docs/manual/howto/encrypt.xml - httpd - Git at Google

 <?xml version='1.0' encoding='UTF-8' ?>
 <!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
 <!-- $LastChangedRevision$ -->

 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
 -->

 <manualpage metafile="encrypt.xml.meta">
 <parentdocument href="./">How-To / Tutorials</parentdocument>

   <title>How to Encrypt Your Traffic</title>

   <summary>
     <p>This is the how to guide for making your Apache httpd use encryption to transfer
     data between you and your visitors. Instead of http: links, your site will use
     https: ones and, if everything is setup correctly, people visiting your site will
     have their privacy better protected.
     </p>
     <p>
     This How-To is intended for people that are not really into SSL/TLS and ciphers
     and all this crypto techno-babble (We are joking, it's a serious field with
     serious experts and real problems to solve - but it sounds like techno-babble to
     anyone not intimate with it). People who have heard that their http: server is
     not really secure enough nowadays. That spies and bad guys are listening. That even
     legitimate corporations are inserting data into their web pages and selling
     profiles of visitors.
     </p>
     <p>
     This guide wants to help you migrate your httpd server from serving insecure http: links
     to encrypted https: ones, without you becoming a SSL expert first. You might get
     fascinated by all this crypto things and study it more and become a real expert. But
     you also might not, run a reasonably secure web server nevertheless and do other
     things good for mankind with your time.
     </p>
     <p>
     You will get a rough idea what roles these mysterious things called "certificate" and
     "private key" play and how they are used to let your visitors be sure they are talking
     to your server. You will <em>not</em> be told <em>how</em> this works, just how it
     is used: it's basically about passports.
     </p>
   </summary>
   <seealso><a href="../ssl/ssl_howto.html">SSL How-To</a></seealso>
   <seealso><a href="../mod/mod_ssl.html">mod_ssl</a></seealso>
   <seealso><a href="../mod/mod_md.html">mod_md</a></seealso>

   <section id="protocol">
     <title>A short Introduction Certificates, e.g. Internet Passports</title>
     <p>
     The TLS protocol (formerly known as SSL) is a way a client and a server
     can talk to each other without anyone else listening, or better understanding
     a thing. It is what your browser uses when you open a https: link.
     </p>
     <p>
     In addition to having a private conversation with a server, your browser also needs
     to know that it really talks to the server - and not someone else acting like it. That,
     next to the encryption, is the other part of the TLS protocol.
     </p>
     <p>
     In order to do that, your server does not only need the software for TLS, e.g. the
     <a href="../mod/mod_http2.html">mod_ssl</a> module, but some sort of identity proof
     on the Internet. This is commonly referred to as a <em>certificate</em>. Basically, everyone
     has the same mod_ssl and can encrypt, but only your have <em>your</em> certificate
     and with that, you are you.
     </p>
     <p>
     A certificate is the digital equivalent of a passport. It contains two things: a stamp
     of approval from the people issuing the passport and a reference to your digital
     fingerprints, e.g. what is called a <em>private key</em> in encryption terms.
     </p>
     <p>
     When you configure your Apache httpd for https: links, you need to give it the certificate and
     the private key. If you never give the key to anyone else, only you will be able to prove
     to visitors that the certificate belongs to you. That way, a browser talking to your
     server a second time will be sure that it is indeed the very same server it talked
     to before.
     </p>
     <p>
     But how does it know that it is the real server, the first time it starts talking to
     someone? Here, the digital rubber stamping comes into play. The rubber stamp is done
     by someone else, using her own private key. That person has also a certificate, e.g.
     her own passport. The browser can make sure that this passport is based on the same
     key that was used to rubber stamp your server passport. Now, instead of making sure
     that your passport is correct, it must make sure that the passport of the person that
     says <em>your</em> passport is correct, is correct.
     </p>
     <p>
     And that passport is also rubber stamped digitally, by someone else with a key and a
     certificate. So the browser only needs to make sure that <em>that</em> one is correct
     that says it is correct to trust the one that says your server is correct. This trusting
     game can go to a few or many levels (usually less than 5).
     </p>
     <p>
     In the end, the browser will encounter a passport that is stamped by its own key. It's
     a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust
     this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
     </p>
     <p>
     The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your
     operating system) comes with list of Gloria passports to trust, pre-installed. If it
     sees a Gloria certificate, it is either in this list or not to be trusted.
     </p>
     <p>
     This whole thing works as long as everyone keeps his private keys to himself. Anyone copying
     such a key can impersonate the key owner. And if the owner can rubber stamp passports, the
     impersonator can also do that. And all the passports stamped by an impersonator,
     all those certificates will look 100% valid, indistinguishable from the "real" ones.
     </p>
     <p>
     So, this trust model works, but it has its limits. That is why browser makers are so keen
     on having the correct Gloria Gaynor lists and threaten to expel anyone from it that
     is careless with her keys.
     </p>
   </section>

