Introduction to Let's Encrypt

0:02 - 0:09 discussion today. Today I'm going to be talking about Let's Encrypt. My name is April King and
0:09 - 0:13 I'm an information security engineer here at Mozilla and I'd just like to say,
0:13 - 0:18 before we get this presentation really going, just a brief disclaimer so you
0:18 - 0:23 know: there are many, many adjectives that have been used to describe me, but
0:23 - 0:28 these adjectives do not include the terms classy or circumspect or anything along
0:28 - 0:32 those lines, but because this presentation is apparently being
0:32 - 0:33 recorded
0:33 - 0:37 I'm gonna try to be at least a little bit of both of those as best I can, but
0:37 - 0:42 no promises. Alright, so speaking of adjectives, there are a number of other adjectives that
0:42 - 0:48 do work for me, and these include both old and curmudgeonly, because I am both old
0:48 - 0:52 and curmudgeonly. I like to begin all my presentations with a little history
0:52 - 0:58 lesson to make everybody in the audience suffer along with me, so I'm gonna take you
0:58 - 1:07 all back, and the year is 1995, and in 1995 there's a new company up-and-coming
1:07 - 1:12 by the name of Netscape Communications, and this up-and-coming company releases
1:12 - 1:16 a web browser, and this particular web browser is actually really special
1:16 - 1:21 because for the first time in history it
1:21 - 1:27 includes support for a protocol called SHTTP, which later became known as HTTPS,
1:27 - 1:33 and this is a really big deal because for the first time in history the
1:33 - 1:34 average human being
1:34 - 1:40 had access to secure, private communications over an untrusted network.
1:40 - 1:45 Now I mean sure, there was encryption before 1995, obviously, like, you know, if
1:45 - 1:48 you were very technically inclined you might have had access to a tool called
1:48 - 1:52 PGP, and you could use this tool to generate keys and send them to your
1:52 - 1:55 friends, and you guys could send messages back and forth, but it certainly wasn't
1:55 - 2:00 very easy, you know, and if you were a huge corporation with piles of money, you
2:00 - 2:05 know, you could pay IBM to come out, and IBM would set up a nice system for you and
2:05 - 2:09 you could have encrypted communications between your data centers and whatnot,
2:09 - 2:13 and of course if you were, like, a government, then you had your own
2:13 - 2:17 army of mathematicians and cryptographers to do all this work for you, but, you
2:17 - 2:21 know, if you were just the average human being you didn't have access to this. This is
2:21 - 2:27 a really big deal. Now you're probably thinking to yourself, so 1995, obviously
2:27 - 2:33 you're good at arithmetic, 1995, that's twenty one years ago, so given that it's
2:33 - 2:39 been 21 years we must be doing an amazing job, right? Everything on the
2:39 - 2:46 internet must use HTTPS, right? 21 years! But it turns out that, actually, we're kind of
2:46 - 2:52 doing a lousy job. See, 21 years later we have found, through our data from
2:52 - 2:56 people who opt in to share their information with Mozilla, that only about
2:56 - 3:03 43% of initial page requests are done over HTTPS, and in fact only 65 percent
3:03 - 3:07 of those follow-up requests are done over HTTPS; now these would be things like JavaScript
3:07 - 3:13 files and images and things like that, and that's pretty terrible because, you
3:13 - 3:17 know, without HTTPS, without secure communications, you're missing out on a
3:17 - 3:22 whole lot of things. For example, without HTTPS you don't know, you don't have
3:22 - 3:26 confidentiality, so you don't know if somebody is monitoring your
3:26 - 3:30 communications, watching what you're doing, so if you sent a
3:30 - 3:34 credit card number or social security number over the internet you don't know
3:34 - 3:38 if somebody is just sitting there and listening and just, like, you know, writing it
3:38 - 3:43 down, I'm sure, on their little scratch pads, you know? You also don't know that you're talking to
3:43 - 3:47 who you think you are talking to. You know, without HTTPS you can type
3:47 - 3:52 www.mozilla.org into your web browser and you might get a site, and it might look
3:52 - 3:57 like mozilla.org, and you may click to download Firefox, and you might get a
3:57 - 4:01 file that claims to be Firefox, but because you didn't use HTTPS you don't actually know
4:01 - 4:05 if that's the case; that could have been someone impersonating our website and
4:05 - 4:10 offering you up a Trojan version of Firefox. And what's more, you also don't
4:10 - 4:14 have integrity. See, without HTTPS you don't know if somebody is injecting
4:14 - 4:18 content into the things you are requesting or sending, so we see this a lot,
4:18 - 4:23 especially with providers all around the world. If you're here in the USA you
4:23 - 4:25 might be familiar with the Verizon supercookie.
