CA operations. Everyone's working on the bureaucracy.

The schedule has slipped slightly from what we first announced, but it's still pretty close. So we'll be issuing first cert around the 7th of September. There'll be a validity, public, those certs will become valid, and there'll be a beta that some people can participate in publicly from around mid-October. And then everyone can use it from mid-November. In the meantime, we're dealing with a lot of audit and bureau-, like both technical and paperwork bureaucracy, and also coding away on GitHub. We'd love your help. We have three repos: the spec, the client, and the server written in Go. And you can help us encrypt the web now.
I have a little bit of time. I'm going to try and show you guys a super quick demo of this thing in action. So, can everyone read this font? Is it big enough? Okay, so I'm gonna just do that to reset everything to start-of-demo state, and then open a new little window. So I have a test website here. It's very simple, just HTTP. And then I also, I have two of these. Here's a fancier website. It's a bit like the New York Times website or something, with a lot of fancy content on it. It has some embedded JavaScript that causes ponies to dance around when they load. Here we go.

And so over here on this server we can run the Let's Encrypt client, and let's put it in verbose mode, and let's ask for redirect, and here we go. So it figures out what names you're serving. Here it's asking for shrubberies, and then it's going to go and get them, and where previously doing this took about an hour, now we're done. So let's see how this works. We don't have the redirect. Oh, yes. Here we go. We have a redirect, HTTPS.
This is not actually valid. I had to add our test CA into the browser, so you can't get a live cert yet, but it'll be live in mid-October. But we still have some problems here. So I mentioned HSTS before. If we reload this page, you look at the network requests... Wow, this is actually hard to do with such a small screen. Okay, I'm sorry, I'm not actually going to be able to show you. Basically what you have here is you'll still have a single HTTPS request that's hijackable, because even though we're redirecting, the client doesn't know there's a redirect until it sends all its cookies and everything over HTTP and gets told to go to HTTPS.

And on the other, fancier website things are also not going so well, because when we go to HTTPS, mixed content blocking has kicked in, and so we have no ponies. It's really sad. Now, the user could get the ponies if they knew that this little shield here lets them click on it and ask for ponies and insecurity, but that's not good. It's like, we don't, like, users don't even see that thing.

So we can also support secure mode. And here, this is the version where we're willing to take some risks. We're willing to turn on some fancier, more experimental security features. It's gonna take another 20 seconds. It's getting its shrubberies. Okay, and this time you probably won't be able to see it, but this time, especially on the second load, there is no longer an HTTP request that's made. It now goes straight to HTTPS because of the HSTS header that's been set. And then if we go to the fancier website, this time, let's reload it. The upgrade-insecure header has been set, and so even though the page contains an HTTP list of ponies, the client is told by this header to upgrade the request. And so now the New York Times or whatever website, Lenovo, can have their ponies. Anyway, thank you everyone. We have time for a few questions.

Yeah, thanks a lot, Peter. Are there any questions? If you have questions... Okay, I'll just pass the microphone.
I just want to say thank you very much. I have a PhD in computer security and my colo, my own personal website, is not using TLS for all these reasons, and I'm just so glad that you are wading through this swamp for me. Thank you very much.

What about email certificates?

So, do you mean S/MIME or do you mean IMAP, SMTPS, those? So pretty early on we'll be able to support the IMAP, POP and SMTP cases. Those are, you know, you can use our current software to just obtain a certificate and then you can copy it into your configuration. But you can also write a plug-in for, in fact, we're hoping that people will write a few plugins for the common free mail clients, sorry, free mail servers, both the SMTP kinds and IMAP and POP, that know how to automatically deploy to Postfix, to Exim, to Dovecot, etc. On the MIME front, that will be separate engineering on the server side, and we are going to focus on getting TLS done correctly and working correctly before we think about whether S/MIME is the next step, but it might happen.

Hey, thanks for doing that. Let's Encrypt is like a cool project that pushes the web forward. But I got some questions. I'm like one of the guys behind Tor and CJDNS and alternative routing protocols where like statistics when and DNS is not the issue for the certification behind, right? And will there be support for, like, CJDNS and Tor, with my first question, and then the second question would be, like, if there would be, like, the possibility to have, like, certificates that are anonymous and not traceable, so that people can host anonymous websites without being traced by the government or so.

So, there are multiple cases in there. I think that the first feature that I want to implement that's Tor related is a dash dash Tor flag for this client, which knows how to go and make a hidden service that maps to your existing website. And so you are a public server. You're speaking TLS on the public web.
So you don't have this confidentiality thing, but you want censorship-resistant routing to your service, so people who might be subject to DNS censorship or whatever can come and connect to you over Tor. And so, you know, initially we'll probably use onion. We've also been talking to the Tor development community about other, you know, things that might be a little bit faster than all six hops of onion routing. In terms of pure onion certificates and whether we can do a completely anonymous certificate for a .onion name, I don't know the answer to that question. I know that the rules that this current club of CAs have made up would currently, the ones that they wrote for themselves before we get to join the club, require what's called an EV certificate for a .onion. And so under those rules, unless we can change them, we won't be able to issue you a .onion cert, because we won't be doing EV. EV requires that you actually know the company at the other end, you inspect their records, etc. But I make the next following observation: because Tor controls its own client, you know, the Tor Browser Bundle is not Google or Apple or Microsoft or Mozilla, if you want to use our code and generate a separate signing authority that's just for onions and then put it in the root list for Tor Browser Bundle, there's actually no reason not to do that yourselves.

Hi, my name is Sanjeev three and I co-chair the day working group, and just out of curiosity: I heard a lot of crap from certification authorities that they have a blacklist of names like PayPal.com, so they don't issue DV certificates for that. I don't have an opinion on that. Well, I have, but not related to this. Do you plan to address this as well or not?

