Page 1
© GlobalSign. A GMO Internet Inc group company.
Authentication. Security. Trust.
A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility
Paul van Brouwershaven, Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
Page 2
www.globalsign.com Authentication. Security. Trust.
Paul van Brouwershaven
Page 3
Netherlands
Page 4
Business Development Director
Business Development Director for GlobalSign
Previously CTO of a European hosting company
Over 10 years of experience in the hosting industry
Expert in digital certificate solutions
Dedicated to increasing awareness of the requirements for online security
Thinking out of the box, detecting problems and providing solutions
Page 5
Multiple SSL Certificates on a single IP address
Page 6
More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament: Security of processing
Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Page 7
Each SSL Certificate needs its own IP
Page 8
Why do I need a dedicated IP address?
Page 9
Request on a non-secure connection
Client
• HTTP Request: Can you please send me /contact.html on www.domain.com
Server
• HTTP Reply: Here is the content you requested.
Page 10
Host: www.domain.com
DEMO
Page 11
Request on a secure connection
Client
• (TLS Handshake) Hello, I support XYZ Encryption.
Server
• (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Page 12
Server Name Indication (SNI)
Client
• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
Server
• (TLS Handshake) Hi there, here is my public Certificate for www.domain.com, and let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Page 13
Request on a secure connection
[Diagram: the client connects to 74.125.136.103:443 for www.google.com; the certificate the server presents lists www.google.co.uk, www.google.gr, www.google.com, www.google.fr and www.google.de; steps numbered 1 to 5]
Page 14
Testing SNI with OpenSSL
DEMO
Page 15
The SSL/TLS handshake
DEMO
Page 16
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Page 17
Windows XP with SNI
DEMO
Page 18
Operating System Usage - Win XP – per continent
[Chart: WinXP usage (July 2013) per continent: Africa, Asia, Europe, North America, Oceania, South America; y-axis 0 to 40]
Page 19
Worldwide Operating System Usage - Win XP: 21%
Page 20
Internet Explorer market share – Per continent
[Chart: IE market share (July 2013) per continent: Africa, Asia, Europe, North America, Oceania, South America; y-axis 0% to 35%]
Page 21
Worldwide Internet Explorer market share – 25%
Page 22
25% of 21% = 5.3% Internet Explorer on Windows XP
+ mobile traffic
= 8% of your worldwide visitors?
8% of worldwide internet users do not support Server Name Indication (SNI)
Page 23
Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
− Users can decide to provide an insecure connection and a warning to visitors with an outdated system.
• Calculate an additional fee for users that want full compatibility and thus a dedicated IP address
Page 24
Should I use/offer SNI for SSL sites?
Page 25
What are the alternative solutions?
Page 26
A multi-domain SSL Certificate
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.
Page 27
Multi-domain certificates
DEMO
Page 28
Control of the Private Key
• A multi-domain certificate usually runs on a shared hosting server, reverse proxy or CDN.
• Domain control is validated for each SAN.
• The SSL Certificate is accessible by the server or network administrator with root permissions.
• Information about the company that is responsible for the private key is listed in the certificate contents.
Page 29
Certificate Size
Test results based on number of SANs and characters.
Note: the average number of characters in a domain is 13/14 (source: Nominet).
Certificate size limit is browser dependent.
Page 30
Certificate Growth
[Chart: certificate size growth; x-axis 1 SAN to 953 SAN in steps of 56; y-axis 0.0 to 35.0; one series per name length from 1 Char to 20 Char]
Page 31
Maximum Certificate Size
Google Chrome, Mozilla Firefox & Opera have a limit of 174K.
DEMO
Page 32
Maximum Certificate Size
• Internet Explorer on Windows XP SP3 through Windows 7 has a certificate size limit of 44k.
• Windows XP without any service packs is limited to 22k.
• An average OCSP stapling response is about 1k.
• Other TLS overhead is about 0.5k.
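The certificate-growth chart and the client limits above, worked through as an added example (not GlobalSign's code or test data): it DER-encodes a subjectAltName extension for a given number of dNSName entries of a given length, adds an assumed 1500-byte base for the rest of the certificate, reserves the deck's ~1k OCSP staple plus ~0.5k TLS overhead, and reports which of the quoted limits still fit or how many SANs a given client can take. Reading "k" as 1024 bytes and treating the limits as a budget shared with the OCSP and TLS overhead are assumptions; the hostnames are constructed.

```python
# Estimated certificate size versus the browser limits quoted in the deck (added example, not GlobalSign code).
BASE_CERT_BYTES = 1500          # assumption: issuer, validity, subject, key and signature without the SAN extension
HANDSHAKE_RESERVE = 1024 + 512  # the deck's ~1k OCSP stapling response plus ~0.5k other TLS overhead
LIMITS = {                      # "k" read as 1024 bytes (assumption)
    "IE on Windows XP without service packs": 22 * 1024,
    "IE on Windows XP SP3 through Windows 7": 44 * 1024,
    "Chrome, Firefox and Opera": 174 * 1024,
}

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise 0x80|count followed by big-endian length bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content

def san_extension(names) -> bytes:
    """DER of the subjectAltName extension: SEQUENCE { OID 2.5.29.17, OCTET STRING { SEQUENCE OF dNSName } }."""
    general_names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in names)  # dNSName is [2] IMPLICIT IA5String
    san_value = der_tlv(0x30, general_names)
    return der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x1D, 0x11])) + der_tlv(0x04, san_value))

def constructed_names(count: int, name_len: int):
    """Constructed hostnames of a fixed length; only the byte length matters for the size estimate."""
    return [f"{i:0{name_len}d}" for i in range(count)]

def certificate_size(count: int, name_len: int, base: int = BASE_CERT_BYTES) -> int:
    return base + len(san_extension(constructed_names(count, name_len)))

def fits(total_bytes: int) -> dict:
    """Which of the deck's client limits still leave room for this certificate plus OCSP and TLS overhead."""
    return {client: total_bytes + HANDSHAKE_RESERVE <= limit for client, limit in LIMITS.items()}

def max_sans(name_len: int, limit: int, base: int = BASE_CERT_BYTES) -> int:
    """Largest SAN count whose estimated certificate still fits under `limit` (binary search; size is monotonic)."""
    lo, hi = 0, 20_000
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if certificate_size(mid, name_len, base) + HANDSHAKE_RESERVE <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo
```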
Page 33
Performance of multi-domain certificates
750 names: 716 ms
450 names: 518 ms
1 name: 198 ms
Page 34
Every 100 ms delay costs 1% of sales
Page 35
The disadvantages of multi-domain certs
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)
Page 36
What if we could use the best of both solutions?
92% SNI / 8% CloudSSL
Page 37
SNI combined with CloudSSL
User requests website
Secure website delivered
Page 38
With SNI support
DEMO
Page 39
Windows XP (has no SNI support)
DEMO
Page 40
How Google Implemented this
DEMO
Page 41
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• One SSL Certificate is installed the regular way; a second SSL Certificate (one per IP) can be updated automatically.
Page 42
Environment and Platform independent
Page 43
How does it work?
Page 44
Let's create a few sites in DirectAdmin
DEMO
Page 45
Completely Automated Process
DEMO
Page 46
Automated domain control validation
Page 47
User Agent Redirect
Page 48
Same site, Different content
Page 49
Using meta-tag authentication
Page 50
Using meta-tag authentication
Page 51
Thank you
Paul van Brouwershaven, [email protected]
@vanbroup