4:25 - 4:30 I think a number of other companies are doing this, where if you are browsing
4:30 - 4:31 from your mobile phone
4:31 - 4:35 all of your outgoing requests would contain a unique identifier identifying
4:35 - 4:40 who you were, even, you know, if you didn't opt into this, you just got, you know, you just got
4:40 - 4:47 identified to your service providers and strategic advertising partners, and
4:47 - 4:52 we also see this a lot, particularly in Asia, we see a lot of content injections
4:52 - 4:58 that put ads in the pages you are trying to browse, or those ads that were in the
4:58 - 5:01 page you're trying to get replaced with different ads, and that's a pretty big deal
5:01 - 5:08 because, you know, if you are me and you really like reddit.com, and those
5:08 - 5:12 advertisements that they're offering get replaced with some other advertisements,
5:12 - 5:16 then the sites that I really want to continue to survive are not getting the
5:16 - 5:21 money from offering these advertisements. Now it's been 21 years and you're
5:21 - 5:22 listening to me,
5:22 - 5:26 April King, a security engineer at Mozilla, a company that makes a web
5:26 - 5:30 browser, so I'm sure in your head you're thinking, April, why haven't you
5:30 - 5:36 personally fixed this problem, why haven't you fixed it, April? Why are only 43%
5:36 - 5:43 of requests done to websites done over HTTPS? And the answer, if anybody is
5:43 - 5:50 curious, is money, people, yes indeed. In fact if you want to have a secure
5:50 - 5:54 website on the internet, if you want to use HTTPS, you need to have a digital
5:54 - 5:59 certificate, and a digital certificate is like a file, kinda like a driver's
5:59 - 6:03 license; it identifies you to the people who are visiting your website and it
6:03 - 6:09 allows them to verify mathematically, cryptographically, that they are in fact
6:09 - 6:14 talking to who they think they are. Now these certificates are issued by about
6:14 - 6:19 2,000 or so different entities around the world, and these entities are called
6:19 - 6:22 certificate authorities, and the certificate authorities want to make
6:22 - 6:27 money. Now money is pretty great; if you were to come up to me and be like, April,
6:27 - 6:32 would you like some more money, I would be like, why yes I would, I would indeed
6:32 - 6:36 enjoy some more money, and I don't blame these certificate authorities, they
6:36 - 6:37 also want more money,
6:37 - 6:42 but the problem with money is that when things cost money things tend to be, like,
6:42 - 6:49 difficult, painful, lousy experiences, see, you know, because when they're
6:49 - 6:53 lousy and painful you kinda get locked in, but it's a pain that you know, right, so
6:53 - 6:56 traditionally, right, if you want a certificate
6:56 - 7:00 you know you type some arcane commands into your computer and you get a
7:00 - 7:04 private key, and then you type another command and it generates a file called a
7:04 - 7:08 Certificate Signing Request, and then you take that file and you might copy it and
7:08 - 7:11 go to your certificate authority and paste it in some web forms, and then you
7:11 - 7:16 submit it, and then a bunch of back and forth, they verify you are who you say you are,
7:16 - 7:20 and then they give you a file and you download that file and upload it to your website.
