A tutorial on how you can host mul$ple SSL Cer$ficates on a single IP address without losing any backward compa6bility

(1)

Authentication. Security. Trust.

A tutorial on how you can host

mul$ple SSL Cer$ﬁcates on a

single IP

address without losing any backward compa6bility

Paul van Brouwershaven

Business Development Director EMEA, GlobalSign @vanbroup on TwiBer

(2)

(3)

www.globalsign.com

(4)

Business Development Director

§  Business Development Director for

GlobalSign

§  Previously CTO of a European hos6ng

company

§  Over 10 years of experience in the hos$ng industry

§  Expert in digital cer6ﬁcate solu6ons

§  Dedicated to increasing awareness of the

requirements for online security

§  Thinking out of the box, detec6ng

(5)

www.globalsign.com

Mul$ple

SSL Cer$ﬁcates on

(6)

More demands and requirements for SSL

Article 17 of Directive 95/46/EC of the European Parliament

Security of processing

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss,

alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of

data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

(7)

www.globalsign.com

(8)

Why do I need a

(9)

www.globalsign.com

Request on a non-‐secure connec$on

Client

•  HTTP Request: Can you please send me /contact.html on

www.domain.com

Server

(10)

(11)

www.globalsign.com

Request on a secure connec$on

Client •  (TLS Handshake) Hello, I support XYZ Encryp6on.

Server

•  (TLS Handshake) Hi there, here is my public cer6ﬁcate, let’s use this encryp6on algorithm.

Client •  (TLS Handshake) Sounds good to me.

Client

•  (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com

(12)

Server Name Indica$on (SNI)

Client

•  (TLS Handshake) Hello, I support XYZ Encryp6on, and I am trying to connect to ’www.domain.com'.

Server

•  (TLS Handshake) Hi there, here is my public Cer6ﬁcate for

www.domain.com, and let’s use this encryp6on algorithm.

Client •  (TLS Handshake) Sounds good to me.

Client

•  (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com

(13)

www.globalsign.com

Request on a secure connec$on

74.125.136.103 : 443 www.google.com 1 2 3 4 5 - www.google.co.uk - www.google.gr - www.google.com - www.google.fr - www.google.de www.google.com

(14)

(15)

www.globalsign.com

(16)

§  All versions of Internet Explorer on Windows XP

§  Android 2.x [Gingerbread] default browser (other browsers

like Opera do support SNI on Android)

§  BlackBerry Browser

§  Windows Mobile up to 6.5

(17)

www.globalsign.com

(18)

Opera$ng System Usage -‐

Win XP – per con$nent

5 10 15 20 25 30 35 40

WinXP usage (July 2013)

Africa Asia Europe North America Oceania South America

(19)

www.globalsign.com

(20)

Internet Explorer market share – Per con$nent

5% 10% 15% 20% 25% 30% 35%

IE market share (July 2013)

Africa Asia Europe North America Oceania South America

(21)

www.globalsign.com

(22)

25% of 21% = 5.3%

Internet Explorer Windows XP

+ mobile traffic

=

Or 8% of your world wide visitors?

8%

of World Wide internet users

do not support

Server Name

(23)

www.globalsign.com

§  There is no problem when you need to secure a website or

portal that is used by a closed community or business that has no Windows XP users.

§  Provide SNI support for free with an SSL Cer6ﬁcate

−  Users can decide to provide an unsecure connec6on and a warning to visitors

with an outdated system.

§  Calculate an addi6onal fee for users that want to have full

compa6bility and thus a dedicated IP number

(24)

(25)

www.globalsign.com

What are the alterna$ve

solu$ons?

(26)

§  One SSL Cer6ﬁcate for mul6ple

domain names from diﬀerent organisa6ons.

§  The cer6ﬁcate contains the

hos6ng company’s details.

§  Domain control is veriﬁed for

each domain.

(27)

www.globalsign.com

(28)

§  A mul6-‐domain cer6ﬁcate usually runs on shared hos6ng server

or reversed proxy DN

§  Domain control is validated for each SAN

§  SSL Cer6ﬁcate accessible by server or network administrator

with root permissions

§  Informa6on of the company that is responsible for the private

key is listed in the cer6ﬁcate contents.

