Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

20Jul/170

Free SSL certificates

StartSSL certificates isn't trusted by several major browsers anymore and will probably lose all credibility and disappear from the market completely. In it's place we have seen Let's Encrypt growth explode for the last 18 months. This post will cover some background and how to use setup Let's Encrypt on your Amazon EC2 Apache based server.

StartSSL - from start to finish

Eddy Nigg founded StartCom certificate authority back in 2005 but it took until 2009 before there root certificate was trusted and included in major browsers. They offered free SSL certificates and very affordable extended validation and was great for small site projects. Their business model was to only charge for the authentication and then provide the certificates for free. That is all good and well but somewhere it went wrong.

On August 17 2016 Google and Mozilla started a joint investigation into WoSign.  The investigation started after GitHub's security team noticed that WoSign issued a certificate for one of thee domains without there authorization. The investigation uncovered a number of issues and intentional breaches of security on WoSigns part. They also discovered that WoSign purchased StartCom which they tried to deny and hide.

So from Chrome version 56 they started distrusting WoSign and StartCom certificates issued after October 21 2016. Since then it has been escalated into a complete distrust of all there certificates. These days they even admit to it on there own site that not all major browsers trust them...

Do you really need a proper certificate?

I have been having this discussion with countless people over the years. Many people argue that the encryption is the important part and that is only half of the truth. If you are using https site wide it will make your visitors think twice before they visit your site since they will get a warning in there browser that your site is insecure. But what if you only use it for your admin pages? It's encrypted right?

You can use a distrusted certificate or self signed certificate for your admin pages if you like. It will encrypt the traffic but to what end point? When you get the warning you can look at the certificate information and verify that you are actually talking to the correct server. But why wouldn't you be? If it doesn't verify it can be a faked certificate and someone can be doing a man in the middle attack against you.

I actually performed just such an attack on a coworker a few years ago. He used a self signed certificate for is WordPress admin pages so that his username and password wouldn't be transferred in clear text over the network. I pointed out that it was just slightly better then no cert at all but he just told me that I was wrong. So I put up a fake WordPress login page on my laptop, ARP poisoned his machine to intercept the traffic and issued a new self signed certificate. When he went to logon to his blog I redirected the traffic to my fake login page and recorded the password. If he reviewed the certificate in the warning he might have caught the certificate. It was a bad fake, new issue date etc. But he did was he always does and clicked right through the certificate warning.

Let's Encrypt

This service is provided for free by the Internet Security Research group. It basically provides free SSL certificates for anyone who owns a domain. The twist here is that you don't apply for the certificate the old fashioned way but it's an automated process that renews the certificate every 3 months. All certificates that they issue is only valid for 3 months at a time. They verify ownership of the domain by the certificate management daemon you install on your server. Simplified: when it contacts the Let's Encrypt servers to issue a certificate or renew a certificate it communicates back and makes sure that the domain resolves to that specific server.

Let's Encrypt on Amazon EC2

I have read a number of blog posts on this topic and all seem to have issues getting it to work properly on Amazon EC2 servers. I agree it's more streamlined on Googles servers, not surprising since they are involved in the project, but with a few minor changes it works just fine on Amazon EC2 servers as well. Here is a quick break down of what I did to get it to work.

First step is to split up the virtual host configurations in Apache to two different files. If the http and https config are in the same file the daemon will fail to detect your sites. So very simply just split the <VirtualHost> tags for http and https into two files located in /etc/httpd/conf.d/. I named my files domain.com.conf and domain.com.ssl.conf just to keep easy track of them. In the same folder you have ssl.conf make sure to comment out the <VirtualHost> block in that file as well. When it's all done restart apache and test that everything is working. Of course you made copies of the config files before changing?

You can also take this opportunity to look over the SSL protocol and cipher settings in the ssl.conf file. By running a test on your site from SSLLabs you will get a good idea of what you want to run. Simplified you could say that as the site becomes more secure it loses back compatibility with older browsers and operating systems so it's a balance between security and what your users actually use to browse your site.

Then you can install the prerequisite and the Let's Encrypt daemon.

sudo yum install python27-devel git
sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
sudo /opt/letsencrypt/letsencrypt-auto -- debug

It will ask you for your e-mail and accepting the terms of service. Then your site should be configured with a proper SSL certificate. Then just add the auto renew to run daily or at least monthly. If the certificate has less then 1 month of validity left it will be renewed. To do this open up crontab.

30 18 * * * sudo /opt/letsencrypt/letsencrypt-auto renew

Hope this clarified a few things for you!

Comments (0) Trackbacks (0)

No comments yet.


Leave a Reply

No trackbacks yet.