WEBVTT 1 00:00:00.000 --> 00:00:03.399 I ever feel like the Internet is well held together 2 00:00:03.480 --> 00:00:05.960 with like digital duct tape and hope. 3 00:00:06.160 --> 00:00:07.200 Yeah, I know what you mean. 4 00:00:07.360 --> 00:00:10.039 But today we're going deep on one of the threads 5 00:00:10.080 --> 00:00:15.759 that actually keeps things secure, TLS or Transport layer security. 6 00:00:15.919 --> 00:00:19.920 Our guide for this deep dive is TLS Mastery. 7 00:00:20.160 --> 00:00:20.719 Great book. 8 00:00:20.760 --> 00:00:23.079 It's a book that I think even if you are 9 00:00:23.359 --> 00:00:27.320 completely tech averse, right, you'll still find something to enjoy 10 00:00:27.359 --> 00:00:27.879 in this book. 11 00:00:27.960 --> 00:00:28.719 It's fascinating. 12 00:00:28.800 --> 00:00:31.559 It really makes you appreciate all that goes on that 13 00:00:31.600 --> 00:00:33.679 you don't even think about when you're just like behind 14 00:00:33.679 --> 00:00:37.359 the scenes visiting a website. Yeah, exactly. So this deep 15 00:00:37.399 --> 00:00:40.600 dive is your shortcut to understanding not just what TLS is, 16 00:00:40.640 --> 00:00:43.520 but like why you should care about it in a 17 00:00:43.520 --> 00:00:45.759 world that's, you know, more and more online every day. 18 00:00:45.840 --> 00:00:47.960 Well, and what's so interesting about TLS is it's like 19 00:00:48.479 --> 00:00:51.000 the security you never see at a museum. You've got 20 00:00:51.000 --> 00:00:54.280 your velvet ropes, maybe some security guards, but behind the scenes, 21 00:00:54.320 --> 00:00:57.439 there's this whole system that makes sure those priceless artifacts 22 00:00:57.439 --> 00:00:59.640 are protected. That's what TLS is doing. 23 00:00:59.560 --> 00:01:03.920 For the inner Okay, so how does TLS work its magic? 24 00:01:04.239 --> 00:01:04.439 Yeah? 25 00:01:04.560 --> 00:01:07.959 I get that it keeps data safe, but I'll admit 26 00:01:08.079 --> 00:01:09.719 the how has always seemed a bit. 27 00:01:09.680 --> 00:01:10.840 Like a magic trick. 28 00:01:10.920 --> 00:01:12.040 Yeah, like a magic trick to me. 29 00:01:12.200 --> 00:01:16.640 Well, imagine a digital fingerprint, but it's for your data. Okay, 30 00:01:16.840 --> 00:01:19.760 that's hashing. Okay, that's like the first line of defense. 31 00:01:19.959 --> 00:01:23.519 So even the tiniest change to your information, like someone's 32 00:01:23.560 --> 00:01:27.359 trying to, you know, sneak an extra zero onto their 33 00:01:27.439 --> 00:01:32.000 bank transaction, it completely alters that fingerprint, and it's going 34 00:01:32.040 --> 00:01:33.840 to reveal that something's been tampered with. 35 00:01:33.959 --> 00:01:37.280 So it's like a tamperproof seal on like my digital packages. 36 00:01:37.359 --> 00:01:38.599 I like that exactly. 37 00:01:38.680 --> 00:01:42.840 That's reassuring. But what about actually keeping the information secret 38 00:01:43.040 --> 00:01:46.519 like during transit? Right, That's where encryption comes in exactly. Yeah, 39 00:01:46.760 --> 00:01:49.400 think of it this way. Symmetric encryption is like you've 40 00:01:49.439 --> 00:01:52.079 got one key to a safe okay, and both you 41 00:01:52.760 --> 00:01:56.319 and the the recipient need that same key so super fast. 42 00:01:56.799 --> 00:01:58.519 But how do you share that key securely in the 43 00:01:58.519 --> 00:02:00.319 first place? Yeah, that seems like a bit of a 44 00:02:00.400 --> 00:02:01.439 chicken and egg problem. 45 00:02:01.519 --> 00:02:04.560 That's where asymmetric encryption saves the day. This one is 46 00:02:04.599 --> 00:02:07.200 more like your traditional lock and key. You've got a 47 00:02:07.239 --> 00:02:10.360 public key that anyone can use to send you an 48 00:02:10.439 --> 00:02:14.719 encrypted message, but you're the only one with the private key. 49 00:02:14.840 --> 00:02:17.919 You guard that closely to unlock those messages. 