7:20 - 7:26 It's a pain in the butt, it really sucks, I hate doing it, I do this professionally for a
7:26 - 7:31 living, I get paid to do it, I still hate doing it. Well, I have some good news for
7:31 - 7:35 everybody here in the audience watching, and that is there's a new certificate
7:35 - 7:40 authority in town and it's called Let's Encrypt, and it's amazing, and I'm gonna
7:40 - 7:48 tell you why it is in fact super duper amazing. Now I'm not going to bury the
7:48 - 7:52 lede, I'm gonna be straight up and honest with everybody watching: Let's Encrypt is a
7:52 - 7:58 free certificate authority, totally free, and what they mean is that regardless of
7:58 - 8:01 your ability to pay you can get a digital certificate. If you are well-
8:01 - 8:06 known multi-billionaire Bill Gates and you want a free digital certificate, why,
8:06 - 8:12 I say to you, good sir, you may have a free digital certificate, or, you know, if
8:12 - 8:15 you're an eight-year-old girl setting up your first website for the first time,
8:15 - 8:19 well, you, young lady, you also can get a digital certificate. It doesn't matter where
8:19 - 8:24 you are or how much money you have, you can get a digital certificate. That's a
8:24 - 8:28 really big deal because, you know, when things cost money there's a whole lot of
8:28 - 8:32 restrictions around it, right, there's taxes and there's international law
8:32 - 8:36 and it's really, really complicated. You know, if you live in a place where you
8:36 - 8:39 don't necessarily have a local certificate authority, or you don't have money, then,
8:39 - 8:44 you know, not being able to get a free certificate can really make it so you
8:44 - 8:47 just can't have a secure website, but with Let's Encrypt you can have a free
8:47 - 8:50 certificate and a secure website.
8:49 - 8:55 So not only is Let's Encrypt free, but it's also automated. Now I'll talk a little bit more about
8:55 - 9:01 this more later and how this all works, but see, most of the difficulty in requesting
9:01 - 9:06 and receiving a certificate is in the process of verifying that you are who
9:06 - 9:11 you say you are, right, I mean you don't want to be able to issue a certificate to just
9:11 - 9:17 anybody who comes along for any website, but Let's Encrypt uses a protocol
9:17 - 9:20 that's in the process of being standardized to just do all this
9:20 - 9:24 automatically for you. It really does appear like magic:
9:24 - 9:27 you just automatically get a certificate; if you want to revoke your certificate it's just like magic,
9:27 - 9:31 your certificate is revoked; and if you want to renew it it's like magic again, you just
9:31 - 9:37 get a brand new certificate. It's pretty cool. So not only is Let's Encrypt free and automated,
9:37 - 9:44 but it's also transparent. What that means is that every certificate that Let's Encrypt
9:44 - 9:48 issues is logged in a system called the certificate transparency
9:48 - 9:56 system, meaning that there's no way for Let's Encrypt to, like, issue certificates
9:56 - 9:59 for sites it wasn't authorized for; if we did, it would show up in the system. If
9:59 - 10:04 you have a site and you want to be monitoring, you know, whether any authority has
10:04 - 10:07 issued a certificate for you that you didn't request, you can look at these
10:07 - 10:12 logs and be sure that Let's Encrypt didn't issue a cert for your site, and
10:12 - 10:17 not only that, but if a cert does appear in the wild from Let's Encrypt and it
10:17 - 10:20 isn't there, then you know immediately that they're not being honest, but they
10:20 - 10:24 are being honest, they're amazing, and that's why they're using certificate
10:24 - 10:30 transparency. Alright, so they're also an open certificate authority. See,
10:29 - 10:34 everything about Let's Encrypt, that they do, is open source. That's amazing. See,
10:34 - 10:38 that includes not just the software that runs the certificate authority and
10:38 - 10:41 issues the certificates, but it also includes the software that you can put on your
10:41 - 10:45 computer or your server to get a certificate, and it's even, this very
10:45 - 10:49 presentation, as amazing as it is, is also open source, you can download it from
10:49 - 10:51 GitHub. Pull
10:51 - 10:56 requests are happily ignored, it's great. Alright, but, no, I'll
10:56 - 10:58 totally take a look.
