Insert Name Here
Insert Job Title Here
Insert Company Here
Insert
Social Media
Here
A Moment of Historic Reflection
- In 1995, Netscape released a browser with HTTPS
- For the first time, everyone had easy access to encrypted communications
21 Years Later
- Not enough HTTPS on the Internet
Security is Important
- Confidentiality: Prevent spying on what you're doing
- Authenticity: Ensure you're talking to the real site and not part of a DDoS or being served malware
- Integrity: Prevent injected advertising or tracking cookies
HTTP Injection from Network Operators
"We reveal 14 groups of content injections that primarily aim to impose advertisements or even maliciously compromise the client. Most of the financially-motivated false content injection we observed originated from China. Our analysis found indications that numerous injections originated from networks operated by China Telecom and China Unicom – two of the largest network operators in Asia."
23 Feb 2016, Website-Targeted False Content Injection by Network Operators, Nakibly, Schcolnik, and Rubin
Why has this been so hard to fix?
It Costs Money
- Certificates are required to set up a secure website
- The entities selling them want to make money
The User Experience is Hard
- Manual process, different for every provider
- This leads to things being expensive, difficult, and proprietary
is here to save the day
A Free CA
Things that don't matter:
- Ability to pay
- Where you reside
- Individual, organization, or corporation
An Automated CA
- Most of the work in issuing a certificate is in verifying domain control
- Let's Encrypt uses a standard protocol to verify domain control automatically prior to certificate generation
- Certificate renewals use this same process
A Transparent CA
All certificates are publicly logged through
the Certificate Transparency system
An Open CA
Everything Let's Encrypt uses is open source:
- The software that runs the certificate authority
- The software you use to get a certificate
- Even this presentation!
Pull requests welcome!
A Cooperative CA
- Wide industry sponsorship
- Community development and support
- Built on an open standard for all CAs
Automated Certificate Management Environment (ACME)
- Suppose someone asks for a certificate for example.com
- How do you know they actually own example.com?
Domain Validation
Give them a challenge that only
the domain owner can complete:
- Provision a DNS record for
_acme-challenge.example.com - Provision a file at
http://example.com/.well-known/acme-challenge/ - Configure a TLS server on example.com
An Upcoming Standard
- The ACME protocol is in the process being standardized by the IETF so that it can be used by all CAs
- Support for ACME is spreading: StartCom is switching to ACME after multiple security issues with their custom API
- Help for users is provided by an open community support system
Automated Validation
- Having a standard protocol means that you can build tools
- The vision is for ACME to be built into web servers, to auto-configure HTTPS
Platform Integration
- Increasing numbers of web hosts (Dreamhost, Akamai, Wordpress.com, Shopify, Cyon.ch, and many more...)
- Dozens of community-written clients, written in languages from Golang to BASH
- Future: mod-acme for Apache? nginx patch?
- Caddy HTTP/2 server
The Power of ACME Integration
This Line Keeps Going Upward
How Big Is Let's Encrypt?
- General availability began December 3, 2015 and is already the largest issuer of certificates on the web
- 21st most commonly encountered CA on the web
- Of sites secured with Let's Encrypt, about 94% have never had certificates before
Popular the World 'Round
- Greatest popularity is North America and Europe, perhaps reflecting availability of documentation, software, and internationalized domain support
Growing the Secure Web
- Large providers such as DreamHost, WordPress, Shopify, OVH, Akamai, and Bitly have rolled out large-scale deployments
- Widely used software such as cPanel / WHM now have integrated, automatic certificate generation
- Since its release, HTTPS usage has grown from 38% to 46%, an astounding jump
Past & Future
- 2016 (January): ACME DNS support
- 2016 (March): Full XP support
- 2016 (July): Full support for IPv6
- 2016 (August): Greater rate limits
- 2016 (November): Internationalized domain support
- 2016 (November): Firefox root integration
- 2017 (March): ECDSA intermediaries
“Who should use HTTPS?”
- Get every website using HTTPS
- Secure all the internet: email, chat, and more!
Questions & Answers
