On December 3rd, 2015 (one day before the inaugural WordCamp USA) a service called Let’s Encrypt entered its public beta. Backed by several major sponsors (including Automattic), the service caught on quickly. As of summer 2016, more than 5 million SSL certificates had been issued by Let’s Encrypt, nearly four million of which were active and unexpired.
If you are not familiar, Let’s Encrypt is a free, automated, open certificate authority that allows users to encrypt the data flowing to and from their websites easily and for free. The goal of Let’s Encrypt is to make data transfer over the internet secure by default. Towards that end, they have invested a considerable amount of time and energy in making it easy for users of all stripes to secure the data flowing in and out of their websites.
You may have already considered encrypting your website before — perhaps to perform better in search engines, or to gain the ability to accept payments on your website. Regardless of whether you’ve considered enabling SSL on your website or not, the goal of this talk is to demonstrate why encryption on your website matters. We will look at some practical examples and live demos of what data can be stolen from your website, even if you are using an encrypted wifi connection. Likewise, we’ll talk about how encryption of all websites — whether they’re dealing with sensitive information or not — makes the web a safer place for all of us.
Last, of course, we will look at how you can get started with Let’s Encrypt on your website. We’ll review the options available to you on common hosting providers, as well as walk through the steps for how you can set this up for yourself, if you have administrative access to your server.
If you already have Let’s Encrypt enabled on your site, this talk may be basic for you (although we’ll do a few cool demos that make for great party tricks, so feel free to stop by).
If you’ve never accessed your hosting provider’s website admin area (CPanel, Plesk, etc), this talk might be a bit hard for you to follow (although you should totally come and ask questions both during the presentation and after).
If you have a WordPress website and you’ve thought about enabling SSL on it but you just haven’t gotten around to it yet, this talk will be perfect for you. By the end of this presentation, you should not only know how to enable encryption on your website, but you will understand why it’s so important that you do.
It sounds like an intimidating topic, but we can do this. Come on and let’s encrypt!
4. HTTP PROTOCOL + SECURITY
▸ SSL/TLS (Secure Sockets Layer / Transport Layer Security)
▸ keeps your passwords, communications, and credit card details safe between your computer and the servers you’re communicating with on the other side.
▸ still speaking HTTP, but each message is encrypted before it is sent and decrypted on arrival
5. HOW DOES IT WORK?
HELLO —> CERTIFICATE EXCHANGE —> KEY EXCHANGE
1. ClientHello message
▸ i.e. the information the server needs to set up an SSL connection with the client
▸ the server responds with a ServerHello, i.e. similar info, including the cipher suite and version of SSL to be used
2. Certificate Exchange
▸ the server needs to prove its identity via its SSL certificate*
▸ the client either (a) trusts the certificate implicitly or (b) verifies that it was issued by one of the many CAs it trusts
3. Key Exchange
‣ the two sides agree on a single shared key; from here on the data is encrypted with a symmetric algorithm using that key
* the client may also need to prove its identity, but not always
6. WHAT’S THE POINT?
▸ HTTP requests and responses can now be sent as plaintext messages that are encrypted before they go over the wire
▸ i.e. verifies that you’re talking directly to the server you think you’re talking to
▸ But because only the other side knows how to decrypt this message, Man In The Middle attackers are unable to read or modify any requests that they may intercept.
▸ i.e. ensures that only that server can read what you send and only you can read what it sends
Diffie–Hellman Key Exchange
7. WHILST THE LITTLE GREEN PADLOCK AND THE LETTERS “HTTPS” IN YOUR ADDRESS BAR DON’T MEAN THAT THERE ISN’T STILL AMPLE ROPE FOR BOTH YOU AND THE WEBSITE YOU ARE VIEWING TO HANG YOURSELVES ELSEWHERE, THEY DO AT LEAST HELP YOU COMMUNICATE SECURELY WHILST YOU DO SO.
Rob Heaton
9. ▸ if you see encrypted traffic today, you can generally assume there is a reason.
▸ by encrypting everything you give cover to those who need it
▸ for example political dissidents
17. HOW DOES SSL WORK?
WHY DOES IT PROTECT SENSITIVE INFORMATION?
1. 2-key encryption
▸ the private key and public key pair is used to agree on a single key for this exchange
▸ a symmetric algorithm for the data, set up using asymmetric encryption
▸ anyone can encrypt using the public key, but only the server can decrypt using the private key
2. the certificate carries a digital signature, i.e. it is “signed” by another authority (a CA)
3. self-signing (the certificate is signed with its own key, so no outside authority vouches for it)
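The key exchange from slides 5 and 6 and the “2 key encryption” of slide 17 in working form, as an added example that is not part of the talk: a Diffie–Hellman agreement over a toy group (2^127 − 1 and g = 3 are constructed choices, far too small for real use), the agreed value hashed into a symmetric key, and an HMAC-based toy stream cipher standing in for the AES/ChaCha20 suites real TLS uses. Only the public values and the ciphertext ever appear on the wire.

```python
import hashlib
import hmac
import secrets

# Toy group: 2**127 - 1 is prime but far too small for real use; TLS uses
# 2048-bit+ groups (RFC 7919) or elliptic curves. g = 3 is a constructed choice.
P = 2**127 - 1
G = 3


def dh_keypair(p=P, g=G):
    """Pick a random private exponent a and compute the public value g^a mod p."""
    private = secrets.randbelow(p - 2) + 1
    public = pow(g, private, p)
    return private, public


def dh_shared_key(my_private, their_public, p=P):
    """Both sides compute the same g^(ab) mod p; hash it into a 32-byte symmetric key."""
    shared = pow(their_public, my_private, p)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def keystream_xor(key, nonce, data):
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed with the data.
    Symmetric, so the same call encrypts and decrypts (real TLS uses AES-GCM/ChaCha20)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def simulate_exchange(message):
    """Client and server each keep their private value; only public values cross the wire.
    Returns (keys_match, what_the_server_decrypted, everything_an_eavesdropper_sees)."""
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    on_the_wire = {"p": P, "g": G, "client_pub": c_pub, "server_pub": s_pub}
    client_key = dh_shared_key(c_priv, s_pub)   # client: (g^b)^a
    server_key = dh_shared_key(s_priv, c_pub)   # server: (g^a)^b, the same value
    nonce = secrets.token_bytes(12)
    on_the_wire["nonce"] = nonce
    on_the_wire["ciphertext"] = keystream_xor(client_key, nonce, message)
    decrypted = keystream_xor(server_key, nonce, on_the_wire["ciphertext"])
    return client_key == server_key, decrypted, on_the_wire
```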
21. WHAT IS “LET’S ENCRYPT”?
SETUP OF A DOMAIN VALIDATION (DV) CERTIFICATE*
1. Install the Let’s Encrypt client on the server that serves www.oohshinywebsite.com (the Ubuntu package was called letsencrypt at the time of this talk; the client has since been renamed certbot):
sudo apt-get install letsencrypt
2. Run it as sudo, telling it you want a certificate for your domain:
sudo letsencrypt -d oohshinywebsite.com
* DV Certificate = “the CA checks the right of the applicant to use a specific domain name. No company identity information is vetted and no information is displayed other than encryption information within the Secure Site Seal.” There are other types of certificates with varying requirements.
23. SHARED HOSTING
‣ Bluehost
‣ GoDaddy
‣ Pantheon
‣ LiteSpeed
‣ SiteGround
‣ Media Temple
‣ Flywheel
‣ WP Engine
‣ DreamHost
‣ LE’s community list
24. HOW TO ENCRYPT YOUR SITE
VPS AND OTHER SERVER SETUPS
▸ nginx - https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04
▸ Apache - https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04
▸ CentOS and Debian/Ubuntu - https://www.linode.com/docs/security/ssl/install-lets-encrypt-to-create-ssl-certificates
27. THE BAD
▸ No wildcards, i.e. difficult in a multi-server / load-balanced setup
▸ Renewal every 90 days
THE GOOD
▸ Easy to set up
▸ Free to use
▸ Good for single-server setups
28. COMMON ISSUES
JETPACK
▸ change WordPress settings
▸ Dashboard > Settings > General
▸ site URL, WordPress URL
GOOGLE SEO
▸ your search rankings vs any modicum of care you have for your audience
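Changing the Site URL and WordPress URL fixes links WordPress generates from now on, but posts and theme files that hard-code http:// assets still break the padlock (mixed content) once the site is served over https. This added example, which goes a step beyond the slide, scans a page for such references and rewrites the same-site ones; the HTML sample is constructed and is not from the talk.

```python
from html.parser import HTMLParser

# Constructed sample: a WordPress page served over https whose older content still
# hard-codes http:// asset URLs (the domain is the one used in the talk's demo).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://oohshinywebsite.com/wp-content/themes/x/style.css">
<link rel="canonical" href="http://oohshinywebsite.com/hello-world/">
<script src="https://oohshinywebsite.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://oohshinywebsite.com/wp-content/uploads/2016/hero.jpg">
<a href="http://example.org/">plain links are not mixed content</a>
<iframe src="//cdn.example.org/widget"></iframe>
</body></html>"""

# Elements the browser fetches. An http:// value on an https page is mixed content:
# browsers block "active" kinds (script, stylesheet, iframe) outright and merely
# downgrade the padlock for "passive" kinds (images, media).
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (severity, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        # only a <link> that loads a stylesheet is fetched; canonical/alternate are not
        if tag == "link" and "stylesheet" not in attrs.get("rel", "").lower():
            return
        attr = ACTIVE.get(tag) or PASSIVE.get(tag)
        if attr and attrs.get(attr, "").lower().startswith("http://"):
            self.findings.append(("active" if tag in ACTIVE else "passive", tag, attrs[attr]))


def find_mixed_content(html):
    """Return every (severity, tag, url) that would be flagged on an https page."""
    parser = MixedContentFinder()
    parser.feed(html)
    return parser.findings


def rewrite_to_https(html, site_host):
    """Same-site http:// references can simply point at https:// once the certificate
    is installed; third-party http:// assets need a host that also offers https."""
    return html.replace("http://" + site_host + "/", "https://" + site_host + "/")
```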
30. FAQS
I SET IT ALL UP. DOES THIS MEAN I WON’T BE HACKED?
No. Absolutely not.
WILL IT MAKE MY SITE SLOWER?
Not really.
WHAT’S THE DIFFERENCE BETWEEN “LET’S ENCRYPT” AND PAID SSL CERTIFICATES?
Nothing technically. But within things like PR or insurance… kinda.
32. COMMON MISCONCEPTIONS*
AUTHENTICATION
“A proper SSL certificate also provides authentication. This means you can be sure that you are sending information to the right server and not to a criminal’s server.”
INTEGRITY
“because it’s now over HTTPS, and you’re protecting against MITM attacks you can be assured that the information is in fact the information you’re meant to get.”
ENCRYPTION
“it encrypts the information as it’s being transferred from the browser to the web server. This is known as encryption in transit, and talks to nothing about encryption at rest.”
* Read Tony Perez’s article :)
33. COMMON MISCONCEPTIONS*
PHISHING
If the website housing the phishing page has https, and it is verified, it will show the user that lovely green padlock.
NATION STATE ATTACKS
“My advice, assume everything you do online — HTTPS or HTTP — is being monitored.”
IN CONCLUSION
It’s definitely a critical piece of the overarching security wheel associated with website security, but it’s not going to stop websites from getting hacked, the distribution of malware or keep website owners safe.
* Read Tony Perez’s article :)