10:58 - 11:04 In addition to all those things, it is a cooperative certificate authority. See,
11:04 - 11:08 a couple years ago Mozilla went out and decided that this is a real need, it
11:08 - 11:11 needed to be met on the internet, you know, and we found some, like,
11:11 - 11:16 really great partners to work with us, including Akamai, Cisco and the EFF, and they
11:16 - 11:21 thought this is an amazing idea, and, you know, they helped build the software that
11:21 - 11:26 issued the certs and received the certs, and it was really great, and as it went
11:26 - 11:31 along many other organizations said, oh my gosh, this is a great idea,
11:31 - 11:35 this is making the internet a way better place and we want to help, so they've
11:35 - 11:39 joined us and become sponsors as well, which means Let's Encrypt has a stable
11:39 - 11:44 supply of income to ensure that it can be around for many, many, many
11:44 - 11:50 years into the future. Now because it's so cooperative and the software is so open
11:50 - 11:58 and the protocol that it uses is also open, a lot of people have participated in
11:58 - 12:02 this whole process with Let's Encrypt. So I'll talk a little bit about the process
12:02 - 12:07 with which you can get a certificate through Let's Encrypt. Now here's the
12:07 - 12:12 real question that all CAs struggle with, right, this is the question behind requests,
12:12 - 12:18 and that is, if I ask for a certificate for a website, I say, dear unnamed certificate
12:18 - 12:22 authority (because I am being recorded), dear unnamed certificate authority, I
12:22 - 12:27 would like a certificate for amazon.com, I am April King but I'm also definitely
12:27 - 12:32 the owner of amazon.com. Now it's on the certificate authority to look at me and
12:32 - 12:38 say, April, you look super shady, I don't think you actually own amazon.com,
12:38 - 12:43 and that's what they're supposed to do, they're not supposed to issue me
12:43 - 12:47 one of those certificates, because if I had that certificate I could be
12:47 - 12:54 amazon.com even if people did use HTTPS. Now historically there's been a number
12:54 - 12:56 of different ways that we have verified that somebody actually owns the domain
12:56 - 13:02 that they claim they own. For example, you might ask them to set up a DNS record,
13:02 - 13:08 right, that, you know, is a branch off of their domain, a specific thing with a
13:08 - 13:10 special record inside it,
13:10 - 13:15 and you can reasonably say that if someone controls DNS then they also control the
13:15 - 13:19 website, right, I mean if I control the DNS for amazon.com I can point it at any
13:19 - 13:25 server I wanted to. That's one way; another way is they might say, we want
13:25 - 13:30 you to place this particular file in a particular spot on your web server, and
13:30 - 13:33 then once it's there you can let us know and we'll go out and check to see if
13:33 - 13:37 that file's there, and if you have the ability to place this file on amazon.com's
13:37 - 13:41 web server in the specific location, then you probably actually do own
13:41 - 13:46 amazon.com. And lastly, another way is they might say, you know, spin up a web server
13:46 - 13:50 that uses HTTPS with a, you know, a certificate that we'll give to you,
13:50 - 13:55 and then we'll go out and we'll connect to you, right, and if you can do that, if you
13:55 - 14:02 can listen on port 443 on amazon.com, then you also probably own amazon.com. So
14:02 - 14:06 historically there have been kind of three primary methods that we've done this, but
14:06 - 14:11 Let's Encrypt kind of tries to automate all that away, and it does that
14:11 - 14:16 through a standard called ACME, and ACME stands for the Automated, Automatic
14:16 - 14:20 Certificate Management Environment, and it's a protocol, it's in the process of
14:20 - 14:24 being standardized by the IETF, that hopefully in the future
14:25 - 14:29 every CA, every certificate authority, can use. Now the idea of having a
14:29 - 14:35 standardized protocol is that you can build tooling around it, right; now if you
14:35 - 14:39 make a web server, right, if you make Apache or nginx or something
14:39 - 14:43 like that, then you can build support for this protocol right into your web server.
