
Introduction to Let's Encrypt

  • 0:02 - 0:09
    discussion today. Today I'm going to be talking about
    Let's Encrypt. My name is April King and
  • 0:09 - 0:13
    I'm an information security engineer
    here at Mozilla and I'd just like to say
  • 0:13 - 0:18
    before we get this presentation really
    going, just a brief disclaimer so you
  • 0:18 - 0:23
    know there are many many adjectives that
    have been used to describe me and but
  • 0:23 - 0:28
    these adjectives do not include the terms
    classy or circumspect or anything along
  • 0:28 - 0:32
    those lines but because this
    presentation is apparently being
  • 0:32 - 0:33
    recorded
  • 0:33 - 0:37
    I'm gonna try to be at least a little
    bit of both of those as best I can but
  • 0:37 - 0:42
    no promises. Alright, so speaking of adjectives,
    there are a number of other adjectives that
  • 0:42 - 0:48
    do work for me and these include both
    old and curmudgeonly because I am both old
  • 0:48 - 0:52
    and curmudgeonly I like to begin all
    my presentations with a little history
  • 0:52 - 0:58
    lesson to make everybody in the audience
    suffer along with me so I'm gonna take you
  • 0:58 - 1:07
    all back and the year is 1995 and in
    1995 there's a new company up-and-coming
  • 1:07 - 1:12
    by the name of Netscape Communications
    and this up-and-coming company releases
  • 1:12 - 1:16
    a web browser and this particular web
    browser is actually really special
  • 1:16 - 1:21
    because for the first time in history
  • 1:21 - 1:27
    includes support for a protocol called
    SHTTP which later became known as HTTPS
  • 1:27 - 1:33
    and this is a really big deal because
    for the first time in history the
  • 1:33 - 1:34
    average human being
  • 1:34 - 1:40
    had access to secure, private
    communications over an untrusted network
  • 1:40 - 1:45
    now I mean sure there was encryption
    before 1995 obviously like you know if
  • 1:45 - 1:48
    you were very technically inclined you
    might have had access to a tool called
  • 1:48 - 1:52
    PGP and you could use this tool to
    generate keys and send them to your
    generate keys and send them to your
  • 1:52 - 1:55
    friends and you guys can send messages
    back and forth but it certainly wasn't
  • 1:55 - 2:00
    very easy you know and if you were a
    huge corporation with piles of money you
  • 2:00 - 2:05
    know you could pay IBM to come out and IBM
    would set up a nice system for you and
  • 2:00 - 2:05
    you could have encrypted communications
    between your data centers and whatnot
  • 2:05 - 2:09
    and of course if you were like a
    government then you had your own
  • 2:13 - 2:17
    army of mathematicians and cryptographers
    to do all this work for you but you
  • 2:17 - 2:21
    know if you were just the average human
    being you didn't have access to this this is
  • 2:21 - 2:27
    a really big deal now you're probably
    thinking to yourself so 1995 obviously
  • 2:27 - 2:33
    you're good at arithmetic 1995 that's
    twenty one years ago so given that it's
  • 2:33 - 2:39
    been 21 years we must be doing an
    amazing job, right? everything on the
  • 2:39 - 2:46
    internet must use HTTPS, right? 21 years!
    but it turns out that, actually, we're kind of
  • 2:46 - 2:52
    doing a lousy job. see, 21 years later
    we have found through our data from
  • 2:52 - 2:56
    people who opt in to share their
    information with Mozilla that only about
  • 2:56 - 3:03
    43% of initial page requests are done
    over HTTPS and in fact only 65 percent
  • 3:03 - 3:07
    of those follow-up requests are done over
    HTTPS, now these would be things like JavaScript
  • 3:07 - 3:13
    files and images and things like that
    and that's pretty terrible because you
  • 3:13 - 3:17
    know without HTTPS, without secure
    communications you're missing out on a
  • 3:17 - 3:22
    whole lot of things for example without
    HTTPS you don't know you don't have
  • 3:22 - 3:26
    confidentiality so you don't know if
    somebody is monitoring your
  • 3:26 - 3:30
    communications watching what you're
    doing so if you sent a
  • 3:30 - 3:34
    credit card number or social security
    number over the internet you don't know
  • 3:34 - 3:38
    if somebody is just sitting there and
    listening and just like you know writing it
  • 3:38 - 3:43
    down I'm sure on their little scratch pads, you know?
