Multiple SSL certificates on a single IP address
TRANSCRIPT
© GlobalSign. A GMO Internet Inc group company.
Authentication. Security. Trust.
IPv4 Shortage: Multiple SSL Certificates on a single IP address
Paul van Brouwershaven Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
www.globalsign.com Authentication. Security. Trust.
INTERNATIONAL FOOTPRINT Customers spanning all industries
GlobalSign Solutions | Visible Trust in an online world
Server, Database & Network Security
SSL Certificates Managed SSL
Developer Solutions Code Signing
Embedded SSL
Secure Email Digital IDs for Individuals Digital IDs for Departments Managed Digital IDs
eDocument /File Security & Compliance Adobe CDS for PDF Microsoft Office Encrypting File System (EFS)
Automated SSL for Web Hosts
SSL Reseller Program OneClickSSL
PKI & Root Signing Trusted Root for CAs
Innovation | We keep improving!
More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament: Security of processing
Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Each SSL Certificate needs its own IP
We are running out of IPv4 addresses
How much time is left?
CA IPv6 Revocation Compatibility
Can we use IPv6?
As long as you select a CA who provides revocation checks (CRL, OCSP) over IPv6. But it won't solve your IPv4 problem!
Why should my CA do revocation over IPv6?
Why do I need a dedicated IP address?
Request on a non-secure connection
Client
• HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• HTTP Reply: Here is the content you requested.
Request on a secure connection
Client
• (TLS Handshake) Hello, I support XYZ Encryption.
Server
• (TLS Handshake) Hi there, here is my public certificate, let's use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Server Name Indication (SNI)
Client
• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.globalsign.com'.
Server
• (TLS Handshake) Hi there, here is my public certificate for www.globalsign.com, and let's use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
The SSL/TLS handshake
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Operating System Usage - Win XP: 24%
Internet Explorer has 30% market share
30% of 24% = 7.2% of internet users (Internet Explorer on Windows XP) do not support Server Name Indication (SNI)
Do you want to lose 10% of your visitors?
Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
  − Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.
• Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number
What are the alternative solutions?
CloudSSL: One certificate, multiple domains
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.
The disadvantages of CloudSSL
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds?
90% SNI / 10% CloudSSL
SNI combined with CloudSSL
User requests website
Secure website delivered
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• Fully automated provisioning of the legacy CloudSSL Certificate
• No email verification needed
• All domain control checks performed automatically by the program.
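How a server on one IP address can pick between the two certificates, as an added example that is not part of the original slides or GlobalSign's code: it reads the server_name extension from the ClientHello and falls back to the shared multi-domain certificate when the client sent none. The hostnames, certificate labels and function names are assumptions, and the ClientHello bytes are constructed samples.

```python
import struct

def build_client_hello(hostname=None):
    """Build a constructed sample ClientHello record (not a captured packet)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"        # version, random, empty session_id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"       # one cipher suite, null compression
    if hostname is not None:                        # pre-SNI clients send no extension
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry             # server_name_list
        ext = struct.pack("!HH", 0, len(sni)) + sni             # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # msg_type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the hostname from a ClientHello, or None when no SNI was sent."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello")
    try:
        p = 43                                      # skip headers, version, random
        p += 1 + record[p]                          # session_id
        p += 2 + struct.unpack_from("!H", record, p)[0]   # cipher_suites
        p += 1 + record[p]                          # compression_methods
        if p == len(record):
            return None                             # no extensions block at all
        end = p + 2 + struct.unpack_from("!H", record, p)[0]
        p += 2
        while p < end:
            ext_type, ext_len = struct.unpack_from("!HH", record, p)
            if ext_type == 0:
                name_len = struct.unpack_from("!H", record, p + 7)[0]
                name = record[p + 9:p + 9 + name_len]
                if len(name) != name_len:
                    raise ValueError("truncated server_name")
                return name.decode("ascii").lower()
            p += 4 + ext_len
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello") from None
    return None

# Hypothetical certificate labels; a real server would hold key/cert pairs here.
SITE_CERTS = {"www.example.com": "dedicated certificate for www.example.com"}
SHARED_CERT = "shared multi-domain certificate"

def select_certificate(record):
    """Per-site certificate when SNI names a hosted site, else the shared one."""
    return SITE_CERTS.get(extract_sni(record), SHARED_CERT)
```

Sending unknown hostnames to the shared certificate is a choice made for this example; a server could equally reject such handshakes.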
Completely Automated Process
Thank you
Paul van Brouwershaven [email protected]