1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
<?xml version='1.0' encoding='UTF-8' ?>
<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<!-- $LastChangedRevision$ -->
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<manualpage metafile="encrypt.xml.meta">
<parentdocument href="./">How-To / Tutorials</parentdocument>
<title>How to Encrypt Your Traffic</title>
<summary>
<p>This is the how to guide for making your Apache httpd use encryption to transfer
data between you and your visitors. Instead of http: links, your site will use
https: ones and, if everything is setup correctly, people visiting your site will
have their privacy better protected.
</p>
<p>
This How-To is intended for people that are not really into SSL/TLS and ciphers
and all this crypto techno-babble (We are joking, it's a serious field with
serious experts and real problems to solve - but it sounds like techno-babble to
anyone not intimate with it). People who have heard that their http: server is
not really secure enough nowadays. That spies and bad guys are listening. That even
legitimate corporations are inserting data into their web pages and selling
profiles of visitors.
</p>
<p>
This guide wants to help you migrate your httpd server from serving insecure http: links
to encrypted https: ones, without you becoming a SSL expert first. You might get
fascinated by all this crypto things and study it more and become a real expert. But
you also might not, run a reasonably secure web server nevertheless and do other
things good for mankind with your time.
</p>
<p>
You will get a rough idea what roles these mysterious things called "certificate" and
"private key" play and how they are used to let your visitors be sure they are talking
to your server. You will <em>not</em> be told <em>how</em> this works, just how it
is used: it's basically about passports.
</p>
</summary>
<seealso><a href="../ssl/ssl_howto.html">SSL How-To</a></seealso>
<seealso><a href="../mod/mod_ssl.html">mod_ssl</a></seealso>
<seealso><a href="../mod/mod_md.html">mod_md</a></seealso>
<section id="protocol">
<title>A short Introduction Certificates, e.g. Internet Passports</title>
<p>
The TLS protocol (formerly known as SSL) is a way a client and a server
can talk to each other without anyone else listening, or better understanding
a thing. It is what your browser uses when you open a https: link.
</p>
<p>
In addition to having a private conversation with a server, your browser also needs
to know that it really talks to the server - and not someone else acting like it. That,
next to the encryption, is the other part of the TLS protocol.
</p>
<p>
In order to do that, your server does not only need the software for TLS, e.g. the
<a href="../mod/mod_http2.html">mod_ssl</a> module, but some sort of identity proof
on the Internet. This is commonly referred to as a <em>certificate</em>. Basically, everyone
has the same mod_ssl and can encrypt, but only your have <em>your</em> certificate
and with that, you are you.
</p>
<p>
A certificate is the digital equivalent of a passport. It contains two things: a stamp
of approval from the people issuing the passport and a reference to your digital
fingerprints, e.g. what is called a <em>private key</em> in encryption terms.
</p>
<p>
When you configure your Apache httpd for https: links, you need to give it the certificate and
the private key. If you never give the key to anyone else, only you will be able to prove
to visitors that the certificate belongs to you. That way, a browser talking to your
server a second time will be sure that it is indeed the very same server it talked
to before.
</p>
<p>
But how does it know that it is the real server, the first time it starts talking to
someone? Here, the digital rubber stamping comes into play. The rubber stamp is done
by someone else, using her own private key. That person has also a certificate, e.g.
her own passport. The browser can make sure that this passport is based on the same
key that was used to rubber stamp your server passport. Now, instead of making sure
that your passport is correct, it must make sure that the passport of the person that
says <em>your</em> passport is correct, is correct.
</p>
<p>
And that passport is also rubber stamped digitally, by someone else with a key and a
certificate. So the browser only needs to make sure that <em>that</em> one is correct
that says it is correct to trust the one that says your server is correct. This trusting
game can go to a few or many levels (usually less than 5).
</p>
<p>
In the end, the browser will encounter a passport that is stamped by its own key. It's
a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust
this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
</p>
<p>
The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your
operating system) comes with list of Gloria passports to trust, pre-installed. If it
sees a Gloria certificate, it is either in this list or not to be trusted.
</p>
<p>
This whole thing works as long as everyone keeps his private keys to himself. Anyone copying
such a key can impersonate the key owner. And if the owner can rubber stamp passports, the
impersonator can also do that. And all the passports stamped by an impersonator,
all those certificates will look 100% valid, indistinguishable from the "real" ones.
</p>
<p>
So, this trust model works, but it has its limits. That is why browser makers are so keen
on having the correct Gloria Gaynor lists and threaten to expel anyone from it that
is careless with her keys.
</p>
</section>
<section id="buycert">
<title>Buy a Certificate</title>
<p>
Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In
<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list
from Mozilla</a> you find all companies that the Firefox browser trusts. Pick one, visit their
website and they will tell you what it costs. And how you need to prove that you are who
you claim to be so they can rubber stamp your passport with confidence.
</p>
<p>
They all have their own methods, also depending on what kind of passport you apply for, and
it's probably some sort of click web interface in a browser. They may send you an email that
you need to answer or do something else. In the end, they will show you how to generate
your own, unique private key and issue you a stamped passport matching it.
</p>
<p>
You then place the key in one file, the certificate in another. Put these on your server, make
sure that only a trusted user can read the key file and add it to your httpd configuration.
This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.
</p>
<p>
</p>
</section>
<section id="freecert">
<title>Get a Free Certificate</title>
<p>
There are also companies that offer certificates for web servers free of charge. The pioneer
in this is <a href="https://letsencrypt.org">Let's Encrypt</a> which is a service of the
<a href="https://www.abetterinternet.org/">Internet Security Research Group (ISRG)</a>, a not-for-profit organization to
"reduce financial, technological, and education barriers to secure communication over the
Internet."
</p>
<p>
They not only offer free certificates, they also developed an interface that can be used by
your Apache httpd to get one. This is where <a href="../mod/mod_md.html">mod_md</a>
comes in.
</p>
<p>
(zoom out the camera on how to configure mod_md and virtual host...)
</p>
</section>
</manualpage>
|