    you also don't know that you're talking to
  • 3:43 - 3:47
    who you think you are talking to you
    know without HTTPS you can take
  • 3:47 - 3:52
    www.mozilla.org into your web browser and
    you might get a site and it might look
  • 3:52 - 3:57
    like Mozilla dot org and you may click
    to download Firefox and you might get a
  • 3:57 - 4:01
    file that claims to be Firefox but because you
    didn't use HTTPS you don't actually know
  • 4:01 - 4:05
    if that's the case that could have been
    someone impersonating our website and
  • 4:05 - 4:10
    offering you up a Trojan version of
    Firefox and what's more you also don't
  • 4:10 - 4:14
    have integrity, see, without HTTPS you
    don't know if somebody is injecting
  • 4:14 - 4:18
    content in the things you are requesting
    or sending so we see this a lot
  • 4:18 - 4:23
    especially with our providers all around
    the world if you're here in the USA
  • 4:23 - 4:25
    might be familiar with the Verizon
    supercookie
  • 4:25 - 4:30
    I think a number of other companies are
    doing this where if you are browsing
  • 4:30 - 4:31
    from your mobile phone
  • 4:31 - 4:35
    all of your outgoing requests would
    contain a unique identifier identifying
  • 4:35 - 4:40
    who you were even, you know if you didn't opt into
    this you just got you know you just got
  • 4:40 - 4:47
    identified to your service providers
    and strategic advertising partners and
  • 4:47 - 4:52
    we also see this a lot particularly in
    Asia we see a lot of content injections
  • 4:52 - 4:58
    that put ads in the pages you are trying
    to browse or those ads that were in the
  • 4:58 - 5:01
    page you're trying to get replaced with
    different ads and that's a pretty big deal
  • 5:01 - 5:08
    because you know if you are me and you
    really like reddit.com and those
  • 5:08 - 5:12
    advertisements that they're offering to
    replace with some other advertisements
  • 5:12 - 5:16
    then the sites that I really want to
    continue to survive are not getting the
  • 5:16 - 5:21
    money from offering these advertisements
    now it's been 21 years and you're
  • 5:21 - 5:22
    listening to me
  • 5:22 - 5:26
    April King, a security engineer at
    Mozilla, a company that makes a web
  • 5:26 - 5:30
    browser so I'm sure in your head you're
    thinking April why haven't you
  • 5:30 - 5:36
    personally fixed this problem why
    haven't you fixed it, April? Why are only 43%
  • 5:36 - 5:43
    of requests done to websites done over
    HTTPS and the answer if anybody is
  • 5:43 - 5:50
    curious is that money, people. Yes indeed,
    in fact if you want to have a secure
  • 5:50 - 5:54
    website on the internet if you want to
    use HTTPS you need to have a digital
  • 5:54 - 5:59
    certificate and a digital certificate
    is like a file, kinda like a driver's
  • 5:59 - 6:03
    license it identifies you to the people
    who are visiting your website and it
  • 6:03 - 6:09
    allows them to verify mathematically
    cryptographically that they are in fact
  • 6:09 - 6:14
    talking to who they think they are now
    these certificates are issued by about
  • 6:14 - 6:19
    2,000 or so different entities around
    the world and these entities are called
  • 6:19 - 6:22
    certificate authorities and the
    certificate authorities want to make
  • 6:22 - 6:27
    money now money is pretty great if you
    were to come up to me and be like April
  • 6:27 - 6:32
    would you like some more money I would
    be like why yes I would I would indeed
  • 6:32 - 6:36
    enjoy some more money and I don't
    blame these certificate authorities they
  • 6:36 - 6:37
    also want more money
  • 6:37 - 6:42
    but the problem with money is that when
    things cost money things tend to be like
  • 6:42 - 6:49
    difficult painful lousy experiences
    see, you know, because when they're
  • 6:49 - 6:53
    lousy and painful you kinda get locked in
    but it's a pain that you know right so
  • 6:53 - 6:56
    traditionally right if you want a
    certificate
  • 6:56 - 7:00
    you know you type some arcane
    commands into your computer and you get a
  • 7:00 - 7:04
    private key and then you type another
    command and it generates a file called a
  • 7:04 - 7:08
    Certificate Signing Request and then you
    take that file and you might copy it and
  • 7:08 - 7:11
    go to your certificate authority and
    paste it in some web forms and then you
  • 7:11 - 7:16
    submit it and then a bunch of back and forth
    they verify you are who you say you are
  • 7:16 - 7:20
    and then they give you a file and
    you download that file and upload to your website
  • 7:20 - 7:26
    it's a pain in the butt, it really sucks, I hate
