HTTPS with Let's Encrypt

# HTTPS with Let's Encrypt

Carsten Meier 
 Peerigon GmbH

---
    layout: true
    class: theme-whiskey, slides-centered
    ---
    class: slides-chapter

## Who broke the interwebz

---

<blockquote class="twitter-tweet" data-lang="de">
 SSL is really slow.
 </blockquote>
 A lazy developer, ~2012 or before

---

> On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. [...] If you stop reading now you only need to remember one thing: SSL/TLS is not computationally expensive any more.

Adam Langley, Google Inc., [blog post](https://www.imperialviolet.org/2010/06/25/overclocking-ssl.html), **06/2010**

---

<blockquote class="twitter-tweet" data-lang="de">
 We don't need to protect all data anyway.
 </blockquote>
 Some product manager, ~2012 or before

---

---

---

<blockquote class="twitter-tweet" data-lang="de">
 Okay, then let's use well-tested standard tools and protocols to secure our web connections!
 </blockquote>
 Every web dev, ~2013

---

How about using OpenSSL with SSLv3 and RC4? RC4 is really fast, right?

---

<ul class="strikethrough">
 <li>SSLv3 <a href="https://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/">(POODLE)</a></li>
 <li>TLSv1.0 <a href="https://en.wikipedia.org/wiki/Transport_Layer_Security#BEAST_attack">(BEAST)</a></li>
  
 <li>RC4 <a href="https://en.wikipedia.org/wiki/RC4#Security">(NOMORE and others)</a></li>
 <li>DSA & ECDSA <a href="https://en.wikipedia.org/wiki/Digital_Signature_Algorithm#Sensitivity">(see fail0verflow PS3 hack)</a></li>
 <li>SHA-1 <a href="https://en.wikipedia.org/wiki/SHA-1#Attacks">(SHAttered)</a></li>
  
 <li>DNS (Fix: <a href="https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions">DNSSEC</a>)</li>
 <li>BGP <a href="https://en.wikipedia.org/wiki/Border_Gateway_Protocol#Security_issues">(hijacking)</a></li>
 </ul>

---

Plus we found a lot of nasty bugs:

#### OpenSSL, Debian, Android, iOS, ...

> goto fail;

---

... and nasty companies

Sources: [[1](http://www.tomshardware.com/news/google-removes-symantec-root-certificate,30742.html)]
 [[2](http://www.tomshardware.com/news/google-bans-cnnic-root-ca,28873.html)]
 [[3](http://www.sueddeutsche.de/digital/csc-deutschland-umstrittener-nsa-dienstleister-verliert-ausschreibung-1.2378310)]
 [[4](https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html)]

---

## Who broke the interwebz

---

## Who broke the interwebz

We did!
 (ノಥ,_｣ಥ)ノ彡┻━┻

---

## List of failures
    - trusting bad CAs
    - bad standards in software security
    - no audits for essential open source software
    - no money for essential open source projects
    - deployment of new standards slow as hell

---

<img src="assets/encrypt-all-the-things.jpg" style="width: 100%;" />
 (thanks Mozilla & Google for forcing us with HTTP/2 👍)

---

### What do we need?
 easy!
 <ul>
 <li>X.509 certificate from a browser-trusted certificate authority (CA)</li>
 <li>HTTPS-capable webserver</li>
 <li>some configuration magic</li>
 </ul>

---

### Certificates? CA?

The web public key infrastructure (PKI) is a *federated system*. Everybody can start a CA, but browsers (now) have [strict rules](https://wiki.mozilla.org/CA:Recommended_Practices) for the CAs they set as a trusted CA.

Only a certificate issued by a *trusted CA* will work for HTTPS without a browser warning.

---

## Certificates are kind of expensive though... 😓

(also, nearly all CAs are crap)

---

<blockquote>Let’s Encrypt is a free, automated, open CA founded by EFF, Mozilla, and the University of Michigan, with Cisco and Akamai as founding sponsors.</blockquote>
 Source: <a href="https://www.eff.org/deeplinks/2016/10/lets-encrypt-largest-certificate-authority-web" target="_blank">EFF</a>

---

## Free

...as in beer! 👍

---

## Automated

Let’s Encrypt offers Domain Validation (DV) certificates
 - access to the webserver is needed for automation
 - certs are provided on a per-subdomain basis
 - no wildcard certs 😢
 - but it's easy and fast!

