Feb 8th, 2018 - written by Kimserey with .
Few months ago I explained briefly how SSL could be setup with CloudFlare. Today I would like to share another way to get a SSL certificate for free via a browser based implementation of Let’s Encrypt.
SSL provides a secure layer on top of HTTP. It allows to encrypt communication between client and server in order to prevent man in the middle attacks and eavesdropping.
An SSL is composed by two pieces, a certificate and a private key. The private key must be securely kept by the server while the certificate is distributed to all client.
The goal of the SSL is to ensure two things:
The encryption is established by an asymetric key pair. The private key is held by the server while the public key is distributed to clients within the cert.
During the handshake process, a symmetric key is created and exchanged in a secure why via the encryption using the inital assymetric key pair. From then on every messages exchanged between server and client can only be decrypted by either the client or the server.
The symmetric key is necessary because if we were to use the asymetric key, any client would be able to decrypt messages sent to other clients using the public key in the cert.
In this manner all communications are encrypted. But nothing prevents someone to impersonate the server and provide the client with its own certificate and public key which the client will trust and send its data to this malicious server.
Here comes the certifacte authority.
Certificate authorities are the companies which manage SSL certificates. They are the police of certificates hence their name.
As explained in 1), anyone could create a certificate and deliver it to the client but what prevents it from happening is that browsers, Chrome, Firefox, Edge, etc… only trust certificates which were certified by certificate authorities.
Every certificate authorities have an asymetric key pair and use their private key to sign each certificates they deliver. The public key is held inside all browsers. Chrome, Firefox etc were installed with a big list of certificate authorities together with their public key. When an SSL connection tries to occur, the certificate is exchanged and the browser will use its CA public key to decrypt the signature and validate the content of the cert.
Asymetric keys are bidirectional, messages encrypted by the private key can only be decrypted by the public key and messages encrypted by the public key can only be decrypted by the public key.
It isn’t possible to forge the signature of the certificate without possessing the private key which is held by the certificate authority therefore it isn’t possible to forge a certificate at all which allows to protect against impersonation of the server.
As explained in 1) in order to protect a website we need an SSL certificate and we need to have that certificate from a CA in order for the browser to trust it. On top of that, CA services aren’t free.
Here come Let’s Encrypt. Let’s Encrypt allows us to remove the CA component by hosting our own CA. The protocol used is the ACME protocol which was develop for Let’s Encrypt service.
It allows complet automation of the CA part which has then allowed website to get SSL certs trusted for free.
In order to quickly get a SSL cert, it is possible to use a browser based implementation like https://www.sslforfree.com. SSL for free provides a signed certificate trusted. You do have to trust that they are not saving your private key. The site is referenced in Let’s Encrypt website in the browser based section.
If you wish to provide your own certificate to be sign by SSL for free, you can provide your CSR using the manual option. You will need to generate your own cerficate and then upload the CSR to SSL for free, this will allow you to be the only party handling the private key.
The goal of the CA being to sign a certificate which specify the domain and the source therefore you will have to prove to SSL for free that you own the domain for which you want to create a certificate for. There are 3 ways, one through the domain management, another through FTP and the last one through HTTP.
If like me, you are building on ASP.NET Core, a quick way is to provide the endpoint to serve the verification file. After that from SSL for free, request for a verification. SSL for free will verify that you have added the file they asked and therefore will know that you do have control over the resource under the domain name.
And that’s how you get a free SSL cert!
Over the past few years the world have learnt the difference between insecure and secure web browsing. We have learnt that sending data through HTTP can easily be seen by each parties in between. This can frequently occur as we are more and more connected everyday through public WIFI. We now know that whatever information we send through the wire should be encrypted by sending it through HTTPS. Chrome for example will prompt that the connection is unsecure when visiting non HTTPS website where data is exchanged from client to server. Thanks to Let’s Encrypt and ACME protocol, everyone can now get a free SSL cert. Today we saw how we could use a browser based implementation of the ACME protocol to enable HTTPS on our domain and enable secure browsing for our clients. Hope you like this post, see you next time!