    doing it I do this professionally for a
  • 7:26 - 7:31
    living I get paid to do it I still hate
    doing it. Well, I have some good news to
  • 7:31 - 7:35
    everybody here in the audience watching
    that is there's a new certificate
  • 7:35 - 7:40
    authority in town and it's called Let's
    Encrypt and it's amazing and I'm gonna
  • 7:40 - 7:48
    tell you why it is in fact super duper
    amazing now I'm not going to bury the
  • 7:48 - 7:52
    lede, I'm gonna be straight up and honest with
    everybody watching Let's Encrypt is a
  • 7:52 - 7:58
    free certificate authority totally free
    and what they mean is that regardless of
  • 7:58 - 8:01
    your ability to pay you can get a
    digital certificate if you are well
  • 8:01 - 8:06
    known multi-billionaire Bill Gates and
    you want a free digital certificate, why,
  • 8:06 - 8:12
    I say to you, good sir, you may have a
    free digital certificate or you know if
  • 8:12 - 8:15
    you're an eight-year-old girl setting up
    your first website for the first time
  • 8:15 - 8:19
    well, you, young lady, you also can get a
    digital certificate it doesn't matter where
  • 8:19 - 8:24
    you are or how much money you have you
    can get a digital certificate that's a
  • 8:24 - 8:28
    really big deal because you know when things
    cost money there's a whole lot of
  • 8:28 - 8:32
    restrictions around it right there's
    taxes and there's international law
  • 8:32 - 8:36
    and it's really really complicated you
    know if you live in a place where you
  • 8:36 - 8:39
    don't necessarily have a local certificate
    authority or you don't have money then
  • 8:39 - 8:44
    you know not being able to get a free
    certificate can really make it so you
  • 8:44 - 8:47
    just can't have a secure website but
    with Let's Encrypt you can have a free
  • 8:47 - 8:50
    certificate and a secure website
  • 8:49 - 8:55
    so not only is Let's Encrypt free but it's also
    automated now I'll talk a little bit more about
  • 8:55 - 9:01
    this more later and how this all works
    but see most of the difficulty in requesting
  • 9:01 - 9:06
    and receiving a certificate is in the
    process of verifying that you are who
  • 9:06 - 9:11
    you say you are, right, I mean you don't
    want to be able to issue a certificate to just
  • 9:11 - 9:17
    anybody who comes along for any website but
    Let's Encrypt uses a protocol
  • 9:17 - 9:20
    that's in the process of being
    standardized to just do all this
  • 9:20 - 9:24
    automatically for you it really does
    appear like magic
  • 9:24 - 9:27
    you just automatically get a certificate if you want
    to revoke your certificate it's just like magic
  • 9:27 - 9:31
    your certificate is revoked and if you want to
    renew it it's like magic again you just
  • 9:31 - 9:37
    get a brand new certificate it's pretty
    cool so not only is Let's Encrypt free and automated
  • 9:37 - 9:44
    but it's also transparent, what that
    means is that every certificate that Let's Encrypt
  • 9:44 - 9:48
    issues is logged in a system
    called the certificate transparency
  • 9:48 - 9:56
    system meaning that there's no way for
    Let's Encrypt to like issue certificates
  • 9:56 - 9:59
    for sites it wasn't authorized for if
    we did it would show up in the system if
  • 9:59 - 10:04
    you have a site and you want to be
    monitoring, you know, whether any authority has
  • 10:04 - 10:07
    issued a certificate for you that you
    didn't request, you can look at these
  • 10:07 - 10:12
    logs and be sure that Let's Encrypt
    didn't issue a cert for your site and
  • 10:12 - 10:17
    not only that but if a cert does appear
    in the wild from Let's Encrypt and it
  • 10:17 - 10:20
    isn't there then you know immediately
    that they're not being honest but they
  • 10:20 - 10:24
    are being honest they're amazing and
    that's why they're using certificate
  • 10:24 - 10:30
    transparency alright so they're also an
    open certificate authority, see
  • 10:29 - 10:34
    everything about Let's Encrypt that they
    do is open source, that's amazing, see
  • 10:34 - 10:38
    that includes not just the
    software that runs the certificate authority and
  • 10:38 - 10:41
    issues the certificate but it also
    includes the software that you can put on your
  • 10:41 - 10:45
    computer or your server to get a
    certificate and it's even this very
  • 10:45 - 10:49
    presentation, as amazing as it is, is also
    open source, you can download it from
  • 10:49 - 10:51
    GitHub, pull
  • 10:51 - 10:56
    requests are happily ignored, it's
    great, alright, but I'll
  • 10:56 - 10:58
    totally take a look
  • 10:58 - 11:04
    in addition to all those things it is a