50 00:02:18.039 --> 00:02:20.639 So it's like a digital signature. Not only is the 51 00:02:20.680 --> 00:02:22.879 message protected, but you also know who it. 52 00:02:22.840 --> 00:02:25.520 Came from exactly you've got it and TLS. The really 53 00:02:25.520 --> 00:02:28.039 cool thing is it combines these methods. Okay, so you 54 00:02:28.080 --> 00:02:30.840 get the speed, you get the integrity checks, you get 55 00:02:30.879 --> 00:02:35.199 the secure key exchange. It's all working together, seamlessly, seamlessly 56 00:02:35.280 --> 00:02:38.319 behind the scenes, bind the scenes. Yeah. Magic, But here's 57 00:02:38.360 --> 00:02:40.599 where things get a little fuzzy for me and I'm 58 00:02:40.599 --> 00:02:43.639 sure for some of our listeners. How do we actually 59 00:02:43.639 --> 00:02:45.240 know who we're talking to online? 60 00:02:45.280 --> 00:02:47.639 Oh? Yeah, that's a big one. I mean, anyone can 61 00:02:47.639 --> 00:02:49.400 set up a website, right, anyone. 62 00:02:49.159 --> 00:02:51.199 Can set up a website. Yeah, So how does TLS 63 00:02:51.240 --> 00:02:54.199 make sure I'm not like giving my credit card info 64 00:02:54.840 --> 00:02:56.719 to some shady operation. 65 00:02:57.319 --> 00:02:59.639 You've hit on a very crucial point, and that's where 66 00:02:59.680 --> 00:03:03.080 digital certificates come in. Think of it like the website 67 00:03:03.159 --> 00:03:06.680 is showing you their ID card and it's issued. 68 00:03:06.360 --> 00:03:10.000 By a trusted authority called a certificate authority or CA. 69 00:03:10.199 --> 00:03:13.080 So it's like the Internet's passport control. To make sure 70 00:03:13.120 --> 00:03:15.080 that websites are who they say they are. 71 00:03:15.000 --> 00:03:18.960 Precisely, and just like passports, there are different levels of verification. 72 00:03:19.080 --> 00:03:21.360 So tell me more about these levels. What makes one 73 00:03:21.439 --> 00:03:23.840 digital certificate more trustworthy than another. 74 00:03:24.080 --> 00:03:28.639 Well, the most basic is domain validation or DV, and 75 00:03:28.680 --> 00:03:32.479 it simply confirms that the website owns the domain name. 76 00:03:32.800 --> 00:03:35.159 So it's kind of like checking that the name on 77 00:03:35.199 --> 00:03:37.680 the passport matches the person holding it. 78 00:03:37.919 --> 00:03:39.520 Right, that's a good start, but I don't know if 79 00:03:39.560 --> 00:03:43.599 i'd hand over like my life's savings based on that exactly. 80 00:03:43.639 --> 00:03:45.840 It's a good start, but not foolproof. 81 00:03:46.000 --> 00:03:46.120 Right. 82 00:03:46.199 --> 00:03:49.800 That's where organization validated or OV certificates come in. Okay, 83 00:03:50.159 --> 00:03:53.159 this involves a little bit more rigorous checks on the 84 00:03:53.280 --> 00:03:56.360 organization behind the website, so they're digging a little deeper 85 00:03:57.080 --> 00:03:58.360 looking at their credentials. 86 00:03:58.400 --> 00:04:00.680 It's kind of like they're checking those vs A stamps 87 00:04:00.719 --> 00:04:02.039 in the passport. 88 00:04:01.759 --> 00:04:03.840 Exactly where they've been, what they've been up to, are 89 00:04:03.840 --> 00:04:07.759 they legit? And finally, for the highest level of assurance, 90 00:04:08.039 --> 00:04:12.159 we've got extended validation or EV certificates. Okay, this is 91 00:04:12.199 --> 00:04:13.280 like the gold standard. 92 00:04:13.439 --> 00:04:16.399 So if a website has an EV certificate, they're basically 93 00:04:16.560 --> 00:04:19.800 handing me their you know, detailed personal history to prove 94 00:04:19.879 --> 00:04:20.959 that they're the real deal. 95 00:04:21.199 --> 00:04:25.079 Yes, you've got it, okay. And this whole system relies 96 00:04:25.160 --> 00:04:28.040 on what's called a chain of trust. Okay, So each 97 00:04:28.079 --> 00:04:31.560 certificate links back to the CAA that issued it, all 98 00:04:31.600 --> 00:04:33.920 the way up to a root CAA that's trusted by 99 00:04:33.920 --> 00:04:34.480 your browser. 100 00:04:34.560 --> 00:04:37.519 So it's like a family tree of trust exactly, ensuring 101 00:04:37.560 --> 00:04:40.439 that everything can be traced back to like a source 102 00:04:40.480 --> 00:04:41.519 that we already. 