Target Group: Developers, IT operations, DevOps
Focus: technical
Language: English
Abstract
*********
Eventually, browsers and other Web clients will require all sites to use TLS. But turning on properly-configured TLS is not as simple as flipping a switch… unless your server does it automatically and by default. This talk briefly goes over how that is possible and what kind of usable security we should expect from all web servers in this decade.
About the Speaker:
*********************
Matt Holt (B.S. & M.S. Computer Science, Brigham Young University) is a software engineer with special expertise in TLS deployment and automation. He is the author of the Caddy web server, the only server to use HTTPS by default, which has over 25 million downloads and has secured and served trillions of HTTPS requests since 2014. When he's not coding stuff with his bare hands, you can find him rock climbing or bicycling.
3. Transport Layer Security
  TLS provides three guarantees; the ✔/✖ marks show which of them a self-signed certificate can deliver:
  ● Confidentiality: a guarantee that the data stays private in transit.      ✔ self-signed
  ● Integrity: a guarantee that the data is not modified in transit.           ✔ self-signed
  ● Authenticity: a guarantee that your connection is with the intended party. ✖ self-signed  ✔ third-party
4. Manual certificate workflow:
  ● Generate private key
  ● Generate CSR
  ● Secure key
  ● Order SSL certificate
  ● Paste CSR into online form
  ● Choose an email address
  ● Wait for email
  ● Click link in email
  ● Wait for another email
  ● Download certificate
  ● Concat into bundle
  ● Upload bundle to server
  ● Configure server to use cert and key
  ● Reload configuration
  Don't forget to renew it... and don't mess up.
5. (Same step list as slide 4.) Caption: Non-automatable
6. (Same step list as slide 4.) Caption: Extra attack/error surface
7. ACME certificate workflow:
  ● Generate private key
  ● Generate CSR
  ● Solve ACME challenge
  ● Download certificate bundle
  ● Use cert and key
  ACME: simpler and automated.
8. The 3 ACME Challenges
  ● HTTP (port 80)
  ● TLS-ALPN (port 443)
  ● DNS
  [Diagram: the three challenge flows (1, 2, 3) between the ACME server (CA), a DNS server, and your server]
9. HTTP Challenge (port 80)
  Serves a resource at a special URI on the host.
  ● Requires port 80
  ● Must be accessible from outside
  ● Can be done manually
  ✔ No config required (usually)
10. TLS-ALPN Challenge (port 443)
  Negotiates a special TLS handshake.
  ● Requires port 443
  ● Must be accessible from outside
  ● Tedious to perform manually
  ✔ No config required (usually)
11. DNS Challenge
  Sets a special TXT record in the zone file.
  ● No open listeners; works behind proxies & load balancers
  ● Can be done manually
  ● Can be automated with the DNS provider's API
  ● Some providers are slow to apply changes
  ✖ Requires DNS provider credentials (easy)
  [Diagram: DNS challenge flow]
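All three challenges on slides 9 to 11 prove control of a name with the same value: the key authorization, which is the CA's token joined to a thumbprint of the client's ACME account key (RFC 8555 §8.1). The Go program below is an added example, not code from Caddy or from the talk; it computes the RFC 7638 thumbprint for a P-256 account key, derives from it the HTTP-01 response body, the DNS-01 TXT record value and the digest that TLS-ALPN-01 embeds in its challenge certificate, and serves the HTTP-01 response on the well-known path while returning 404 for anything else. The token is a constructed placeholder; real tokens are issued by the CA per challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

// ChallengePrefix is the path the ACME server fetches for HTTP-01 (RFC 8555 §8.3).
const ChallengePrefix = "/.well-known/acme-challenge/"

// NewAccountKey generates the P-256 key that identifies the ACME account.
func NewAccountKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// JWKThumbprint computes the RFC 7638 thumbprint of a P-256 public key:
// SHA-256 over the JWK's required members serialized in lexicographic order
// with no whitespace, base64url-encoded without padding.
func JWKThumbprint(pub *ecdsa.PublicKey) (string, error) {
	if pub == nil || pub.Curve != elliptic.P256() {
		return "", fmt.Errorf("this example handles P-256 account keys only")
	}
	// Coordinates are fixed width (32 bytes for P-256) per RFC 7518 §6.2.1.
	x := base64.RawURLEncoding.EncodeToString(pub.X.FillBytes(make([]byte, 32)))
	y := base64.RawURLEncoding.EncodeToString(pub.Y.FillBytes(make([]byte, 32)))
	jwk := fmt.Sprintf(`{"crv":"P-256","kty":"EC","x":"%s","y":"%s"}`, x, y)
	sum := sha256.Sum256([]byte(jwk))
	return base64.RawURLEncoding.EncodeToString(sum[:]), nil
}

// KeyAuthorization binds the CA-issued token to the account key (RFC 8555 §8.1).
func KeyAuthorization(token, thumbprint string) string {
	return token + "." + thumbprint
}

// DNS01TXTValue is the content of the _acme-challenge.<domain> TXT record:
// base64url(SHA-256(keyAuthorization)) (RFC 8555 §8.4).
func DNS01TXTValue(keyAuth string) string {
	sum := sha256.Sum256([]byte(keyAuth))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TLSALPN01Digest is the raw SHA-256 of the key authorization that RFC 8737
// places in the acmeIdentifier extension of a self-signed challenge
// certificate offered under the "acme-tls/1" ALPN protocol on port 443.
func TLSALPN01Digest(keyAuth string) [32]byte {
	return sha256.Sum256([]byte(keyAuth))
}

// HTTP01Handler serves key authorizations for known tokens on port 80 and
// answers 404 for anything else, so it can be mounted on a public listener.
func HTTP01Handler(keyAuths map[string]string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet || !strings.HasPrefix(r.URL.Path, ChallengePrefix) {
			http.NotFound(w, r)
			return
		}
		token := strings.TrimPrefix(r.URL.Path, ChallengePrefix)
		// Tokens are base64url strings; anything with path characters is rejected.
		if strings.ContainsAny(token, "/.") {
			http.NotFound(w, r)
			return
		}
		keyAuth, ok := keyAuths[token]
		if !ok {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/octet-stream")
		fmt.Fprint(w, keyAuth)
	})
}

func main() {
	accountKey, err := NewAccountKey()
	if err != nil {
		panic(err)
	}
	thumb, err := JWKThumbprint(&accountKey.PublicKey)
	if err != nil {
		panic(err)
	}
	token := "example-token-not-real" // constructed; a real CA issues this per challenge
	keyAuth := KeyAuthorization(token, thumb)
	fmt.Println("HTTP-01 body    :", keyAuth)
	fmt.Println("DNS-01 TXT value:", DNS01TXTValue(keyAuth))
	fmt.Printf("TLS-ALPN digest : %x\n", TLSALPN01Digest(keyAuth))
	// To answer the CA's validation request, mount the handler on port 80:
	srv := &http.Server{Addr: ":80", Handler: HTTP01Handler(map[string]string{token: keyAuth})}
	_ = srv // srv.ListenAndServe() would block here
}
```

The handler only ever discloses values derived from the account's own public key, so exposing it on port 80 adds no secret to the attack surface; the DNS variant needs no listener at all but does require the provider credentials the slide mentions, which is why automated DNS-01 deployments should scope those credentials to the zone they modify.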