    cooperative certificate authority, see
  • 11:04 - 11:08
    a couple years ago Mozilla went out
    and decided that this is a real
  • 11:08 - 11:11
    need that needed to be met on the
    internet you know we found some like
  • 11:11 - 11:16
    really great partners to work with us
    including Akamai Cisco and the eff and I
  • 11:16 - 11:21
    thought this is an amazing idea and you
    know they helped build the software that
  • 11:21 - 11:26
    issued the certs and received the certs
    and it was really great and as it went
  • 11:26 - 11:31
    along many other organizations
    said oh my gosh this is a great idea
  • 11:31 - 11:35
    this is making the internet a way better
    place and we want to help so they've
  • 11:35 - 11:39
    joined us and become sponsors as well
    which means Let's Encrypt has a stable
  • 11:39 - 11:44
    supply of income to ensure that
    it can be around for many many many
  • 11:44 - 11:50
    years into the future now because it's
    so cooperative and the software is so open
  • 11:50 - 11:58
    and the protocol that it uses is also open
    a lot of people have participated in
  • 11:58 - 12:02
    this whole process with Let's Encrypt.
    So I'll talk a little bit about the process
  • 12:02 - 12:07
    with which you can get a certificate
    through Let's Encrypt now here's the
  • 12:07 - 12:12
    real question that all CAs struggle with,
    right, this is the question behind requests
  • 12:12 - 12:18
    and that is if I ask for a certificate for
    a website I say dear unnamed certificate
  • 12:18 - 12:22
    authority (because I am being recorded)
    dear unnamed certificate authority I
  • 12:22 - 12:27
    would like a certificate for amazon.com
    I am April King but I'm also definitely
  • 12:27 - 12:32
    the owner of amazon.com now that
    certificate authority is supposed to look at me and
  • 12:32 - 12:38
    say April you look super shady I don't
    think you actually own amazon.com
  • 12:38 - 12:43
    and now and that's what they're supposed
    to do they're not supposed to issue me
  • 12:43 - 12:47
    one of those certificates because if I
    had that certificate I could be
  • 12:47 - 12:54
    amazon.com even if people did use https
    now historically there's been a number
  • 12:54 - 12:56
    of different ways that we have verified
    that somebody actually owns the domain
  • 12:56 - 13:02
    that they claim they own for example you
    might ask them to set up a DNS record
  • 13:02 - 13:08
    right that you know is a branch off of
    their domain specific thing with a
  • 13:08 - 13:10
    special record inside it
  • 13:10 - 13:15
    and you can reasonably say that if somebody
    controls DNS then they also control the
  • 13:15 - 13:19
    website, right, I mean if I control the
    DNS for amazon.com I can point it at any
  • 13:19 - 13:25
    server I wanted to, so that's one way, or
    another way is they might say we want
    another way as they might say we want
  • 13:25 - 13:30
    you to place this particular file on a
    particular spot on your web server and
  • 13:30 - 13:33
    then once it's there you can let us know
    and we'll go out and check to see if
  • 13:33 - 13:37
    that file is there and if you have the
    ability to place this file on amazon.com
  • 13:37 - 13:41
    web server and the specific location
    then you probably actually do own
  • 13:41 - 13:46
    amazon.com and lastly another way is they
    might say you know spin up a web server
  • 13:46 - 13:50
    that uses HTTPS with, you know, the
    answer that we'll give to you
  • 13:50 - 13:55
    and then we'll go out and we'll connect to
    you, right, and if you can do that, if you
  • 13:55 - 14:02
    can listen on port 443 on amazon.com
    then you also probably own amazon.com so
  • 14:02 - 14:06
    historically there have been kind of three
    primary methods that we've done this but
  • 14:06 - 14:11
    Let's Encrypt kind of tries to
    automate all that away and it does that
  • 14:11 - 14:16
    through a standard called ACME and ACME
    stands for the Automated, Automatic
  • 14:16 - 14:20
    Certificate Management Environment and
    it's a protocol, it's in the process of
  • 14:20 - 14:24
    being standardized by the IETF that
    hopefully in the future
  • 14:25 - 14:29
    every CA every certificate authority can
    use now the idea of having a
  • 14:29 - 14:35
    standardized protocol is that you can
    build tooling around it, right, now if you
  • 14:35 - 14:39
    make a web server, right, if you make
    Apache or nginx or something
  • 14:39 - 14:43
    like that then you can build support for
    this protocol right into your web server
  • 14:43 - 14:49
    if you were trying to set up a Docker