103 00:04:41.120 --> 00:04:43.800 Trust, Yes, a reliable source, that makes sense. 104 00:04:44.000 --> 00:04:46.160 But what happens when that trust is broken? Like what 105 00:04:46.240 --> 00:04:50.480 if a certificate gets compromised or a website you know, 106 00:04:50.560 --> 00:04:52.000 just goes completely rogue. 107 00:04:52.079 --> 00:04:55.079 That's where certificate revocation comes into play. It's like having 108 00:04:55.079 --> 00:04:57.279 to change the locks if a key gets stolen. 109 00:04:57.399 --> 00:05:01.160 Okay, So certificate revocation. Okay, So certificate revocation. It sounds 110 00:05:01.160 --> 00:05:05.120 crucial but kind of messy at the same time. Yeah, 111 00:05:05.120 --> 00:05:08.319 it's a necessary evil, right, So how does the Internet 112 00:05:08.399 --> 00:05:11.360 actually deal with the website going rogue? Like is there 113 00:05:11.439 --> 00:05:13.639 some big digital off switch. 114 00:05:13.759 --> 00:05:14.759 Wouldn't that be nice? 115 00:05:14.959 --> 00:05:15.160 Right? 116 00:05:15.480 --> 00:05:18.399 The reality is it's a little more complicated. Think of 117 00:05:18.439 --> 00:05:21.319 it like issuing a recall for a physical key. You 118 00:05:21.399 --> 00:05:24.800 need a way to tell everyone who might have that 119 00:05:24.920 --> 00:05:26.800 key that it's no longer any good. 120 00:05:27.040 --> 00:05:30.199 Okay, So how does that work online? Does my browser 121 00:05:30.319 --> 00:05:34.160 like download this massive list of revoked certificates every time 122 00:05:34.199 --> 00:05:35.519 I go to a new website. 123 00:05:35.560 --> 00:05:37.920 Well, that was one way of doing it, using something 124 00:05:37.920 --> 00:05:41.199 called Certificate Revocation lists or CRLs. Ok but you can 125 00:05:41.279 --> 00:05:44.759 imagine with today's Internet, downloading a whole phone book just 126 00:05:44.800 --> 00:05:47.040 to check one number is not very efficient. 127 00:05:47.319 --> 00:05:49.720 Yeah, that sounds about as fun as dial up. There's 128 00:05:49.720 --> 00:05:50.759 got to be a better way. 129 00:05:50.839 --> 00:05:53.519 There is. There is. It's called OCSP. It stands for 130 00:05:53.639 --> 00:05:57.519 Online Certificates Status Protocol okay, and it basically lets your 131 00:05:57.560 --> 00:06:00.319 browser do a quick check okay, in real time time 132 00:06:00.560 --> 00:06:03.319 to see if a specific certificate is still valid without 133 00:06:03.360 --> 00:06:04.839 needing that huge download. 134 00:06:05.000 --> 00:06:07.759 That makes a lot more sense. So okay, we've got 135 00:06:07.800 --> 00:06:10.560 our digital envelopes, we've got our cryptographic locks and keys. 136 00:06:10.639 --> 00:06:14.040 We've even got ways to like revoke access if things 137 00:06:14.120 --> 00:06:16.560 go sideways. But how does all this play out like 138 00:06:16.839 --> 00:06:19.279 in the real world? What's actually happening when I like 139 00:06:19.560 --> 00:06:20.959 hit enter on a website? 140 00:06:21.079 --> 00:06:25.279 It's a carefully choreographed dance we call the TLS handshake. 141 00:06:25.560 --> 00:06:25.959 Okay. 142 00:06:26.160 --> 00:06:29.600 So imagine you've got two secret agents meeting, okay, and 143 00:06:29.639 --> 00:06:32.120 they need to make sure they can trust each other. First, 144 00:06:32.160 --> 00:06:34.680 they're going to exchange these coded greetings, make sure they 145 00:06:34.680 --> 00:06:37.560 both speak TLS right. Then they're going to flash their 146 00:06:37.560 --> 00:06:40.600 digital certificates, you know, verify their identities. 147 00:06:40.680 --> 00:06:42.639 It's like checking each other's badges to make sure they're 148 00:06:42.680 --> 00:06:44.800 not imposters exactly exactly. 149 00:06:45.240 --> 00:06:48.240 Then comes the negotiation, so they agree on which version 150 00:06:48.240 --> 00:06:50.720 of TLS they're going to use, kind of like picking 151 00:06:50.720 --> 00:06:51.879 the right tools for the job. 152 00:06:52.519 --> 00:06:55.040 So they both make sure they're speaking the same like 153 00:06:55.480 --> 00:06:57.560 security language basically precisely. 