IPv4 Shortage: Multiple SSL Certificates on a single IP address

Authentication. Security. Trust.
A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility
Paul van Brouwershaven
Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
© GlobalSign. A GMO Internet Inc group company.
Paul van Brouwershaven
www.globalsign.com
Netherlands
Business Development Director
• Business Development Director for GlobalSign
• Previously CTO of a European hosting company
• Over 10 years of experience in the hosting industry
• Expert in digital certificate solutions
• Dedicated to increasing awareness of the requirements for online security
• Thinking out of the box, detecting problems and providing solutions
Multiple SSL Certificates on a single IP address
More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament: Security of processing
Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Each SSL Certificate needs its own IP
Why do I need a dedicated IP address?
Request on a non-secure connection
Client • HTTP Request: Can you please send me /contact.html on www.domain.com
Server • HTTP Reply: Here is the content you requested.
Host: www.domain.com
Request on a secure connection
Client • (TLS Handshake) Hello, I support XYZ Encryption.
Server • (TLS Handshake) Hi there, here is my public certificate, let's use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
Server Name Indication (SNI)
Client • (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
Server • (TLS Handshake) Hi there, here is my public Certificate for www.domain.com, and let's use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
Request on a secure connection (diagram, steps 1 to 5): the client asks for www.google.com; the single address 74.125.136.103 : 443 serves www.google.co.uk, www.google.gr, www.google.com, www.google.fr and www.google.de.
Testing SNI with OpenSSL
The SSL/TLS handshake
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Windows XP with SNI
Operating System Usage - Win XP – per continent (bar chart: WinXP usage, July 2013, 0 to 40 per cent, for Africa, Asia, Europe, North America, Oceania and South America)
Worldwide Operating System Usage - Win XP: 21%
Internet Explorer market share – per continent (bar chart: IE market share, July 2013, 0% to 35%, for Africa, Asia, Europe, North America, Oceania and South America)
Worldwide Internet Explorer market share – 25%
Or 8% of your world wide visitors?
Internet Explorer share × Windows XP share: 25% of 21% = 5.3%
+ mobile traffic
= 8% of World Wide internet users do not support Server Name Indication (SNI)
Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
− Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.
• Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number
What are the alternative solutions?
A multi-domain SSL Certificate
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.
Multi-domain certificates
Control of the Private Key
• A multi-domain certificate usually runs on a shared hosting server or reverse proxy DN
• Domain control is validated for each SAN
• SSL Certificate accessible by server or network administrator with root permissions
• Information of the company that is responsible for the private key is listed in the certificate contents.
Certificate Size
• Test results based on number of SANs and characters
• Note: Average number of characters in a domain – 13/14* (*Source: Nominet)
• Certificate size limit is browser dependent
Certificate Growth (chart): certificate size, 0.0 to 35.0 on the vertical axis, plotted against the number of SANs from 1 to 993, with one line per domain name length from 1 to 20 characters.
Maximum Certificate Size
• Google Chrome, Mozilla Firefox & Opera have a limit of 174K.
Maximum Certificate Size
• Internet Explorer on Windows XP SP3 till Windows 7 has a certificate size limit of 44k.
• Windows XP without any service packs is limited to 22k.
• An average OCSP stapling response is about 1k.
• Other TLS overhead is about 0.5k.
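To make the "Certificate Growth" measurements and the size limits above concrete, here is an added example (not code from the deck or from GlobalSign) that DER-encodes a SubjectAltName value for N dNSName entries by hand, parses it back, and checks a certificate length plus the quoted OCSP and TLS overhead against each client limit. The hostnames are constructed, "k" is taken as 1024 bytes, and the SAN extension is only one part of a real certificate, so the numbers are a lower bound.

```python
# Added example (not from the slides): hand-encode an X.509 SubjectAltName value in
# DER for N dNSName entries, measure it, and check a certificate size against the
# per-client limits quoted in the deck (1k taken as 1024 bytes).

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (byte count + bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_length(len(value)) + value

def san_extension(names) -> bytes:
    """GeneralNames ::= SEQUENCE OF GeneralName; dNSName is [2] IMPLICIT IA5String (tag 0x82)."""
    return der_tlv(0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in names))

def read_length(buf: bytes, pos: int):
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_san(der: bytes):
    """Inverse of san_extension: list the dNSName entries (other GeneralName types are skipped)."""
    if der[0] != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    total, pos = read_length(der, 1)
    end, names = pos + total, []
    while pos < end:
        tag = der[pos]
        length, pos = read_length(der, pos + 1)
        if tag == 0x82:
            names.append(der[pos:pos + length].decode("ascii"))
        pos += length
    return names

# Limits from the slides: Chrome/Firefox/Opera 174K, IE on XP SP3..Win7 44k, XP without SP 22k.
LIMITS = {"chrome_firefox_opera": 174 * 1024, "ie_xp_sp3_to_win7": 44 * 1024, "xp_no_sp": 22 * 1024}
OCSP_STAPLE = 1024    # average stapled OCSP response, about 1k per the deck
TLS_OVERHEAD = 512    # other TLS overhead, about 0.5k per the deck

def fits(cert_der_len: int, client: str) -> bool:
    """True when certificate + OCSP staple + TLS overhead stays within the client's limit."""
    return cert_der_len + OCSP_STAPLE + TLS_OVERHEAD <= LIMITS[client]

if __name__ == "__main__":
    # constructed sample: 1000 hostnames of 16 characters (the deck's 13/14-char average plus a label)
    ext = san_extension([f"host{i:04d}.example" for i in range(1000)])
    print(len(ext), "bytes of SAN alone;", {c: fits(len(ext), c) for c in LIMITS})
```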
Performance of multi-domain certificates
• 750 names: 716 ms
• 450 names: 518 ms
• 1 name: 198 ms
Every 100ms delay costs 1% of sales
The disadvantages of multi-domain certs
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)
What if we could use the best of both solutions?
92% SNI / 8% CloudSSL
SNI combined with CloudSSL (diagram: user requests website, secure website delivered)
With SNI support
Windows XP (has no SNI support)
How Google Implemented this
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• One SSL Certificate installed via the regular way, a second SSL Certificate (one per IP) can be updated automatically.
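The SNI handshake from the "Server Name Indication (SNI)" slide and the two-certificate selection described here, as an added example that is not code from the deck or from GlobalSign: it builds a minimal TLS 1.2 ClientHello with or without the server_name extension, reads the SNI back out of the raw bytes the way a server does, and picks the per-site certificate when SNI names a hosted site, otherwise the shared per-IP certificate. The cipher suite, the zeroed random and the certificate labels are constructed placeholders.

```python
# Added example (not from the slides): ClientHello with/without SNI, server-side SNI
# extraction, and per-site vs shared per-IP certificate selection.
# Live equivalent for a real server: openssl s_client -connect host:443 -servername host
import struct

def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello record; random is zeroed for reproducibility."""
    body = b"\x03\x03" + bytes(32) + b"\x00"           # version, random, empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one suite: ECDHE-RSA-AES128-GCM-SHA256
    body += b"\x01\x00"                                 # null compression only
    exts = b""
    if server_name is not None:                         # SNI: extension type 0, host_name(0) entry
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return host_name from the SNI extension, or None (e.g. IE on Windows XP sends none)."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 5 + 4 + 2 + 32                                # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                              # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                              # compression_methods
    if pos + 2 > len(record):
        return None                                     # no extensions block at all
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 0:
            p = pos + 2
            list_end = p + struct.unpack("!H", record[pos:pos + 2])[0]
            while p + 3 <= list_end:
                ntype, nlen = record[p], struct.unpack("!H", record[p + 1:p + 3])[0]
                if ntype == 0:
                    return record[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None

def select_certificate(record: bytes, per_site: dict, shared):
    """Per-site certificate when SNI names a hosted site; otherwise the shared per-IP certificate."""
    return per_site.get(extract_sni(record), shared)
```

A client that omits SNI is not refused; it simply receives the shared multi-domain certificate, which is why that certificate must list every site on the IP.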
Environment and Platform independent
How does it work? (diagram with steps 1 to 4)
Let's create a few sites in DirectAdmin
Completely Automated Process
Automated domain control validation
User Agent Redirect
Same site, Different content
Using meta-tag authentication
Thank you
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com
@vanbroup