14:43 - 14:49 If you were trying to set up a Docker container you can set it up so that it
14:49 - 14:56 goes out and it requests certs using this protocol, because it exists.
14:56 - 15:01 We've actually seen incredible adoption across the industry, and in fact an
15:01 - 15:05 increasing number of, like, web hosting, big web hosts like DreamHost,
15:05 - 15:11 WordPress and the like have used Let's Encrypt to add support for
15:11 - 15:15 HTTPS across thousands of domains that never had HTTPS before, and they can
15:15 - 15:16 do that because of Let's
15:16 - 15:22 Encrypt. Further, we're seeing tools for pretty much everything that you can
15:22 - 15:26 think of that support the ACME protocol to help you automate the process of
15:26 - 15:31 requesting certificates, and a number of web servers have begun the process of
15:31 - 15:37 adding support via modules, right, that support ACME,
15:37 - 15:40 so that, like, in the future, you know, you can just put the URL for the ACME endpoint
15:40 - 15:44 in, you know, your web server configuration, and regardless of certificate authority,
15:44 - 15:48 right, you can just go out and get a certificate when it starts up. In fact
15:48 - 15:54 I'm gonna show you a demo of that by a guy named Matt Holt, and Matt Holt
15:54 - 16:00 writes a web server called Caddy, is the primary author of it, and he built in
16:00 - 16:06 support into his web server for Let's Encrypt and ACME, and he recorded a
16:06 - 16:07 video of himself
16:07 - 16:10 setting up a web server, getting a certificate, and he put it up on YouTube for
16:10 - 16:14 us to, for the whole world to see. We didn't ask him to write the code, we
16:14 - 16:17 didn't ask him to put the video up, and he did it, and I'm gonna show you all
16:17 - 16:29 what that looks like. Alright, so here we go.
16:29 - 16:34 Here we are, he is editing the file that contains the host name of his server,
16:34 - 16:38 that's it, he is gonna start up his web server, it's going out to Let's Encrypt to
16:38 - 16:44 get a certificate, and done, it has a digital certificate. Now he's just gonna
16:44 - 16:49 go to his website, he's going to see it, he is unfortunately using Chrome, but you
16:49 - 16:52 know what, this works in Firefox, it works in Edge, it works in Safari,
16:52 - 16:56 Chrome, whatever gets you there, and there you go, he's got a digital certificate issued by Let's
16:56 - 17:02 Encrypt, his site works over HTTPS, and that was so easy, wasn't it, it was so easy compared to
17:02 - 17:07 all the copying and pasting and cryptic OpenSSL commands you typed in the
17:07 - 17:08 past.
17:08 - 17:13 Pretty great. So Let's Encrypt has been around, available to the public, for about
17:13 - 17:18 three months, so how well has Let's Encrypt been doing since it started a
17:18 - 17:29 few months ago? And the answer is amazing, and in fact there are over,
17:29 - 17:33 over one million unexpired certificates issued by Let's Encrypt, covering over
17:33 - 17:37 two and a half million domain names, and the reason why those numbers are not the
17:37 - 17:41 same is that a cert can cover, like, you know, website-a.com and www.website-a.com
17:41 - 17:48 and so on and so forth, and the coolest thing about all of that is that the vast
17:48 - 17:54 majority of those sites have never had HTTPS before; in fact, of those two
17:54 - 17:56 point six or whatever,
17:56 - 18:01 2.6 million domains, only about a hundred and sixty-five thousand of them have
18:01 - 18:04 ever had a cert before from a different certificate authority. That's
18:04 - 18:05 incredible.