154 00:06:57.800 --> 00:07:01.079 And then finally, once that connection is secure, they can 155 00:07:01.079 --> 00:07:05.560 get down to business exchange information safely and securely. 156 00:07:05.879 --> 00:07:10.199 That whole process sounds surprisingly fast for something so complex. 157 00:07:10.360 --> 00:07:13.040 It happens in the blink of an eye, but each 158 00:07:13.160 --> 00:07:15.920 step is crucial to making sure your data is protected. 159 00:07:16.240 --> 00:07:20.160 And actually TLS has this really cool trick called session resumption. 160 00:07:20.439 --> 00:07:23.720 Session session resumption, So imagine you go back to a 161 00:07:23.720 --> 00:07:26.680 website you visited recently. Okay, instead of doing that whole 162 00:07:26.720 --> 00:07:29.759 handshake all over again, TLS lets you reuse some of 163 00:07:29.759 --> 00:07:33.040 the secrets from the previous session. Oh, so the connection 164 00:07:33.079 --> 00:07:33.920 happens much faster. 165 00:07:34.000 --> 00:07:36.079 So it's like you've got a secret handshake now because 166 00:07:36.160 --> 00:07:38.199 speed things up with the sites that you visit all 167 00:07:38.240 --> 00:07:38.560 the time. 168 00:07:38.680 --> 00:07:39.079 Ready to go. 169 00:07:39.480 --> 00:07:42.519 I like that a lot. But speaking of speeding things up, 170 00:07:42.600 --> 00:07:45.399 let's talk about actually getting these certificates in the first place. 171 00:07:45.759 --> 00:07:49.759 I've heard whispers of this thing called ACME acmeme. Is 172 00:07:49.800 --> 00:07:51.000 it as awesome as it sounds? 173 00:07:51.040 --> 00:07:54.279 It is pretty great, Okay. ACME stands for Automated Certificate 174 00:07:54.319 --> 00:07:58.000 Management Environment Okay, and it's a game changer. Remember how 175 00:07:58.000 --> 00:08:01.279 we talked about certificates needed to be renewed, right ACME 176 00:08:02.120 --> 00:08:04.120 automates that entire process for you. 177 00:08:04.199 --> 00:08:08.759 So you're saying no more manually renewing certificates every few months. 178 00:08:09.079 --> 00:08:10.160 Ideally, not anymore. 179 00:08:10.240 --> 00:08:11.160 Okay, tell me more. 180 00:08:11.199 --> 00:08:14.800 It's basically like having a personal assistant for your website security. 181 00:08:14.959 --> 00:08:15.360 Okay. 182 00:08:15.560 --> 00:08:19.279 And the best part is it's often free and incredibly efficient. 183 00:08:19.480 --> 00:08:21.439 Okay. I like where this is going. 184 00:08:22.279 --> 00:08:27.040 ACME uses these things called challenge response mechanisms to verify 185 00:08:27.160 --> 00:08:28.639 that you actually own the domain. 186 00:08:29.040 --> 00:08:32.679 Challenge response that sounds kind of intense. 187 00:08:32.799 --> 00:08:35.200 It's not as intimidating as it sounds. Imagine you're trying 188 00:08:35.240 --> 00:08:37.240 to get into a castle okay, and you have to 189 00:08:37.399 --> 00:08:40.320 solve a riddle to prove you belong there okay. One 190 00:08:40.320 --> 00:08:43.639 of the common challenges is called HTTP zero one okay, 191 00:08:43.679 --> 00:08:47.159 where acme basically says, hey, I need you to put 192 00:08:47.159 --> 00:08:49.960 this specific file in this specific place on your server, 193 00:08:50.320 --> 00:08:52.440 and if it's there, boom ownership verified. 194 00:08:52.879 --> 00:08:55.279 So it's like leaving a sign at the castle gate 195 00:08:55.320 --> 00:08:56.679 to prove you actually have the. 196 00:08:56.720 --> 00:09:00.480 Key exactly exactly. And then there's DNS erro one, which 197 00:09:00.519 --> 00:09:03.559 is a little more involved. It involves creating a specific 198 00:09:03.679 --> 00:09:07.000 DNS record. Think of it like, I don't know, updating 199 00:09:07.039 --> 00:09:10.120 the castle registry with your information. A little more technical, 200 00:09:10.320 --> 00:09:13.559 but important for things like wild card certificates. 