    container you can set it up so that it
  • 14:49 - 14:56
    goes out and it requests, does this, does
    this protocol because it exists
  • 14:56 - 15:01
    we've actually seen incredible adoption
    across the industry and in fact an
  • 15:01 - 15:05
    increasing number of like web hosting,
    big web hosts like DreamHost and
  • 15:05 - 15:11
    WordPress and the like have
    adopted Let's Encrypt to add support for
  • 15:11 - 15:15
    HTTPS across thousands of domains that
    never had HTTPS before and they can
  • 15:15 - 15:16
    do that because of Let's Encrypt
  • 15:16 - 15:22
    apart from that we're seeing tools for
    pretty much everything you can
  • 15:22 - 15:26
    think of that support the ACME protocol
    to help you automate the process of
  • 15:26 - 15:31
    requesting certificates and a number of
    web servers have begun the process of
  • 15:31 - 15:37
    adding support, natively or through other
    modules, right, that support ACME
  • 15:37 - 15:40
    so that like in the future you know you
    can just put the URL for the ACME thing
  • 15:40 - 15:44
    in, you know, your web server configuration
    and regardless of certificate authority
  • 15:44 - 15:48
    right you can just go out and get a
    certificate when it starts up in fact
  • 15:48 - 15:54
    I'm gonna show you a demo of that
    by a guy named Matt Holt and Matt Holt
  • 15:54 - 16:00
    writes a web server called Caddy, he is the
    primary author of it and he built in
  • 16:00 - 16:06
    support into his web server for Let's Encrypt
    and ACME and he recorded a
  • 16:06 - 16:07
    video of himself
  • 16:07 - 16:10
    setting up a web server getting a
    certificate he put it up on YouTube for
  • 16:10 - 16:14
    for the whole world to see, we
    didn't ask him to write the code, we
  • 16:14 - 16:17
    didn't ask him to put the video up and
    he did it and I'm gonna show you all
  • 16:17 - 16:29
    what that looks like alright so here we
    go I
  • 16:29 - 16:34
    here we are, he is editing the file that
    contains the hostname of his server
  • 16:34 - 16:38
    that's it, he's gonna start up his web
    server, setup is going out to Let's Encrypt to
  • 16:38 - 16:44
    get a certificate and done, it has a
    digital certificate now he's just gonna
  • 16:44 - 16:49
    go to his website, he's going to see it,
    unfortunately he's using Chrome but you
  • 16:49 - 16:52
    know what this works in Firefox, it works
    in Edge, works in Safari
  • 16:52 - 16:56
    Christopher gets to you and there you go
    he's got a digital certificate, it's Let's
  • 16:56 - 17:02
    Encrypt, works with HTTPS and that was so easy,
    wasn't it, it was so easy compared to
  • 17:02 - 17:07
    all the copy and pasting and
    cryptic OpenSSL commands you typed in the
  • 17:07 - 17:08
    past
  • 17:08 - 17:13
    pretty great so Let's Encrypt has been
    around, available to the public, for about
  • 17:13 - 17:18
    three months so how well has Let's
    Encrypt been doing since it started a
  • 17:18 - 17:29
    few months ago and the answer is amazing
    and in fact there are
  • 17:29 - 17:33
    over one million unexpired certificates
    issued by Let's Encrypt covering over
  • 17:33 - 17:37
    two and a half million domain names and
    the reason why those numbers are not the
    same is that a certificate can cover like you
  • 17:37 - 17:41
    know website aa.com and www.sedar.com
  • 17:41 - 17:48
    and so on and so forth and the coolest
    thing about all of that is that the vast
  • 17:48 - 17:54
    majority of those sites have never had
    HTTPS before, in fact of those two
  • 17:54 - 17:56
    point six or whatever
  • 17:56 - 18:01
    2.6 million domains only about a hundred
    and sixty-five thousand of them have
  • 18:01 - 18:04
    ever had a certificate from a
    different certificate authority that's
  • 18:04 - 18:05
    incredible
  • 18:05 - 18:09
    we're actually making a huge difference
    on the Internet, tons of sites that
    never had a chance or couldn't afford
  • 18:09 - 18:13
    HTTPS before now have HTTPS and in fact
  • 18:13 - 18:19
    you remember that, I think, that sad but
    you know delicious-looking pie chart at
  • 18:19 - 18:25
    the beginning of the presentation that
    said only 43% of requests are under HTTPS
  • 18:25 - 18:29
    well before Let's Encrypt started three
    months ago that number was only 40 percent
  • 18:29 - 18:35
    so in just a few months we have
    moved the needle 3% on the internet
  • 18:35 - 18:39
    that's huge I know it only sounds like a
    small percentage point three percent is
  • 18:39 - 18:41
    a ton
  • 18:41 - 18:45
    of traffic on the internet that's
    incredible now how big is Let's Encrypt?