18:05 - 18:09 We're actually making a huge difference on the Internet; tons of sites that
18:09 - 18:13 never had a chance or couldn't afford HTTPS before now have HTTPS, and in fact,
18:13 - 18:19 you remember that, I think, that sad but, you know, delicious-looking pie chart at
18:19 - 18:25 the beginning of the presentation that said only 43% of requests are done over HTTPS?
18:25 - 18:29 Well, before Let's Encrypt started three months ago that number was only 40 percent,
18:29 - 18:35 so in just a few months we have moved the needle 3% on the internet.
18:35 - 18:39 That's huge. I know it only sounds like a small percentage, but three percent is
18:39 - 18:41 a ton
18:41 - 18:45 of traffic on the internet, that's incredible. Now how big is Let's Encrypt?
18:45 - 18:52 It's already the fourth largest issuer of certificates in the world, behind Comodo,
18:52 - 18:57 Symantec and GoDaddy, pretty cool, but this is only the beginning. See,
18:57 - 19:04 obviously I work at Mozilla and I love the web, and so I wanna see every website
19:04 - 19:08 using HTTPS, and that's a great goal, but, you know, the Internet has a lot more
19:08 - 19:14 stuff on it than just web servers, right, it has mail servers, it has IRC servers and
19:14 - 19:22 many, many, many other protocols. We want to secure all of those as well, so I'm
19:22 - 19:24 really looking forward to a day, and I think we're definitely moving there,
19:24 - 19:29 thanks to Let's Encrypt and ACME and all of the community support that
19:29 - 19:33 has been built up around this, where everything that we do on the Internet is
19:33 - 19:38 secure and it's private, and you know that when you are on the internet and
19:38 - 19:41 you are trying to talk to somebody that your conversation is secure and private.
19:41 - 19:46 So as this presentation has been recorded, and I'm kind of talking to the whole
19:46 - 19:49 world, I guess I have to tell everybody hello, world.
19:58 - 20:09 Does anybody have any questions that I can answer? Yes. Let's Encrypt does not do wildcard certs,
20:09 - 20:16 and the reason for that is, one is that wildcards can kind of lead to a
20:16 - 20:22 number of security issues, and two is that it's just so easy to get a cert
20:22 - 20:26 for whatever name you need with Let's Encrypt, like there's no real need to
20:26 - 20:30 get a wildcard cert; you just start the server and it gets a cert for
20:30 - 20:34 you, you just run the command and you have a cert. So it doesn't support wildcard
20:34 - 20:39 certs, sir. Another thing that people often ask me: can I get, like, a four, I guess
20:39 - 20:45 three-year long certificate with Let's Encrypt, and you cannot do that either.
20:45 - 20:52 Let's Encrypt issues certificates for about three months, and
20:52 - 20:56 because they only have three months it tends to lead to a world where this sort
20:56 - 21:00 of stuff, the certificate requesting and web site configuration, is automated,
21:00 - 21:01 right,
21:01 - 21:06 because if they expire every three months you can't deal with a process where, like, you have
21:06 - 21:09 a piece of code that monitors all of your sites and goes out every day and
21:09 - 21:14 checks for expiring certs and then you go and upload new ones, because you'd never be
21:14 - 21:20 able to make it work, so it forces people to automate the issuance of certificates
21:20 - 21:24 on their web server so that, like, you're constantly getting new certs and you
21:24 - 21:28 know that, you know, you're constantly safe and you're constantly using the most secure
21:28 - 21:31 methods of securing your sites.