(29)

www.globalsign.com

§  Test results based on number of SANs and characters

§  Note: Average number of characters in a domain – 13/14*

*Source: Nominet

§  Cer6ﬁcate size limit is browser dependent

(30)

Cer$ﬁcate Growth

0.0 5.0 10.0 15.0 20.0 25.0 30.0 35.0 1 SAN 17 SAN 33 SAN 49 SAN 65 SAN 81 SAN 97 SAN 11 3 SAN 12 9 SAN 14 5 SAN 16 1 SAN 17 7 SAN 19 3 SAN 20 9 SAN 22 5 SAN 24 1 SAN 25 7 SAN 27 3 SAN 28 9 SAN 30 5 SAN 32 1 SAN 33 7 SAN 35 3 SAN 36 9 SAN 38 5 SAN 40 1 SAN 41 7 SAN 43 3 SAN 44 9 SAN 46 5 SAN 48 1 SAN 49 7 SAN 51 3 SAN 52 9 SAN 54 5 SAN 56 1 SAN 57 7 SAN 59 3 SAN 60 9 SAN 62 5 SAN 64 1 SAN 65 7 SAN 67 3 SAN 68 9 SAN 70 5 SAN 72 1 SAN 73 7 SAN 75 3 SAN 76 9 SAN 78 5 SAN 80 1 SAN 81 7 SAN 83 3 SAN 84 9 SAN 86 5 SAN 88 1 SAN 89 7 SAN 91 3 SAN 92 9 SAN 94 5 SAN 96 1 SAN 97 7 SAN 99 3 SAN

(31)

www.globalsign.com

§  Google Chrome, Mozilla Firefox & Opera have a limit of

174K.

(32)

§  Internet Explorer on Windows XP SP3 till Windows 7 has

a certificate size limit of 44k.

§  Windows XP without any service packs is limited to 22k.

§  An average OCSP stapling response is about 1k

§  Other TLS overhead is about 0.5k

(33)

www.globalsign.com

Performance of mul$-‐domain cer$ﬁcates

§  750 names:

716 ms

§  450 names:

518 ms

§  1 name:

198 ms

(34)

Every

100ms

delay

(35)

www.globalsign.com

§  No support for OV, EV

§  One cer6ﬁcate shared by

many websites

§  Many hostnames are visible

in the cer6ﬁcate

§  Visitor needs to download a

bigger cer6ﬁcate (slower)

(36)

What if we could use the

best of both solu$ons?

92% SNI

(37)

www.globalsign.com

SNI combined with CloudSSL

User requests website

(38)

(39)

www.globalsign.com

(40)

(41)

www.globalsign.com

§  No additional costs

§  Sites can use all types of certificates (including EV)

§  One SSL Certificate installed via the regular way, a

second SSL Certificate (one per IP) can be updated automatically.

(42)

(43)

www.globalsign.com

How does it work?

1 2 3

(44)

(45)

www.globalsign.com

(46)

(47)

www.globalsign.com

(48)

(49)

www.globalsign.com

(50)

(51)

www.globalsign.com

Thank you

Paul van Brouwershaven

[email protected]

A tutorial on how you can host mul$ple SSL Cer$ficates on a single IP address without losing any backward compa6bility

mul$ple SSL Cer$ﬁcates on a

single IP

Business Development Director

Mul$ple

SSL Cer$ﬁcates on

More demands and requirements for SSL

Why do I need a

Request on a non-­‐secure connec$on

Request on a secure connec$on

Server Name Indica$on (SNI)

Request on a secure connec$on

Opera$ng System Usage -­‐

Win XP – per con$nent

Internet Explorer market share – Per con$nent

25% of 21% = 5.3%

+ mobile traffic

=

Or 8% of your world wide visitors?

8%

of World Wide internet users

do not support

Server Name

What are the alterna$ve

solu$ons?

Cer$ﬁcate Growth

Performance of mul$-­‐domain cer$ﬁcates

716 ms

518 ms

198 ms

Every

100ms

delay

What if we could use the

best of both solu$ons?

92% SNI

SNI combined with CloudSSL

How does it work?

Thank you

Request on a non-‐secure connec$on

Opera$ng System Usage -‐

Performance of mul$-‐domain cer$ﬁcates