Version Tomorrow is the first day of the rest of your life
lecture: Moving towards fully encrypted web
Checkpoint on the road towards inevitable
In this talk I'm going to go through the problems people are facing in moving from HTTP to HTTPS, and why it's sometimes not seen as worth the time investment: which things are broken in web TLS at the moment, but moreover how we already have the tools that address most of the problems and how to use them effectively. I'll also cover the plumbing behind the transactions, the protocols used and the different possibilities for automating it all.
We tend to expect a certain level of security and privacy on the wire in the communication methods we use today. Instant messaging and email - encrypted, of course. The web, on the other hand, still goes largely unencrypted. Why is that? Are we lazy? Well, yes and no.
Obtaining TLS certificates has been a tedious process, and you've had to jump through the same hoops every time your certificate is about to expire, going through the same forest of pain each time.
TLS configuration is similarly painful: the initial setup, and cleaning up the broken bits of configuration every now and then in a constantly changing vulnerability landscape, is a constant pain. This easily results in skipping TLS altogether when it's not absolutely needed and critical. However, we keep forgetting this, and far too often refuse to think of plain-text data transferred over HTTP as untrustworthy.
Subjects I'm planning to touch in the talk:
- ACME (Automated Certificate Management Environment) protocol, currently used by Let's Encrypt and hopefully by other CAs in the future
- Problems with TLS adoption, and how we're speeding it up
- Broken standards behind common TLS implementations
- Automating most if not all of the tedious work
- Bliss of certificate transparency
- Mishaps of CAs and the reasons behind them.