Yeah, so we, in our current code base,
I think we block the Alexa top something hundred thousand or something, and so that's in our source code, and if anyone from one of those domains wants to use us, they can come and send us a pull request to remove the block for their particular domain name in the server source code, because it's on GitHub. So you can just say, okay, we're Wikipedia, we want to be unblocked from issuance, here's our pull request. You can talk to us, we'll approve your pull request, and then you'll be unblocked. We also effectively do this for many more than the Alexa top 1,000 with the proof of possession challenge that I described, because all of those high-security sites have current valid certificates. If you try to use Let's Encrypt for one of those domains, you're going to get a proof of possession challenge. We're only going to give you a cert if you can show that you hold the key from a current valid one. So yes, we're actually going to do something quite similar to that.

Yeah, DKG.

Hi, thank you for working on this. I'm really excited to see this happening. I guess I have questions about your approach towards HPKP. The way you framed it, you are looking mainly at HPKP for pinning the authorities. But another approach, if you have control of the server itself, is that you can pin the end-entity certs and make backup certs in some other secure area, so that you can actually work without the certificate authority pinning itself. So have you considered that mode?
We haven't, and if you think you have a good story about how an integrated version of that could be implemented in the, in a way that basically is, like, pre-packaged for a certain, like, category of sysadmins, please come and implement it. We should be giving you a nice easy framework to add a command line flag that's like, you know, private HPKP mode. You know, you can tell people to add that flag and get that particular experience.

Hi, thanks for working on all of this. I had a question about sort of privacy. So because you mentioned that all these domains will be published to your own log and separately Certificate Transparency, is there a way to have some of these domains not be published absolutely immediately, like maybe a day-ish later? Or not a question of the domain.

Yeah. We don't currently plan to do differential, like, log pipelines. I think we'd want to see a really... We would, one, need to see a really clear story about why that was worth engineering, and then, two, we'd need to be convinced that that was the most important thing to spend development resources on. Because it's, you know, it's hard enough to build a reliable pipeline, and then having a reliable pipeline with two different speeds in it is trickier.

So I might be willing to do some of the engineering work on that.
Yeah, I mean, the problem you get is that having holes in your list of, like, in your blockchain basically requires people to tolerate a blockchain that's constantly, like, full of holes. And maybe you can bound those and say, well, you can verify up to yesterday, but you can't verify today, but... No, but the question is why, really. Yeah, sure, tell us why you would like this.

Sorry, it's always me. Right, so this is for Sandstorm, which is another web app package manager I'll be talking about on Thursday, but we run each user session of an app on a one-time-use subdomain. So we'd like to have HTTPS for all of those, and we'd love to use Let's Encrypt, and we'd love for everyone in the world to be running their own Sandstorm server with Let's Encrypt HTTPS, and the sessions can be short, like a day. And just merely knowing one of these things is a security problem. They're used for avoiding cross-site request forgery attacks. So the idea is that normally you don't have a session ID cookie with a well-known host name of an app, but here you have a rare, an unknowable, an unguessable rather, host name for the app, and so this defangs cross-site request forgery attacks.

I think in the long run, I mean, obviously the thing you want is wildcard certs, and we aren't gonna offer them at first. Maybe one day we will, who knows, but not at first. So, yeah, we don't really different CA until we're ready to help you. We can't solve every problem simultaneously, unfortunately.

Where by the TLS needs different subject alternative names than the host name. So it is a URL instead. So it's supported by the CLS certificate protocol, but would you support issuing certificates that have subject alternative names that are not only host names but also URLs?

What was the protocol that you were by the plus TLS?
Huh, well, I think that's the kind of thing that in principle we think, see it, you know, our CA should support if protocols need weird things. It's also the kind of thing that we need to look at really closely and have people audit before we add it to the code base. So send us a, you know, send us a Boulder pull request, if you can, implementing the kinds of validation that that protocol needs, and in the long run we may be able to do it.

Okay, so one last question.

Yes, I might have missed that, but how did you convince Google for Chrome and Microsoft to include your root certificate brain question. Well, are you sure that it will remain there for longer?

Great question. So there's actually a slide missing from this particular version of this talk, which is: what do you need to do to become a certificate authority? And I did have the giant pile of paperwork there, which is, like, a crucial piece of this is the giant pile of paperwork. And you need to pass these audits and things. But one of the things you might think you need to do is get into the trust roots of Microsoft and Apple and Mozilla, and Google operates one for Android. The answer is you don't need to get into the trust roots. There was a lot of drama, for instance, when CNNIC, the Chinese certificate authority, was added to the Mozilla trust root, and of course we saw in the slides that actually turned out to be a bad idea in the end. But actually CNNIC had been trusted by browsers for a year or two before it was added to the Mozilla root, because of cross signatures. So it turns out all you need to do is to persuade another CA to cross-sign you, and now you're trusted by the browsers, and the browsers themselves don't get to decide straightforwardly whether they trust you or not. It happens automatically. So we were able to announce this project basically on the day that we had a contract signed with IdenTrust for a cross signature. It was contingent on us passing the same audit that all the other CAs pass. But
once we had that contract signed and they were committed to cross-signing us when we were ready, then it didn't matter whether Microsoft said yes or no later. It didn't matter whether Mozilla said yes, no later. What we needed was that contract.

Sorry, so Peter will be here for the rest of the evening. He has to unfortunately go tomorrow morning, but he's here, so you can talk to him. And sorry for running a bit over time, but now we're up for dinner. So thanks, Peter, again.

Yeah, thanks everyone for great questions. I will add on that last point: we will get at it. We will get ourselves added to those lists. It just isn't the thing that actually matters.