  • 18:45 - 18:52
    already the fourth largest issuer of
    certificates in the world behind Comodo,
  • 18:52 - 18:57
    Symantec and GoDaddy, pretty cool but
    this is only the beginning, see
  • 18:57 - 19:04
    obviously I work at Mozilla and I love
    the web and so I wanna see every website
  • 19:04 - 19:08
    using HTTPS and that's a great goal but
    you know the Internet has a lot more
  • 19:08 - 19:14
    stuff on it than just web servers, right, it
    has mail servers, it has IRC servers and
  • 19:14 - 19:22
    many many many other protocols we want
    to secure all of those as well so I'm
  • 19:22 - 19:24
    really looking forward to a day and I
    think we're definitely moving there
  • 19:24 - 19:29
    thanks to Let's Encrypt and ACME
    and all of the community support that
  • 19:29 - 19:33
    has been built up around this where
    everything that we do on the Internet is
  • 19:33 - 19:38
    secure and it's private and you know
    that when you are on the internet and
  • 19:38 - 19:41
    you were trying to talk to somebody that
    your conversation is secure and private
  • 19:41 - 19:46
    so as this presentation has been
    recorded in kind of talking to the whole
  • 19:46 - 19:49
    world I guess I have to tell everybody
    hello world
  • 19:50 - 19:53
    crafts
  • 19:58 - 20:09
    have any questions that I can answer? Yes.
    Let's Encrypt does not do wildcard certs
  • 20:09 - 20:16
    and the reason for that is one is that
    wildcards can kind of lead you to a
  • 20:16 - 20:22
    number of security issues and two is
    that it's just so easy to get a cert
  • 20:22 - 20:26
    for whatever name you need with Let's
    Encrypt, like there's no real need to
  • 20:26 - 20:30
    get a wildcard cert, you just start
    the server and whatever it answers for
  • 20:30 - 20:34
    you just run the command and you
    have a cert, so it doesn't support
  • 20:34 - 20:39
    wildcard certs, another thing that people often
    ask me is can I get like a four, I guess
  • 20:39 - 20:45
    three-year long certificate with Let's
    Encrypt and you cannot do that either, one
  • 20:45 - 20:52
    of the things is that they issue their
    certificates for about three months and
  • 20:52 - 20:56
    because they only have three months it
    tends to lead to a world where the sort
  • 20:56 - 21:00
    of stuff, this certificate requesting and
    web site configuration, is just automated
  • 21:00 - 21:01
    right
  • 21:01 - 21:06
    if they expire every three months you can't deal
    with the process where, like, you have a piece
  • 21:06 - 21:09
    of code that monitors all of
    your sites and goes out every day and
  • 21:09 - 21:14
    checks for expiring certs and then you go
    and upload new ones because you'd never be
  • 21:14 - 21:20
    able to make it work so it forces people
    to automate the issuance of certificates
  • 21:20 - 21:24
    on their web server so that like you're
    constantly getting new certs and you
  • 21:24 - 21:28
    know that you know you're constantly
    safe and you're constantly using the most secure
  • 21:28 - 21:31
    methods of securing your sites
  • 21:35 - 21:39
    so the same command, that same single
    command that it takes to issue a
  • 21:39 - 21:43
    certificate is basically the exact same
    command you use to get a brand new one
  • 21:43 - 21:50
    so I know people just have a process that
    runs every couple months, I don't
  • 21:50 - 21:53
    recommend it as everybody thinks the
    first of the month is the best day but
  • 21:53 - 21:56
    they just have a process that runs every
    month or two that just goes out and just
  • 21:56 - 22:16
    gets a new one. The question is why
    would anyone, so I mean, like, they're not trying to
  • 22:16 - 22:21
    take over the world, like, their, you know,
    their goal is to make certificates
  • 22:21 - 22:26
    available to everybody but you know
    these use cases that Let's Encrypt
  • 22:26 - 22:30
    meets are not like every possible use
    case, like, you know, there's a lot of
  • 22:30 - 22:37
    hardware on the internet, a lot of
    devices that you just can't, that are not
  • 22:37 - 22:40
    getting updates, you can apply new
    certificates to them but you can't
  • 22:40 - 22:43