201 00:09:13.600 --> 00:09:15.000 Wild card certificates, what are those? 202 00:09:15.480 --> 00:09:19.039 So imagine you have one certificate that secures all the 203 00:09:19.080 --> 00:09:22.759 subdomains of your website. Oh wow, that's the power of 204 00:09:22.799 --> 00:09:23.480 wild cards. 205 00:09:23.600 --> 00:09:24.879 That's amazing. 206 00:09:24.919 --> 00:09:27.679 But like any powerful tool, you got to use it responsibily, 207 00:09:27.759 --> 00:09:28.080 right right. 208 00:09:28.080 --> 00:09:29.960 You don't want to give everyone the master key to 209 00:09:30.000 --> 00:09:31.960 the castle exactly exactly. 210 00:09:32.000 --> 00:09:36.120 It's super important when you're using acme. It's free, it's accessible. 211 00:09:36.720 --> 00:09:39.720 You've got to have really strong security measures in place 212 00:09:40.159 --> 00:09:40.679 because of that. 213 00:09:40.759 --> 00:09:42.679 So what kind of security measures are we talking about? 214 00:09:42.720 --> 00:09:44.080 What should people keep in mind? 215 00:09:44.360 --> 00:09:48.639 Well, one thing is rate limiting. So ACMEA providers they 216 00:09:48.720 --> 00:09:50.720 often have limits on how many times you can request 217 00:09:50.759 --> 00:09:53.519 a certificate. They don't want you going crazy, right. 218 00:09:53.399 --> 00:09:55.879 So don't just hit the quest certificate button a thousand 219 00:09:55.960 --> 00:09:57.200 times in a row exactly. 220 00:09:57.639 --> 00:10:00.679 For most regular users, it's not an issue, but it's 221 00:10:00.759 --> 00:10:02.919 just something to be aware of, especially when you're setting 222 00:10:02.960 --> 00:10:04.080 up your acme client. 223 00:10:04.320 --> 00:10:08.159 Gotcha, so pace yourself. Any other like ACME pro tips 224 00:10:08.240 --> 00:10:09.080 for our listeners. 225 00:10:09.159 --> 00:10:13.039 Yeah, always always test your ACME setup in a staging 226 00:10:13.120 --> 00:10:13.919 environment first. 227 00:10:14.120 --> 00:10:14.480 Okay. 228 00:10:14.720 --> 00:10:17.240 Think of it like a dress reversal before the big show, 229 00:10:17.639 --> 00:10:20.000 right right. You can work out all the kinks that 230 00:10:20.080 --> 00:10:22.039 affect in your live website. 231 00:10:21.600 --> 00:10:25.080 Test before you deploy golden rule. All right, So ACME 232 00:10:25.399 --> 00:10:29.200 sounds like a total game changer for managing certificates. But 233 00:10:29.279 --> 00:10:33.679 what about these other acronyms I keep hearing HSTS and CAA. 234 00:10:34.039 --> 00:10:36.799 Are these part of the TLS superhero team as well? 235 00:10:36.799 --> 00:10:40.200 Oh they are, they are, okay. HSTS stands for HTTP 236 00:10:40.759 --> 00:10:44.360 Strict Transport Security okay, and it's basically like putting a 237 00:10:44.360 --> 00:10:47.360 permanent sign on your website that says HTTPS only. 238 00:10:47.519 --> 00:10:47.840 Okay. 239 00:10:48.080 --> 00:10:51.279 Once it's enabled, it tells browsers, hey, only talk to 240 00:10:51.320 --> 00:10:54.440 my site over a secure connection, even if someone tries 241 00:10:54.440 --> 00:10:56.200 to get there through insecure HTTP. 242 00:10:56.440 --> 00:10:59.720 So like no more accidentally stumbling onto an insecure version 243 00:10:59.720 --> 00:11:00.360 of a way site. 244 00:11:00.440 --> 00:11:02.519 Exactly. It forces that extra level of security. 245 00:11:02.559 --> 00:11:05.000 I like it. What about CAA what's that all about? 246 00:11:05.200 --> 00:11:09.240 CIA sands for certificate authority authorization and it's like choosing 247 00:11:09.279 --> 00:11:11.440 which bouncers you want at the door of your website. 248 00:11:11.480 --> 00:11:13.279 Okay, I like that analogy a lot. So I can 249 00:11:13.320 --> 00:11:17.639 actually like specify which certificate authorities are even allowed to 250 00:11:17.720 --> 00:11:19.519 issue certificates for my domain? 