ACME and Let’s Encrypt: HTTPS made easy! (Gabriell Nascimento)

Posted on 17-Aug-2015


ACME and Let’s Encrypt: HTTPS made easy!

Gabriell Nascimento

[Slide: protocol stack of plain HTTP. Application: HTTP; Transport: TCP; Network: IP; Data link: Ethernet/802.11; Physical.]

[Slide: protocol stack of HTTPS. Application: HTTP carried over SSL/TLS; Transport: TCP; Network: IP; Data link: Ethernet/802.11; Physical.]

HTTPS handshake

[Slide: browser talking to https://secure.example.com]

Client → server: supported SSL/TLS versions, ciphersuites and compression
Server → client: SSL/TLS version and ciphersuite chosen, and the server’s certificate
Then: symmetric key

“You’re safe here! Welcome to a secure website. :)”

And what about the certificate? It tells a lot about who the client is talking to!

However... someone must trust that.

That’s a job for the Certificate Authority (CA)!

The CA

● A trustworthy company
● Issues certificates for other parties (it trusts them)

How to get a certificate

1. Register in the CA
2. Ask for a certificate
3. Install the certificate

Pretty easy, huh? Hummmm… yeah, except no.

to the rescue!

ACME protocol

● Automated Certificate Management Environment
● Spec is still a draft (to be proposed as RFC)
● Authors:
  o Richard Barnes (Mozilla)
  o Peter Eckersley and Seth Schoen (EFF)
  o Alex Halderman and James Kasten (University of Michigan)

“ACME is a protocol for automating the management of domain-validation certificates”

Certificate issuance

[Diagram columns: Webserver w/ ACME | CA]

1. Prompts for a domain name
2. Presents list of CAs
3. Operator selects CA
4. Requests certificate
5. Downloads and installs certificate
6. Periodic contacts to keep things up-to-date

ACME protocol

● A key pair represents the account
● REST
● JSON over HTTPS
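The three bullets above are all the talk says about the wire format, so here is an added Go example (not code from the talk, from Let’s Encrypt or from the ACME spec) of what "a key pair represents the account" means in practice: every request is a JWS whose protected header carries the account public key, an anti-replay nonce and the URL being called, and the CA verifies all of that before acting. It follows the JWS layout ACME settled on in RFC 8555, which differs in detail from the 2015 draft the talk cites; the nonce, URL and payload values are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"math/big"
)

var enc = base64.RawURLEncoding // JWS, and therefore ACME, uses unpadded base64url everywhere
// fixed renders a P-256 coordinate or signature half as exactly 32 big-endian bytes.
func fixed(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }
// signingInput hashes the "protected.payload" string that a JWS signature covers.
func signingInput(protected, payload string) []byte { d := sha256.Sum256([]byte(protected + "." + payload)); return d[:] }

// SignRequest builds the flattened JWS an ACME client POSTs: the protected header binds
// the account public key (as a JWK), an anti-replay nonce and the URL being called.
func SignRequest(key *ecdsa.PrivateKey, nonce, url string, payload []byte) ([]byte, error) {
	jwk := map[string]string{"kty": "EC", "crv": "P-256",
		"x": enc.EncodeToString(fixed(key.X)), "y": enc.EncodeToString(fixed(key.Y))}
	hdr, _ := json.Marshal(map[string]interface{}{"alg": "ES256", "jwk": jwk, "nonce": nonce, "url": url}) // string values only: cannot fail
	protected, body := enc.EncodeToString(hdr), enc.EncodeToString(payload)
	r, s, err := ecdsa.Sign(rand.Reader, key, signingInput(protected, body))
	if err != nil {
		return nil, err
	}
	sig := append(fixed(r), fixed(s)...) // ES256 signatures are raw r||s, not DER
	return json.Marshal(map[string]string{"protected": protected, "payload": body, "signature": enc.EncodeToString(sig)})
}

// VerifyRequest is the CA-side check: rebuild the key from the header, verify the signature over protected.payload, refuse a stale nonce or a mismatched URL.
func VerifyRequest(msg []byte, wantNonce, wantURL string) bool {
	var env struct{ Protected, Payload, Signature string }
	var hdr struct{ Alg, Nonce, URL string; JWK map[string]string }
	if json.Unmarshal(msg, &env) != nil {
		return false
	}
	raw, err := enc.DecodeString(env.Protected)
	sig, err2 := enc.DecodeString(env.Signature)
	if err != nil || err2 != nil || len(sig) != 64 || json.Unmarshal(raw, &hdr) != nil ||
		hdr.Alg != "ES256" || hdr.Nonce != wantNonce || hdr.URL != wantURL {
		return false // bad encoding, unknown alg, replayed nonce, or wrong endpoint
	}
	x, _ := enc.DecodeString(hdr.JWK["x"])
	y, _ := enc.DecodeString(hdr.JWK["y"])
	pub := ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	return ecdsa.Verify(&pub, signingInput(env.Protected, env.Payload), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
```

A real CA also checks that the nonce was one it issued and has not been used before; this example only shows why the nonce and URL must be under the signature at all.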

https://letsencrypt.org

Let’s Encrypt

● A new CA
● Free, automated and open
● ACME based
● Arriving September 2015

Major sponsors

Let’s Encrypt

● Certificates cross-signed by IdenTrust
● Standard Domain Validation certificates
● Linux Foundation collaborative project

Technology

https://letsencrypt.org


Which means...

$ sudo apt-get install lets-encrypt
$ lets-encrypt example.com

Drawbacks

● No Extended Validation (and no plans for it)

● No wildcard (possibly in the future)

Thanks!

References

● https://github.com/letsencrypt/acme-spec/blob/master/draft-barnes-acme.md
● https://letsencrypt.org/howitworks/technology/
● https://letsencrypt.org/howitworks/
● https://github.com/letsencrypt/acme-spec
● http://security.stackexchange.com/a/20833
● http://security.stackexchange.com/a/41318
● http://robertheaton.com/2014/03/27/how-does-https-actually-work/