21:35 - 21:39 So the same command, that same single command that it takes to issue a
21:39 - 21:43 certificate, is basically the exact same command you use to get a brand new one,
21:43 - 21:50 so, I know, just how I've got a process that runs every couple months, I don't
21:50 - 21:53 recommend it, since everybody thinks the first of the month is the best day, but
21:53 - 21:56 they just have a process that runs every month or two that just goes out and just
21:56 - 22:16 gets a new one. Really, really. The question is why would anyone, so I mean, like, are they trying to
22:16 - 22:21 take over the world? Like, you know, their goal is to make certificates
22:21 - 22:26 available to everybody, but, you know, the use cases that Let's Encrypt
22:26 - 22:30 meets are not, like, every possible use case; like, you know, there's a lot of
22:30 - 22:37 hardware on the internet, a lot of devices that you just can't, that do not
22:37 - 22:40 get updates; you can apply new certificates to them, but you can't
22:40 - 22:43 write new code for them, there's never gonna be support for it actually built into them,
22:43 - 22:48 and in those cases, like, having the option to be able to get a three-year long
22:48 - 22:52 certificate and go on and install one and be sure that it's fine for three years
22:52 - 22:58 is great, and there's a number of use cases that traditional CAs meet and Let's Encrypt doesn't,
22:58 - 23:03 and that's great, you know, but for the average person who wants a certificate
23:03 - 23:07 for their website, who now has never been able to get one before, Let's Encrypt is,
23:07 - 23:12 is the perfect solution for getting that certificate. Yes.
23:29 - 23:33 The question is whether there are features that need to be built to, you know, kind of help support, supporting
23:33 - 23:40 chat and email and other things like that, and the answer is yes. So,
23:40 - 23:44 currently, the way Let's Encrypt is a little bit limited in how it actually
23:44 - 23:50 works is that it either, like, places a file in your web server, like you don't
23:50 - 23:57 have to, like, restart it, or it starts up a server that listens on port 443, and,
23:57 - 24:01 you know, Let's Encrypt will talk to that system to verify the domain ownership,
24:01 - 24:07 but for a lot of sites that's not possible, right, if you just have a
24:07 - 24:11 mail server you're not going to want to also install a web server or something
24:11 - 24:19 on there to do that, and so there is work on possibly identifying another port that
24:19 - 24:24 could be used, as well as work on just the whole, turning on all of the other tools that
24:24 - 24:32 people use. Now it's not too difficult in my experience to make it work with those
24:32 - 24:37 things, like the command-line Let's Encrypt tool can run as stand-alone, right, it doesn't
24:37 - 24:40 work in connection with any web servers, and all it does is it starts up and puts
24:40 - 24:44 the cert on your file system for your domain, so, you know, you just run
24:44 - 24:48 this one command on your mail server, for email or whatever, and it goes out
24:48 - 24:53 and gets a cert for it, and all you have to do is just, you know, that automated
24:53 - 24:57 update every couple months, and you point your mail server at that certificate
24:57 - 25:02 file that just got put on your file system and just have it reload every
25:02 - 25:06 couple months as well, and then it's not really too hard to get it working with
25:06 - 25:14 non-web things, but it certainly could be a lot better. Yes.