251 00:11:19.679 --> 00:11:20.840 Yes, you got it. 252 00:11:21.000 --> 00:11:21.559 That's cool. 253 00:11:21.639 --> 00:11:24.279 It adds an extra layer of security, saying no, these 254 00:11:24.320 --> 00:11:26.399 are the good guys, These are the ones we trust 255 00:11:26.440 --> 00:11:27.159 to vouch for us. 256 00:11:27.240 --> 00:11:28.759 Right. If they're not on the less, they can't get in. 257 00:11:28.960 --> 00:11:29.480 Exactly. 258 00:11:29.639 --> 00:11:33.440 So HSTS and CIA you are both officially invited to 259 00:11:33.480 --> 00:11:37.240 my next security summit. But even with all these safeguards 260 00:11:37.240 --> 00:11:41.159 in place, things can still go wrong. Of course, what 261 00:11:41.320 --> 00:11:44.960 happens when we need to troubleshoot? You know, TLS issues 262 00:11:45.039 --> 00:11:46.000 are their tools for that. 263 00:11:46.720 --> 00:11:49.559 Absolutely, Yeah, it's always good to have a trusty toolkit 264 00:11:49.639 --> 00:11:52.480 for when your TLS engineers a little tune up right. 265 00:11:52.600 --> 00:11:55.080 One of my go tos is SSL Labs. It's online 266 00:11:55.120 --> 00:11:59.840 to search for it, and they have THISLSSL Configuration Tester. Okay, 267 00:12:00.039 --> 00:12:02.320 you literally type in your website address, it does a scan, 268 00:12:02.720 --> 00:12:05.159 gives you this report card the good, the bad, and 269 00:12:05.200 --> 00:12:07.759 the ugly of your TLS setup. I like it. 270 00:12:07.840 --> 00:12:10.519 No hiding from the vulnerabilities. 271 00:12:09.919 --> 00:12:12.720 No, not at all. And then for folks who like 272 00:12:12.799 --> 00:12:17.000 things a little more command line, there's tests sshole dot 273 00:12:17.120 --> 00:12:20.120 sh It's this really powerful script you can use to 274 00:12:20.200 --> 00:12:23.960 test for very specific vulnerabilities and make sure things are 275 00:12:23.960 --> 00:12:24.960 configured correctly. 276 00:12:25.039 --> 00:12:27.720 So I can use that to test different aspects of 277 00:12:27.799 --> 00:12:31.120 my TLS configuration and make sure everything is really buttoned 278 00:12:31.159 --> 00:12:32.679 up tight exactly. 279 00:12:33.039 --> 00:12:34.960 And then for those who really want to go down 280 00:12:34.960 --> 00:12:37.919 the rabbit hole, there's certificate transparency. 281 00:12:38.120 --> 00:12:40.240 Okay, you're going to have to elaborate on that one. 282 00:12:40.559 --> 00:12:43.159 What in the world I s certificate transparency? 283 00:12:43.279 --> 00:12:46.440 So imagine you've got this public ledger, but it's for 284 00:12:46.519 --> 00:12:50.120 certificates and it basically makes it much harder for these 285 00:12:50.600 --> 00:12:53.399 rogue certificates to slip through the cracks. 286 00:12:53.559 --> 00:12:56.159 Rogue certificates. Those sound kind of scary. 287 00:12:55.919 --> 00:12:57.879 They can be. Think of it like a fake ID, 288 00:12:58.039 --> 00:13:01.440 but for a website. Okay, So certificet transparency. Because it 289 00:13:01.480 --> 00:13:04.919 requires these certificates to be publicly logged, it makes it 290 00:13:05.000 --> 00:13:07.039 much easier to spot those fakes. 291 00:13:07.080 --> 00:13:10.720 So it's like a global neighborhood watch program exactly, but 292 00:13:10.799 --> 00:13:14.559 for the Internet, keeping an eye out for anything suspicious. Okay, 293 00:13:15.039 --> 00:13:17.240 that's reassuring. But here's a thought. 294 00:13:17.879 --> 00:13:18.840 You know, if we've. 295 00:13:18.639 --> 00:13:22.200 Got all these tools, all this technology to try to 296 00:13:22.240 --> 00:13:25.559 make sure that we can communicate securely online, why not 297 00:13:25.720 --> 00:13:28.960 just cut out the middleman and run our own WNCA. 298 00:13:29.000 --> 00:13:30.679 Isn't that like the ultimate control? 299 00:13:30.840 --> 00:13:32.960 That's an excellent question, and it's something that a lot 300 00:13:32.960 --> 00:13:35.720 of organizations think about, especially if they have, you know, 301 00:13:35.840 --> 00:13:38.279 internal networks, very specific use cases. 302 00:13:38.360 --> 00:13:40.360 So it's doable, but maybe not for everyone. 303 00:13:40.480 --> 00:13:43.159 It's doable, but it's not for the faint of heart. 