---

## Automated

Let’s Encrypt cannot verify your organization or personal details
 - no Extended Validation (EV) certs
 - no Organization Validation (OV) certs

---

## Open

#### Transparency

All certificates issued or revoked are publicly recorded, [available for anyone](https://www.certificate-transparency.org/known-logs).

#### Protocols

Let's encrypt uses the [Automatic Certificate Management Environment](https://ietf-wg-acme.github.io/acme/) (ACME) protocol, an open standard to be issued by the IETF ACME Working Group

---

## How does it work?

---

### Domain Validation (Challenge)

I like a challenge.

Source: https://letsencrypt.org/how-it-works/

---

### Domain Validation (Authorization)

Nice! We now have an authorized key pair.

Source: https://letsencrypt.org/how-it-works/

---

### Domain Validation (Certificate Issuance)

If the certificate signing request (CSR) is valid, we get our certificate.

Source: https://letsencrypt.org/how-it-works/

---

### Certificate Revocation

**CSL:** certificate revocation list; **OCSP:** Online Certificate Status Protocol

Source: https://letsencrypt.org/how-it-works/

---

<blockquote class="twitter-tweet" data-lang="de">
 Listen, I get the point of TLS encryption, but I don't have time to set it all up. And it is just a private project anyway.
 </blockquote>
 Another lazy dev, possibly today

🤔

---

## HowTo: nginx & apache2

with [certbot](https://certbot.eff.org/) and webserver standard config file structure setups

```
    $ certbot --nginx
    ```

```
    $ certbot --apache
    ```

then add a cronjob:

```
    crontab -e
    0 8 * * 1 certbot renew
    ```

done();

---

---

### Certificate Revocation (cont'd)

**CSL:** certificate revocation list; **OCSP:** Online Certificate Status Protocol

Source: https://letsencrypt.org/how-it-works/

---

## Online Certificate Status Protocol (OCSP)

Browsers can verify the certificate status by asking the OCSP server if the certificate is still valid...

---

## OCSP

... and leak all your visited domains to the OCSP server.

┻━┻ ︵ヽ(`Д´)ﾉ︵ ┻━┻

---

## OCSP stapling

---

## OCSP stapling

😊 OCSP responder will not know the client

💥 OCSP stapling must be supported by the CA and webserver

---

## OCSP stapling

<div style="display: flex; justify-content: center; align-items: center;">
 <div>
 <img src="assets/clippy-forgot-staples-might-i-be-of-assistance.jpg" style="width: 100%;" />
 </div>
 <div>
 No thanks clippy, I got my <img src="assets/nginx-logo.svg" style="width: 100%;" /> with me.
 </div>
 </div>

---

## Some more advanced certbot options

for better security and automation

```bash
    cli.ini

# Use a 4096 bit RSA key instead of 2048
    rsa-key-size = 4096

# use this to avoid interactive mode
    email = foo@example.com
    text = True
    agree-tos = True
    non-interactive = True

# Enables OCSP Stapling
    staple-ocsp = True
    ```

---

## even more good stuff

---

## HTTP Strict Transport Security (HSTS)

HTTP header that tells visitors that your domain is HTTPS only

```
    Strict-Transport-Security: "max-age=31536000; includeSubdomains; preload"
    ```

---

## You got HSTS set up?

Great! Apply for the [HSTS preload list](https://hstspreload.org) and all browsers* will only ever access your domain via HTTPS ☺

* at least Firefox, Chrome, Opera, Safari, IE 11 and Edge

---

## HTTP Public Key Pinning (HPKP)

HTTP header that tells the browser which certificates are really valid

```
    Public-Key-Pins:
    pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
    pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
    max-age=5184000;
    report-uri="https://myreportinfrastructure.xyz"';
    ```

Sounds easy? Then let's do it already!
 (ノಠ益ಠ)ノ彡┻━┻

---

## not so fast.

(ヘ･_･)ヘ┳━┳

---

## WARNING

If you set up HPKP wrong and include HSTS, your visitors will not reach your website again until `max-age` runs out.

If somebody can sneak in a different HPKP header and/or compromises your webserver, [you can be held ransom](https://scotthelme.co.uk/using-security-features-to-do-bad-things/) for the "new", i.e. working certificates.