25:15 - 25:37 Why three months instead of one week for expiration, or one year, or whatever? Why,
25:37 - 25:43 um, the answer is, like, three months is kind of like a reasonable compromise. So
25:43 - 25:47 one of the things that really is terrible about HTTPS on the internet
25:47 - 25:52 is that, with a certificate, it's really hard to revoke a certificate. What I
25:52 - 25:57 mean by revoking a certificate is saying that the certificate, if you see
25:57 - 26:01 it in the wild, is no longer valid for my website, right, or my mail server or
26:01 - 26:05 whatever, and there have historically been a number of different protocols to
26:05 - 26:09 make this work, but they've also, they're all terrible, they're all really, really
26:09 - 26:15 bad, and so, and it's getting a little better, but still the process of
26:15 - 26:19 revocation is, is kind of painful, and so when you have a short-lived certificate,
26:19 - 26:25 one that kind of lasts for only a few months or a couple weeks, you kind of
26:25 - 26:30 get revocation for free, right; what I mean by that is that if somebody breaks
26:30 - 26:33 into your system and they steal your private keys and steal your certificates,
26:33 - 26:37 right, that certificate's only going to be valid for a very short period of time, so while
26:37 - 26:41 that is super bad, right, it will expire very quickly and those keys will no
26:41 - 26:46 longer be valid, that cert that you got will no longer be valid. And now as to
26:46 - 26:52 why it is three months and not, like, a week, which would be better, I mean if you,
26:52 - 26:56 right, if you have it automated you could have it get a new cert every night, and
26:56 - 27:01 the answer is, like, for people's comfort, right; if, if people are used to
27:01 - 27:05 requesting a certificate that lasts for two years, right, and now they're using a
27:05 - 27:10 certificate that lasts for a week, then people get really nervous when my
27:10 - 27:16 build system breaks, right, and for some reason I just can't fix it in a week,
27:16 - 27:22 right, then, you know, you're gonna go bad, right. So there's no reason
27:22 - 27:27 why it can't be shorter, and I think, I think in the future there might be the ability
27:27 - 27:31 to request shorter-lived certificates, but, like, three weeks or, I guess, a few months is
27:31 - 27:35 considered, I kind of, like, a reasonable compromise between security and
27:35 - 27:53 usability. Yes. I said, the question was what does the process look like for,
27:53 - 27:59 and the answer is really, really, really good. So if you use any kind of modern browser
27:59 - 28:08 then you will have support for Let's Encrypt, and the way that, obviously, you
28:08 - 28:11 think to yourself, Let's Encrypt is a new root certificate authority to
28:11 - 28:17 issue certificates, right, you know, that's put into all these browsers, how do you
28:17 - 28:21 go back and fix, like, you know, how do you go back and fix Firefox 38, right, we
28:21 - 28:26 can't, like, rebuild an old version of Firefox and add Let's Encrypt, and the
28:26 - 28:29 answer is that existing root certificate authorities will sign the Let's Encrypt
28:29 - 28:34 certificate authority; like, CAs that exist, that have been in browsers for a long time,
28:34 - 28:39 will sign that cert so that it, so the chain of trust that is used to verify
28:39 - 28:44 certs goes up to something that has been around for a long time. So that means
28:44 - 28:48 that if you have a cert issued by Let's Encrypt now it should work with
28:48 - 28:53 pretty much anything made in the last quite a while; it works on all the major web
28:53 - 28:56 browsers, it works in Java, it works in pretty much everything you would expect.
28:56 - 29:02 I believe support for very old versions of Internet Explorer is coming
29:02 - 29:09 very soon if it hasn't already, but by and large if you have a site on the
29:09 - 29:15 internet you can be pretty comfortable in the fact that people will be able to connect to
29:15 - 29:18 you just fine.
29:18 - 29:30 Yes, one more question. The question is, is there anything that prevents you from
29:30 - 29:33 requesting certs more frequently, and the answer is no, you can request more
29:33 - 29:40 frequently; the only downside is that, you know, Let's Encrypt has, like, a certain
29:40 - 29:48 amount of rate limiting, you can only issue so many certs so quickly, right, so I wouldn't, I
29:48 - 29:51 recommend that Let's Encrypt not be used for, like, you're building a container, right,
29:51 - 29:55 and just, you know, during your build process the server container goes and
29:55 - 30:00 requests a cert and does all these tests; like, I wouldn't recommend that,
30:00 - 30:04 because there is, there are those rate limits that affect how quickly you can get
30:04 - 30:08 new certs, but, you know, if you want to request a cert every month or so,
30:08 - 30:14 there's nothing stopping you from doing that. I thank you all for coming, I really
30:14 - 30:14 appreciate it.
- Title: Introduction to Let's Encrypt
- Description: Let's Encrypt is a free, automated, and open certificate authority (CA), run for the public's benefit. I'm a Security Engineer at Mozilla, and in this presentation I discuss the past and future of SSL/TLS and HTTPS on the internet, and how Let's Encrypt is promising to make the internet a safer place for everyone.
- Video Language: English
- Duration: 30:27