Target Group: Developers, IT operations, DevOps Focus: technical Language: English Abstract ********* Eventually, browsers and other Web clients will require all sites to use TLS. But turning on properly-configured TLS is not as simple as flipping a switch… unless your server does it automatically and by default. This talk briefly goes over how that is possible and what kind of usable security we should expect from all web servers in this decade. About the Speaker: ********************* Matt Holt (B.S. & M.S. Computer Science, Brigham Young University) is a software engineer with special expertise in TLS deployment and automation. He is the author of the Caddy web server, the only server to use HTTPS by default, which has over 25 million downloads and has secured and served trillions of HTTPS requests since 2014. When he's not coding stuff with his bare hands, you can find him rock climbing or bicycling.

1. HTTPS by Default
How Caddy Makes the Web More Secure
Matt Holt Go Gopher by Renee French, derivative works by Deise Misiuk

2. ACME
Automated Certificate Management Environment

3. Transport Layer Security
Confidentiality
A guarantee that the
data stays private in
transit.
Integrity
A guarantee that the
data is not modified in
transit.
Authenticity
A guarantee that your
connection is with the
intended party.
✔
self-signed
✔
self-signed
✖
self-signed✔ third-party

4. Generate private key
Generate CSR
Secure key
Order SSL certificate
Paste CSR into online form
Choose an email address
Wait for email
Click link in email
Wait for another email
Download certificate
Concat into bundle
Upload bundle to server
Configure server to use cert and key
Reload configuration
Don't forget to renew it... and don't mess up

5. Generate private key
Generate CSR
Secure key
Order SSL certificate
Paste CSR into online form
Choose an email address
Wait for email
Click link in email
Wait for another email
Download certificate
Concat into bundle
Upload bundle to server
Configure server to use cert and key
Reload configuration
Non-automatable

6. Generate private key
Generate CSR
Secure key
Order SSL certificate
Paste CSR into online form
Choose an email address
Wait for email
Click link in email
Wait for another email
Download certificate
Concat into bundle
Upload bundle to server
Configure server to use cert and key
Reload configuration
Extra attack/error surface

7. Generate private key
Generate CSR
Solve ACME challenge
Download certificate bundle
Use cert and key
ACME: simpler and automated

8. The 3 ACME Challenges
HTTP
:80
TLS-ALPN
:443
DNS
1
2
3
ACME server (CA) DNS server Your server

9. HTTP Challenge
HTTP
:80
Serves resource at special URI on host
● Requires port 80
● Must be accessible from outside
● Can be done manually
✔ No config required (usually)

10. TLS-ALPN Challenge
Negotiates special TLS handshake
● Requires port 443
● Must be accessible from outside
● Tedious to perform manually
TLS-ALPN
:443
✔ No config required (usually)

11. DNS Challenge
Sets special TXT record in zone file
● No open listeners; works behind proxies & LB
● Can be done manually
● Can be automated with DNS provider's API
● Some providers are slow to apply changes
✖ Requires DNS provider credentials (easy)
DNS
1
2
3

12. Minimum Required Config
Required inputs
● Domain name
Optional inputs
● Email address
● A few crypto details

13. Enough talking
More live demoing

14. ✅ Rate limiting
✅ Failed validations
✅ Revocations
✅ Infrastructure outages
✅ Customer domains
Production Challenges
✅ OCSP problems
✅ Misconfigured storage
✅ Fleet coordination
✅ Millions of domains
✅ = Caddy handles it
(external scripts/tools… don't)

15. Next Monday, probably
Thank you! :)
https://caddyserver.com