---

If you want to use HPKP in production

## always use a reporting infrastructure!

## always use more than two keys!

Take a look at https://report-uri.io/

---

## HPKP Reporting

Testing only:
    ```
    Public-Key-Pins-Report-Only:
    pin-sha256="cUPcTAZWKaASuYWhhneDttWpY3oBAkE3h2+soZS7sWs=";
    pin-sha256="M8HztCzM3elUxkcjR2S5P4hhyBNf6lHkmjAHKhpGPWE=";
    max-age=5184000;
    report-uri="https://myreportinfrastructure.xyz"';
    ```

---

## HPKP with Let's Encrypt

certbot usually regenerates the keys on each renewal, which means that the private key and therefore also the certificate hash changes.

You can force certbot to use a specific CSR with the `--csr` cli flag. Keep in mind that the CSR changes when you want to include new subdomains.

---

## HPKP the easy way

Pin your CAs at the root and intermediate level like [GitHub does](https://report-uri.io/home/pkp_analyse/https%3A%2F%2Fgithub.com).

---

## HPKP the easy way

Keep in mind that Let's Encrypt in only an intermediate CA right now, you therefore need to pin the [IdenTrust root and the ISRG root](https://letsencrypt.org/certificates/).

Dont' forget: you still need a backup CA and reporting infrastructure!

---

## Pimp your webserver

---

## nginx HTTP headers

```
    add_header Strict-Transport-Security "...";
    add_header Public-Key-Pins '...';
    add_header Referrer-Policy same-origin;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    ```

---

## nginx TLS protocol tweaks and cipher suites

```
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    ```

For updates and other webservers check https://cipherli.st/

---

Please be carefull with this stuff!

**Take your time.** This isn't something to be done on the go.

---

## [Fun stats!](https://letsencrypt.org/stats/)

---

## And even better...

We now have infrastructure funds ([SOS](https://www.mozilla.org/en-US/moss/secure-open-source/) by Mozilla, [CII](https://www.coreinfrastructure.org/) by Linux Foundation) that audit and help improve open source software security.

🤗

---

## Conclusion

- HTTPS with Let's Encrypt is really easy to set up
    - integrate it into your workflow **early** for maximum benefits
    - check your setup with tools like [Mozilla Observatory](https://observatory.mozilla.org) & [SSL Labs](https://www.ssllabs.com/ssltest/index.html) and [Security Headers](https://securityheaders.io/)
    - secure your keys!
    - watch out for pitfalls with HSTS & HPKP

---

## But please keep in mind...

TLS stands for transport layer security, not end-to-end encryption!

take care of the rest of your stack
 - serverside data encryption
 - secure your cookies (`Secure` & `HttpOnly`)
 - correct CORS headers
 - have a look at CSP (content security policy) and subresource integrity

---

## Thank you

- carsten.meier@peerigon.com
    - @acidicX on GitHub
    - Slides are online: https://peerigon.github.io/talks/

---

## Links

- [Mozilla Observatory](https://observatory.mozilla.org) – security testing
    - [Security Headers](https://securityheaders.io/) – security testing
    - [Qualys SSL Labs](https://www.ssllabs.com/ssltest/index.html) – security testing
    - [Cipherlist](https://cipherli.st/) – for webservers
    - [Scott Helme's blog](https://scotthelme.co.uk/) – on all things security headers
    - [Report URI](https://report-uri.io/) – awesome service!
    - [Let's Encrypt FAQ](https://letsencrypt.org/how-it-works/)
    - [certbot](https://certbot.eff.org/) – with easy install instructions
    - [HSTS preload list](https://hstspreload.org/)
    - [Certificate Transparency](https://www.certificate-transparency.org/how-ct-works)
    - [Josh Aas about LE during LINUXCON NA](https://www.youtube.com/watch?v=ksqTu7TX83g) – video
    - [Awesome tableflip emojis](http://cutekaomoji.com/misc/table-flipping/)

---

## Images (where source not stated)

- [NSA](https://commons.wikimedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg), public domain
    - [GCHQ](https://commons.wikimedia.org/wiki/File:GCHQ-aerial.jpg), OGL v1
    - [Let's Encrypt Logo](https://en.wikipedia.org/wiki/File:Let%27s_Encrypt.svg), (c) Internet Security Research Group (ISRG)
    - Company logos (nginx, Symantec, etc.), (c) by their respective owners