--- /dev/null
+<?xml version='1.0' encoding='UTF-8' ?>
+<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: 1779744 $ -->
+
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<manualpage metafile="encrypt.xml.meta">
+<parentdocument href="./">How-To / Tutorials</parentdocument>
+
+ <title>How to Encrypt Your Traffic</title>
+
+ <summary>
+ <p>This is the how to guide for making your Apache httpd use encryption to transfer
+ data between you and your visitors. Instead of http: links, your site will use
+ https: ones and, if everything is setup correctly, people visiting your site will
+ have their privacy better protected.
+ </p>
+ <p>
+ This How-To is intended for people that are not really into SSL/TLS and ciphers
+ and all this crypto techno-babble (We are joking, it's a serious field with
+ serious experts and real problems to solve - but it sounds like techno-babble to
+ anyone not intimate with it). People who have heard that their http: server is
+ not really secure enough nowadays. That spies and bad guys are listening. That even
+ legitimate corporations are inserting data into their web pages and selling
+ profiles of visitors.
+ </p>
+ <p>
+ This guide wants to help you migrate your httpd server from serving insecure http: links
+ to encrypted https: ones, without you becoming a SSL expert first. You might get
+ fascinated by all this crypto things and study it more and become a real expert. But
+ you also might not, run a reasonably secure web server nevertheless and do other
+ things good for mankind with your time.
+ </p>
+ <p>
+ You will get a rough idea what roles these mysterious things called "certificate" and
+ "private key" play and how they are used to let your visitors be sure they are talking
+ to your server. You will <em>not</em> be told <em>how</em> this works, just how it
+ is used: it's basically about passports.
+ </p>
+ </summary>
+ <seealso><a href="../ssl/ssl_howto.html">SSL How-To</a></seealso>
+ <seealso><a href="../mod/mod_ssl.html">mod_ssl</a></seealso>
+ <seealso><a href="../mod/mod_md.html">mod_md</a></seealso>
+
+ <section id="protocol">
+ <title>A short Introduction Certificates, e.g. Internet Passports</title>
+ <p>
+ The TLS protocol (formerly known as SSL) is a way a client and a server
+ can talk to each other without anyone else listening, or better understanding
+ a thing. It is what your browser uses when you open a https: link.
+ </p>
+ <p>
+ In addition to having a private conversation with a server, your browser also needs
+ to know that it really talks to the server - and not someone else acting like it. That,
+ next to the encryption, is the other part of the TLS protocol.
+ </p>
+ <p>
+ In order to do that, your server does not only need the software for TLS, e.g. the
+ <a href="../mod/mod_http2.html">mod_ssl</a> module, but some sort of identity proof
+ on the Internet. This is commonly referred to as a <em>certificate</em>. Basically, everyone
+ has the same mod_ssl and can encrypt, but only your have <em>your</em> certificate
+ and with that, you are you.
+ </p>
+ <p>
+ A certificate is the digital equivalent of a passport. It contains two things: a stamp
+ of approval from the people issuing the passport and a reference to your digital
+ fingerprints, e.g. what is called a <em>private key</em> in encryption terms.
+ </p>
+ <p>
+ When you configure your Apache httpd for https: links, you need to give it the certificate and
+ the private key. If you never give the key to anyone else, only you will be able to prove
+ to visitors that the certificate belongs to you. That way, a browser talking to your
+ server a second time will be sure that it is indeed the very same server it talked
+ to before.
+ </p>
+ <p>
+ But how does it know that it is the real server, the first time it starts talking to
+ someone? Here, the digital rubber stamping comes into play. The rubber stamp is done
+ by someone else, using her own private key. That person has also a certificate, e.g.
+ her own passport. The browser can make sure that this passport is based on the same
+ key that was used to rubber stamp your server passport. Now, instead of making sure
+ that your passport is correct, it must make sure that the passport of the person that
+ says <em>your</em> passport is correct, is correct.
+ </p>
+ <p>
+ And that passport is also rubber stamped digitally, by someone else with a key and a
+ certificate. So the browser only needs to make sure that <em>that</em> one is correct
+ that says it is correct to trust the one that says your server is correct. This trusting
+ game can go to a few or many levels (usually less than 5).
+ </p>
+ <p>
+ In the end, the browser will encounter a passport that is stamped by its own key. It's
+ a Gloria Gaynor certificate that says "I am what I am!". The browser then either trust
+ this Gloria or not. If not, your server is also not trusted. Otherwise, it is. Simple.
+ </p>
+ <p>
+ The trust check for the Gloria Gaynors of the Internet is easy: your browser (or your
+ operating system) comes with list of Gloria passports to trust, pre-installed. If it
+ sees a Gloria certificate, it is either in this list or not to be trusted.
+ </p>
+ <p>
+ This whole thing works as long as everyone keeps his private keys to himself. Anyone copying
+ such a key can impersonate the key owner. And if the owner can rubber stamp passports, the
+ impersonator can also do that. And all the passports stamped by an impersonator,
+ all those certificates will look 100% valid, indistinguishable from the "real" ones.
+ </p>
+ <p>
+ So, this trust model works, but it has its limits. That is why browser makers are so keen
+ on having the correct Gloria Gaynor lists and threaten to expel anyone from it that
+ is careless with her keys.
+ </p>
+ </section>
+
+ <section id="buycert">
+ <title>Buy a Certificate</title>
+ <p>
+ Well, you can buy one. There are a lot of companies selling Internet Passports as a service. In
+ <a href="https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport">this list
+ from Mozilla</a> you find all companies that the Firefox browser trusts. Pick one, visit their
+ website and they will tell you what it costs. And how you need to prove that you are who
+ you claim to be so they can rubber stamp your passport with confidence.
+ </p>
+ <p>
+ They all have their own methods, also depending on what kind of passport you apply for, and
+ it's probably some sort of click web interface in a browser. They may send you an email that
+ you need to answer or do something else. In the end, they will show you how to generate
+ your own, unique private key and issue you a stamped passport matching it.
+ </p>
+ <p>
+ You then place the key in one file, the certificate in another. Put these on your server, make
+ sure that only a trusted user can read the key file and add it to your httpd configuration.
+ This is extensively covered in the <a href="../ssl/ssl_howto.html">SSL How-To</a>.
+ </p>
+ <p>
+ </p>
+ </section>
+
+ <section id="freecert">
+ <title>Get a Free Certificate</title>
+ <p>
+ There are also companies that offer certificates for web servers free of charge. The pioneer
+ in this is <a href="https://letsencrypt.org">Let's Encrypt</a> which is a service of the
+ <a href="">Internet Security Research Group (ISRG)</a>, a not-for-profit organization to
+ "reduce financial, technological, and education barriers to secure communication over the
+ Internet."
+ </p>
+ <p>
+ They not offer free certificates, they also developed a interface that can be used by
+ your Apache httpd to get one. This is where <a href="../mod/mod_md.html">mod_md</a>
+ comes in.
+ </p>
+ <p>
+ (zoom out the camera on how to configure mod_md and virtual host...)
+ </p>
+ </section>
+
+ <section id="">
+ <title></title>
+ <p>
+ </p>
+ </section>
+
+</manualpage>
projects / thirdparty / apache / httpd.git / commitdiff