304 00:13:43.200 --> 00:13:45.799 Let's put it that way. Okay, Running a CAA it's 305 00:13:45.799 --> 00:13:49.600 a big responsibility. It requires a really deep understanding of 306 00:13:50.080 --> 00:13:55.559 TLS cryptography security best practices. You're basically becoming your own 307 00:13:55.679 --> 00:13:59.360 passport office. You're issuing them, you're managing them. You have 308 00:13:59.399 --> 00:14:00.720 to deal with evoking them. 309 00:14:00.759 --> 00:14:02.519 So it's not just slapping up a website and calling 310 00:14:02.559 --> 00:14:05.320 it a day, No, not some serious thought that has 311 00:14:05.360 --> 00:14:06.039 to go into it. 312 00:14:06.320 --> 00:14:09.679 Definitely, you have to have certificate policies in place, key management, 313 00:14:10.000 --> 00:14:13.360 what are you going to do about revocation, auditing requirements. 314 00:14:13.399 --> 00:14:14.960 I mean, it's a whole other world. 315 00:14:15.240 --> 00:14:18.039 So it sounds like a fascinating world, but maybe one 316 00:14:18.039 --> 00:14:21.080 that's best left to the experts or people with very 317 00:14:21.200 --> 00:14:25.200 very specific needs, right right, But for listeners who are curious, 318 00:14:25.279 --> 00:14:27.320 who want to, you know, dip their toes in the 319 00:14:27.320 --> 00:14:30.480 CAA waters a little bit, ye, what options are out 320 00:14:30.480 --> 00:14:32.519 there for them? What kind of software is available if 321 00:14:32.559 --> 00:14:35.639 they wanted to, you know, at least understand how it 322 00:14:35.679 --> 00:14:36.639 works a little bit better. 323 00:14:36.919 --> 00:14:39.879 Well, if you're just starting out and you want to experiment, 324 00:14:40.039 --> 00:14:42.720 you know, in a safe environment, right, open ssl is 325 00:14:42.720 --> 00:14:45.480 a great option. It's free, it's incredibly powerful, It comes 326 00:14:45.519 --> 00:14:47.639 with everything you need to kind of set up this 327 00:14:48.039 --> 00:14:51.960 very basic CAA for testing, learning the ropes. 328 00:14:52.200 --> 00:14:55.000 That's like CAA in a box for you know, aspiring 329 00:14:55.200 --> 00:14:56.440 cryptographers exactly. 330 00:14:56.799 --> 00:15:00.240 But it's important to remember open ssl on its own, 331 00:15:00.600 --> 00:15:03.759 not really for production use. It's like practicing sword fighting 332 00:15:03.799 --> 00:15:07.360 with those you know, padded swords before you go into 333 00:15:07.360 --> 00:15:08.480 an actual battle. 334 00:15:08.360 --> 00:15:11.000 Ray, you need to get the real deal exactly. 335 00:15:11.120 --> 00:15:14.639 For more kind of robust, ready for the real world 336 00:15:14.799 --> 00:15:18.200 CAA solutions. There are other options out there, okay, and 337 00:15:18.240 --> 00:15:20.360 east one has, you know, its own strengths and its 338 00:15:20.360 --> 00:15:21.039 own quirks. 339 00:15:21.240 --> 00:15:24.600 So it sounds like there's a whole spectrum of CA 340 00:15:24.600 --> 00:15:27.519 solutions out there, from beginner friendly to something that you 341 00:15:27.559 --> 00:15:30.159 know an enterprise would use. Absolutely, but no matter which 342 00:15:30.240 --> 00:15:32.440 path you choose, it sounds like running a CA is 343 00:15:32.440 --> 00:15:34.000 not a decision to be made lightly. 344 00:15:34.320 --> 00:15:35.519 It is a responsibility. 345 00:15:35.639 --> 00:15:35.840 Yeah. 346 00:15:35.919 --> 00:15:37.399 But you know, before we get too caught up in 347 00:15:37.440 --> 00:15:40.279 all these kind of technical details of running a CA, 348 00:15:40.399 --> 00:15:42.679 let's step back for a second, right, Okay, because we're 349 00:15:42.720 --> 00:15:45.600 talking about certificates, we're talking about encryption. But at the 350 00:15:45.600 --> 00:15:48.879 heart of it, TLS is about trust, Okay. It's about 351 00:15:48.879 --> 00:15:52.879 making sure that the websites we visit, the information we 352 00:15:52.919 --> 00:15:55.960 share online, it's protected and it's legitimate trust. 353 00:15:56.000 --> 00:15:58.480 But verify as they say exactly. 