   <section id="buycert">
     <title>Buy a Certificate</title>
     <p>
     Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In
     <a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list
     from Mozilla</a> you find all companies that the Firefox browser trusts. Pick one, visit their
     website and they will tell you what it costs. And how you need to prove that you are who
     you claim to be so they can rubber stamp your passport with confidence.
     </p>
     <p>
     They all have their own methods, also depending on what kind of passport you apply for, and
     it's probably some sort of click web interface in a browser. They may send you an email that
     you need to answer or do something else. In the end, they will show you how to generate
     your own, unique private key and issue you a stamped passport matching it.
     </p>
     <p>
     You then place the key in one file, the certificate in another. Put these on your server, make
     sure that only a trusted user can read the key file and add it to your httpd configuration.
     This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.
     </p>
     <p>
     </p>
   </section>

   <section id="freecert">
     <title>Get a Free Certificate</title>
     <p>
     There are also companies that offer certificates for web servers free of charge. The pioneer
     in this is <a href="https://letsencrypt.org">Let's Encrypt</a> which is a service of the
     <a href="https://www.abetterinternet.org/">Internet Security Research Group (ISRG)</a>, a not-for-profit organization to
     "reduce financial, technological, and education barriers to secure communication over the
     Internet."
     </p>
     <p>
     They not only offer free certificates, they also developed an interface that can be used by
     your Apache httpd to get one. This is where <a href="../mod/mod_md.html">mod_md</a>
     comes in.
     </p>
     <p>
     (zoom out the camera on how to configure mod_md and virtual host...)
     </p>
   </section>

 </manualpage>
	<?xml version='1.0' encoding='UTF-8' ?>
	<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
	<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
	<!-- $LastChangedRevision$ -->

	<!--
	Licensed to the Apache Software Foundation (ASF) under one or more
	contributor license agreements. See the NOTICE file distributed with
	this work for additional information regarding copyright ownership.
	The ASF licenses this file to You under the Apache License, Version 2.0
	(the "License"); you may not use this file except in compliance with
	the License. You may obtain a copy of the License at

	http://www.apache.org/licenses/LICENSE-2.0

	Unless required by applicable law or agreed to in writing, software
	distributed under the License is distributed on an "AS IS" BASIS,
	WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	See the License for the specific language governing permissions and
	limitations under the License.
	-->

	<manualpage metafile="encrypt.xml.meta">
	<parentdocument href="./">How-To / Tutorials</parentdocument>

	<title>How to Encrypt Your Traffic</title>

	<summary>
	<p>This is the how to guide for making your Apache httpd use encryption to transfer
	data between you and your visitors. Instead of http: links, your site will use
	https: ones and, if everything is setup correctly, people visiting your site will
	have their privacy better protected.
	</p>
	<p>
	This How-To is intended for people that are not really into SSL/TLS and ciphers
	and all this crypto techno-babble (We are joking, it's a serious field with
	serious experts and real problems to solve - but it sounds like techno-babble to
	anyone not intimate with it). People who have heard that their http: server is
	not really secure enough nowadays. That spies and bad guys are listening. That even
	legitimate corporations are inserting data into their web pages and selling
	profiles of visitors.
	</p>
	<p>
	This guide wants to help you migrate your httpd server from serving insecure http: links
	to encrypted https: ones, without you becoming a SSL expert first. You might get
	fascinated by all this crypto things and study it more and become a real expert. But
	you also might not, run a reasonably secure web server nevertheless and do other
	things good for mankind with your time.
	</p>
	<p>
	You will get a rough idea what roles these mysterious things called "certificate" and
	"private key" play and how they are used to let your visitors be sure they are talking
	to your server. You will <em>not</em> be told <em>how</em> this works, just how it
	is used: it's basically about passports.
	</p>
	</summary>
	<seealso><a href="../ssl/ssl_howto.html">SSL How-To</a></seealso>
	<seealso><a href="../mod/mod_ssl.html">mod_ssl</a></seealso>
	<seealso><a href="../mod/mod_md.html">mod_md</a></seealso>

