KWLUG Meeting: Monday, February 6 2017, 7pm
UPDATE: Unfortunately Mark was attacked by germs over the weekend, and won't be able to present today. His OSSIM presentation has been deferred.
Joff Voskamp will also review his recent experience with Let's Encrypt SSL certificates to secure his websites. He will describe the group's background, how the certificates work, and demonstrate how he is using them.
At the last minute, Jason Zvaniga has heroically volunteered to give a short introduction to cryptocurrencies and the Canada eCoin Project.
Presentation notes for Let's Encrypt
A few quick points:
- if you can point DNS to your webserver you can get a certificate.
- if you're pretty quick with DNS you don't need the webserver. :-)
- individual certificates are only good for 90 days, but the tools make renewing very easy
- there are limits, but they're very high
Year in Review:
- https://letsencrypt.org/2017/01/06/le-2016-in-review.html
- We've hit 50%
- It's not just for web pages any more; plenty of other services can use certificates:
- Self-signed is fine for anything in-house (LDAP, MySQL)
- Get yourself a real certificate for things that face the world (IMAP, SMTP, NNTP)
- Dozens more - "egrep 'SSL|TLS' /etc/services|more"
Cert in Brief:
- Self-signed
  - Trust it if you trust the issuer
  - $0 certs. Great for internal use
- Domain Validation - you control the machine (DNS|webserver|etc)
  - Easy to verify - no guarantees that they are anyone in particular
  - Easy to automate, "easy" to do for free
  - Only usable for externally visible sites
- Organizational Validation - you run the company that runs the machine
  - Harder to verify but they are who they say they are
  - You can't really automate verifying paperwork
- Extended Validation - you run the company that runs the machine
  - You are vetted by the issuer
  - Hasn't really caught on
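As an added example (not code from the presentation, Let's Encrypt or certbot), here is what a client actually publishes for the two domain-validation challenges mentioned above: the http-01 file on the webserver, and the dns-01 TXT record that lets you skip the webserver if you are quick with DNS. It implements the key-authorization construction from RFC 8555 and the JWK thumbprint from RFC 7638 using only the standard library. The account key is the public RSA example key printed in RFC 7638 (used here purely as sample input), and the token and domain are constructed sample values. Passing either challenge is all the CA checks before issuing, which is exactly why a DV certificate says nothing about who you are.

```python
"""ACME (RFC 8555) domain-validation challenge responses, computed offline.

Added example for these meeting notes; not code from Let's Encrypt, certbot
or the presenter. Assumptions: the account JWK below is the public RSA
example key from RFC 7638 section 3.1, and the token/domain are constructed.
"""
import base64
import hashlib
import json

# Sample input: the RFC 7638 example public JWK (a published test key).
SAMPLE_ACCOUNT_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}

# Constructed sample token; a real CA generates a fresh one per challenge.
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"
SAMPLE_DOMAIN = "example.com"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the *required* public members only,
    serialized as compact JSON with lexicographically ordered keys.
    Optional members such as 'alg' and 'kid' must not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = required[jwk["kty"]]
    canonical = json.dumps(
        {k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":")
    )
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to *this* account key, so a
    token observed in transit cannot be answered by a different account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict):
    """Return (URL path, exact body) the CA fetches over plain HTTP on port 80.
    The body is the key authorization itself, served as text."""
    return f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """Return (TXT record name, value). The value is the base64url SHA-256 of
    the key authorization, so the record never carries the authorization
    string itself. No webserver is needed for this challenge."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


if __name__ == "__main__":
    path, body = http01_response(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"http-01: serve GET {path} with body:\n  {body}")
    name, value = dns01_record(SAMPLE_DOMAIN, SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f"dns-01:  publish TXT {name} = {value}")
```

The thumbprint is what ties both proofs to your ACME account key; rotating the account key changes every challenge response, and a challenge answered for one key cannot be replayed by another account. The dns-01 value is a hash, which is why the TXT record can sit in a public zone without leaking the authorization string.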
Let's Encrypt went to public beta in December 2015.
Features:
- ACME DNS challenge enabled January 20, 2016. Support in certbot is coming (harder to automate)
- ECDSA signing enabled February 10, 2016 - full ECDSA chain hopefully by the end of March
- IPv6 enabled July 26, 2016
- Internationalized Domain Names enabled October 20, 2016
- Windows XP interoperability enabled March 25, 2016.
Annual budget for 2017 is expected to be about $2M (USD)
See also:
- https://letsencrypt.org
- https://twitter.com/letsencrypt
- https://certbot.eff.org/
- https://observatory.mozilla.org
- https://www.ssllabs.com/ssltest/
- https://codeascraft.com/2017/01/31/how-etsy-manages-https-and-ssl-certi…
Interested in helping:
Jason has posted his slides at https://f9ekkdjyuja1sh4cel2o.koad.sandcats.io/index.html#/