    write new code for them, there's never gonna
    be support for ACME built into them
  • 22:43 - 22:48
    and in those cases, like, having the option
    to be able to get a three-year long
  • 22:48 - 22:52
    certificate and go and install one and
    be sure that it's fine for three years
  • 22:52 - 22:58
    is great and there's a number of use
    cases that traditional CAs meet and Let's Encrypt doesn't
  • 22:58 - 23:03
    and that's great you know but for the
    average person who wants a certificate
  • 23:03 - 23:07
    for their website, who has never been
    able to get one before, Let's Encrypt
  • 23:07 - 23:12
    is the perfect solution for getting that
    certificate, yes
  • 23:29 - 23:33
    there are features that need to be built to
    you know kind of help support, supporting
  • 23:33 - 23:40
    chat and email and other things like
    that and the answer is yes so
  • 23:40 - 23:44
    currently Let's Encrypt is a little bit
    limited in, like, how it actually
  • 23:44 - 23:50
    works, as it either, like, places a
    file in your web server, like you don't
  • 23:50 - 23:57
    have to, like, restart it, or it starts up
    a server that listens on port 443 and
  • 23:57 - 24:01
    you know Let's Encrypt will talk to that
    system to verify the domain ownership
  • 24:01 - 24:07
    but for a lot of cases that's not
    possible, right, if you just have a
  • 24:07 - 24:11
    mail server you're not going to want to
    also install a web server or something
  • 24:11 - 24:19
    on there to do that and so there is work
    on possibly identifying another port that
  • 24:19 - 24:24
    could be used as well as work on just the whole,
    you know, all of the other tools that
  • 24:24 - 24:32
    people use now it's not too difficult in
    my experience to make it work with those
  • 24:32 - 24:37
    things, like the command line client
    can run as stand-alone, right, it doesn't
  • 24:37 - 24:40
    work in connection with any web servers
    and all it does is it starts up and puts
  • 24:40 - 24:44
    the cert on your file system for
    your domain so you know you just run
  • 24:44 - 24:48
    this one command on your mail server for
    email or whatever, it goes out
  • 24:48 - 24:53
    and gets a cert for you and all you have to
    do is just, you know, that automated
  • 24:53 - 24:57
    update every couple months and you point
    your mail server at that certificate
  • 24:57 - 25:02
    file that just got put on your file
    system and just have it reload every
  • 25:02 - 25:06
    couple months as well and then it's not
    really too hard to get it working with
  • 25:06 - 25:14
    non-web things but it could certainly be a lot
    better, yes
  • 25:15 - 25:37
    why three months instead of one week for
    expiration or one year or whatever, why,
  • 25:37 - 25:43
    and the answer is, like, two months is
    kind of like a reasonable compromise so
  • 25:43 - 25:47
    one of the things that really is
    terrible about HTTPS on the internet
  • 25:47 - 25:52
    is that a certificate, is that it's
    really hard to revoke a certificate, what
  • 25:52 - 25:57
    I mean by revoking a certificate is
    saying that the certificate, if you see
  • 25:57 - 26:01
    it in the wild, is no longer valid for my
    website, right, or my mail server or
  • 26:01 - 26:05
    whatever and there is a historically
    been a number of different protocols to
  • 26:05 - 26:09
    make this work but they've also they're
    all terrible they're all really really
  • 26:09 - 26:15
    bad and so and it's getting a little
    better but still the process of
  • 26:15 - 26:19
    revocation is is kind of painful and so
    when you have a short clip certificate
  • 26:19 - 26:25
    that one that kind of last for only a
    few months or a couple weeks you kind of
  • 26:25 - 26:30
    get revocation for free right when I
    mean by that is that if somebody breaks
  • 26:30 - 26:33
    in your system and they still a private
    keys and is still your certificates
  • 26:33 - 26:37
    right that's difficult only to be valid
    for very short period of time so well
  • 26:37 - 26:41
    that is super bad right it will expire
    very quickly and those kids will no
  • 26:41 - 26:46
    longer be valid if that's what you get