	<section id="protocol">
	<title>A short Introduction Certificates, e.g. Internet Passports</title>
	<p>
	The TLS protocol (formerly known as SSL) is a way a client and a server
	can talk to each other without anyone else listening, or better understanding
	a thing. It is what your browser uses when you open a https: link.
	</p>
	<p>
	In addition to having a private conversation with a server, your browser also needs
	to know that it really talks to the server - and not someone else acting like it. That,
	next to the encryption, is the other part of the TLS protocol.
	</p>
	<p>
	In order to do that, your server does not only need the software for TLS, e.g. the
	<a href="../mod/mod_http2.html">mod_ssl</a> module, but some sort of identity proof
	on the Internet. This is commonly referred to as a <em>certificate</em>. Basically, everyone
	has the same mod_ssl and can encrypt, but only your have <em>your</em> certificate
	and with that, you are you.
	</p>
	<p>
	A certificate is the digital equivalent of a passport. It contains two things: a stamp
	of approval from the people issuing the passport and a reference to your digital
	fingerprints, e.g. what is called a <em>private key</em> in encryption terms.
	</p>
	<p>
	When you configure your Apache httpd for https: links, you need to give it the certificate and
	the private key. If you never give the key to anyone else, only you will be able to prove
	to visitors that the certificate belongs to you. That way, a browser talking to your
	server a second time will be sure that it is indeed the very same server it talked
	to before.
	</p>
	<p>
	But how does it know that it is the real server, the first time it starts talking to
	someone? Here, the digital rubber stamping comes into play. The rubber stamp is done
	by someone else, using her own private key. That person has also a certificate, e.g.
	her own passport. The browser can make sure that this passport is based on the same
	key that was used to rubber stamp your server passport. Now, instead of making sure
	that your passport is correct, it must make sure that the passport of the person that
	says <em>your</em> passport is correct, is correct.
	</p>
	<p>
	And that passport is also rubber stamped digitally, by someone else with a key and a
	certificate. So the browser only needs to make sure that <em>that</em> one is correct
	that says it is correct to trust the one that says your server is correct. This trusting
	game can go to a few or many levels (usually less than 5).
	</p>
	<p>
	In the end, the browser will encounter a passport that is stamped by its own key. It's
	a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust
	this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
	</p>
	<p>
	The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your
	operating system) comes with list of Gloria passports to trust, pre-installed. If it
	sees a Gloria certificate, it is either in this list or not to be trusted.
	</p>
	<p>
	This whole thing works as long as everyone keeps his private keys to himself. Anyone copying
	such a key can impersonate the key owner. And if the owner can rubber stamp passports, the
	impersonator can also do that. And all the passports stamped by an impersonator,
	all those certificates will look 100% valid, indistinguishable from the "real" ones.
	</p>
	<p>
	So, this trust model works, but it has its limits. That is why browser makers are so keen
	on having the correct Gloria Gaynor lists and threaten to expel anyone from it that
	is careless with her keys.
	</p>
	</section>

	<section id="buycert">
	<title>Buy a Certificate</title>
	<p>
	Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In
	<a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list
	from Mozilla</a> you find all companies that the Firefox browser trusts. Pick one, visit their
	website and they will tell you what it costs. And how you need to prove that you are who
	you claim to be so they can rubber stamp your passport with confidence.
	</p>
	<p>
	They all have their own methods, also depending on what kind of passport you apply for, and
	it's probably some sort of click web interface in a browser. They may send you an email that
	you need to answer or do something else. In the end, they will show you how to generate
	your own, unique private key and issue you a stamped passport matching it.
	</p>
	<p>
	You then place the key in one file, the certificate in another. Put these on your server, make
	sure that only a trusted user can read the key file and add it to your httpd configuration.
	This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.
	</p>
	<p>
	</p>
	</section>

	<section id="freecert">
	<title>Get a Free Certificate</title>
	<p>
	There are also companies that offer certificates for web servers free of charge. The pioneer
	in this is <a href="https://letsencrypt.org">Let's Encrypt</a> which is a service of the
	<a href="https://www.abetterinternet.org/">Internet Security Research Group (ISRG)</a>, a not-for-profit organization to
	"reduce financial, technological, and education barriers to secure communication over the
	Internet."
	</p>
	<p>
	They not only offer free certificates, they also developed an interface that can be used by
	your Apache httpd to get one. This is where <a href="../mod/mod_md.html">mod_md</a>
	comes in.
	</p>
	<p>
	(zoom out the camera on how to configure mod_md and virtual host...)
	</p>
	</section>

	</manualpage>