354 00:15:58.200 --> 00:16:01.519 And understanding how TLS works, it gives you the power 355 00:16:01.799 --> 00:16:05.360 to actually make those informed decisions about your own online security. 356 00:16:05.519 --> 00:16:08.200 It helps you be a more discerning digital citizen. 357 00:16:08.559 --> 00:16:11.600 That's a really good point. It's not just about you know, 358 00:16:12.039 --> 00:16:15.840 blindly trusting that things are secure. It's about knowing how 359 00:16:16.240 --> 00:16:20.080 that security happens, right, and then demanding better protection for 360 00:16:20.159 --> 00:16:22.799 ourselves and our data exactly exactly. 361 00:16:22.840 --> 00:16:25.399 And that's something we can all strive for, regardless of 362 00:16:25.399 --> 00:16:26.519 our technical skill level. 363 00:16:26.799 --> 00:16:30.039 So we've talked about, you know, trust and how important 364 00:16:30.039 --> 00:16:32.360 it is in this digital world that we're living in, right, 365 00:16:32.399 --> 00:16:34.600 but how do we actually build that trust. Is it 366 00:16:34.679 --> 00:16:38.639 just about like relying on those big name certificate authorities 367 00:16:38.720 --> 00:16:40.919 that we see listed in our browser settings, or is 368 00:16:40.960 --> 00:16:41.919 there more to it than that. 369 00:16:42.120 --> 00:16:45.440 Well, those big names, they definitely play a crucial role, right, 370 00:16:45.480 --> 00:16:48.120 But it's kind of like imagine a network of trust, 371 00:16:48.720 --> 00:16:52.600 but it's this giant web and it spans the entire globe. Okay, 372 00:16:52.720 --> 00:16:55.120 so you've got your big CA's as like the central hubs, 373 00:16:55.600 --> 00:16:57.759 but they are all these smaller points of trust that 374 00:16:57.799 --> 00:16:58.759 are all interconnected. 375 00:16:58.840 --> 00:17:02.240 Okay, So it's not just about a few powerful entities 376 00:17:02.320 --> 00:17:05.279 like controlling everything. There's room for this more kind of 377 00:17:05.319 --> 00:17:07.960 decentralized trust to emerge exactly exactly. 378 00:17:08.160 --> 00:17:10.960 And we've been focusing on these publicly trusted CAAs the 379 00:17:10.960 --> 00:17:13.640 ones that are recognized by you know, browsers and operating 380 00:17:13.680 --> 00:17:15.000 systems all around. 381 00:17:14.759 --> 00:17:17.480 The world, right, the ones that come preinstall basically. 382 00:17:17.160 --> 00:17:21.759 Yeah, exactly. But what about organizations that have very specific 383 00:17:21.799 --> 00:17:25.359 security needs, right, or they want a bit more control 384 00:17:25.480 --> 00:17:27.200 over their certificate infrastructure. 385 00:17:27.440 --> 00:17:30.160 So you're talking about running your own private CAA. We 386 00:17:30.240 --> 00:17:32.920 touched on it a little earlier. Yes, but it sounded 387 00:17:33.920 --> 00:17:34.759 kind of intense. 388 00:17:35.440 --> 00:17:38.200 It can be. It can be, but it's also not 389 00:17:38.440 --> 00:17:40.880 as daunting as it might seem. Okay, think of it 390 00:17:40.920 --> 00:17:44.079 like you're creating this little circle of trust. Okay, but 391 00:17:44.160 --> 00:17:47.200 it's within your organization, right. You set the rules, you 392 00:17:47.240 --> 00:17:50.279 manage the keys. You have total control over who gets 393 00:17:50.319 --> 00:17:52.599 certificates and what they're allowed to do with them. 394 00:17:52.720 --> 00:17:56.680 So it's like a self governed digital nation, yes, issuing 395 00:17:56.720 --> 00:17:59.799 their own passports and visas exactly, Okay, And. 396 00:17:59.680 --> 00:18:03.039 This is really popular for things like you know, internal networks, 397 00:18:03.279 --> 00:18:05.960 where you might have devices or applications that need to 398 00:18:05.960 --> 00:18:08.559 be able to talk to each other securely, but they 399 00:18:08.559 --> 00:18:10.599 don't need to be publicly trusted. Yeah. 400 00:18:10.680 --> 00:18:12.720 Right, It's like their own little private check room that 401 00:18:12.759 --> 00:18:13.839