    with no longer be valid and now as to
  • 26:46 - 26:52
    why it is three months and not like a
    week which would be better I mean if you
  • 26:52 - 26:56
    write if you have an automated you could
    have to get a new search every night and
  • 26:56 - 27:01
    the answer is like for people's comfort
    right if if people are used to
  • 27:01 - 27:05
    requesting a certificate the last 42
    years right and I wasn't using an
  • 27:05 - 27:10
    erroneous to forget that last for a week
    that people get really nervous when I
  • 27:10 - 27:16
    build system breaks right and for some
    reason I just can't fix it in a week
  • 27:16 - 27:22
    right then you know you're gonna go bad
    right so there's no reason
  • 27:22 - 27:27
    why it can't be sure and I think I think
    in the future there might be the ability
  • 27:27 - 27:31
    to request sugar lips certificates but
    like three weeks as art I few months is
  • 27:31 - 27:35
    considering I kind of like a reasonable
    compromise between security and
  • 27:35 - 27:53
    usability yes I said the question was
    what is the process for look like for
  • 27:53 - 27:59
    the answer is really, really, really good.
    So if you use any kind of modern browser
  • 27:59 - 28:08
    then you will have support for Let's
    Encrypt. And the way they... obviously, you
  • 28:08 - 28:11
    think, Let's Encrypt is
    a new root certificate authority that
  • 28:11 - 28:17
    issues certificates, right? You know, how does that
    get put into all these browsers? How do you
  • 28:17 - 28:21
    go back and fix, like, you know, how do you
    go back and fix Firefox 38, right? We
  • 28:21 - 28:26
    can't, like, rebuild an old version of
    Firefox and put Let's Encrypt in it. And the
  • 28:26 - 28:29
    answer is that existing root certificate
    authorities will sign the Let's Encrypt
  • 28:29 - 28:34
    certificate authority. Like, ones that exist, that
    have been in browsers for a long time,
  • 28:34 - 28:39
    will sign that cert so that the
    chain of trust that is used to verify
  • 28:39 - 28:44
    the cert goes up to something that has been
    around for a long time. So that means
  • 28:44 - 28:48
    that if you have a cert issued by
    Let's Encrypt now it should work with
  • 28:48 - 28:53
    pretty much anything made in the last
    quite a while. It works on all the major web
  • 28:53 - 28:56
    browsers, it works in Java, it works in
    pretty much everything you would expect.
  • 28:56 - 29:02
    I believe support for very old
    versions of Internet Explorer is coming
  • 29:02 - 29:09
    very soon if it hasn't already, but by
    and large if you have a site on the
  • 29:09 - 29:15
    internet you can be pretty comfortable
    in the fact that you will be able to connect
  • 29:15 - 29:18
    just fine.
  • 29:18 - 29:30
    Yes, one more question. The question is, is
    there anything that prevents you from
  • 29:30 - 29:33
    requesting certs more frequently,
    and the answer is no, you can request more
  • 29:33 - 29:40
    frequently. The only downside is that, you
    know, Let's Encrypt has, like, a certain
  • 29:40 - 29:48
    amount of rate limiting on issuing so many certs
    so quickly, right? So I wouldn't
  • 29:48 - 29:51
    recommend Let's Encrypt to be used for,
    like, you're building a container, right,
  • 29:51 - 29:55
    and just, you know, during your build
    process the server container goes and
  • 29:55 - 30:00
    requests a cert and does all these tests.
    Like, I wouldn't recommend using it for that,
  • 30:00 - 30:04
    because there are those rate
    limits that affect how often you can get
  • 30:04 - 30:08
    new certs. But, you know, if you want to
    request a cert every month or so
  • 30:08 - 30:14
    there's nothing stopping you from doing
    that. I thank you all for coming, I really
  • 30:14 - 30:14
    appreciate it.
Title:
Introduction to Let's Encrypt
Description:

Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit.

I'm a Security Engineer at Mozilla, and in this presentation I discuss the past and future of SSL/TLS and HTTPS on the internet, and how Let's Encrypt is promising to make the internet a safer place for everyone.

Video Language:
English
Duration:
30:27

English subtitles

Incomplete