ACME and Let's Encrypt: HTTPS made easy
TRANSCRIPT
[Diagram: the layered stack under plain HTTP. Application: HTTP; Transport: TCP; Network: IP; Data link: Ethernet/802.11; Physical.]
[Diagram: the same stack for HTTPS. HTTPS is HTTP carried over SSL/TLS, which sits between HTTP and TCP; TCP, IP, Ethernet/802.11 and the physical layer are unchanged.]
HTTPS handshake
[Diagram: a browser visiting https://secure.example.com, with the reassurances “You’re safe here!” and “Welcome to a secure website. :)”]
Client → server: supported SSL/TLS versions, ciphersuites and compression methods
Server → client: the SSL/TLS version and ciphersuite chosen, and the server’s certificate
Both sides: a symmetric key for the session
How to get a certificate
1. Register in the CA
2. Ask for a certificate
3. Install the certificate
Pretty easy, huh?
Hummmm… yeah, except no.
ACME protocol
● Automated Certificate Management Environment
● Spec is still a draft (to be proposed as RFC)
● Authors:
  o Richard Barnes (Mozilla)
  o Peter Eckersley and Seth Schoen (EFF)
  o Alex Halderman and James Kasten (University of Michigan)
Certificate issuance
[Diagram: a webserver running the ACME client on one side, the CA on the other.]
1. Prompts for a domain name
2. Presents list of CAs
3. Operator selects CA
4. Requests certificate
5. Downloads and installs certificate
6. Periodic contacts to keep things up-to-date
Let’s Encrypt
● Certificates cross-signed by IdenTrust
● Standard Domain Validation certificates
● Linux Foundation collaborative project