Authentication. Security. Trust. www.globalsign.com

A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility

Paul van Brouwershaven
Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
© GlobalSign. A GMO Internet Inc group company.

Paul van Brouwershaven (Netherlands)
• Business Development Director for GlobalSign
• Previously CTO of a European hosting company
• Over 10 years of experience in the hosting industry
• Expert in digital certificate solutions
• Dedicated to increasing awareness of the requirements for online security
• Thinking out of the box, detecting problems and providing solutions

Multiple SSL Certificates on a single IP address

More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament, Security of processing:
"Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."

Each SSL Certificate needs its own IP

Why do I need a dedicated IP address?
Request on a non-secure connection
• (Client) HTTP Request: Can you please send me /contact.html on www.domain.com
• (Server) HTTP Reply: Here is the content you requested.

Host: www.domain.com

Request on a secure connection
• (TLS Handshake, Client) Hello, I support XYZ Encryption.
• (TLS Handshake, Server) Hi there, here is my public certificate, let's use this encryption algorithm.
• (TLS Handshake, Client) Sounds good to me.
• (Encrypted, Client) HTTP Request: Can you please send me /contact.html on www.domain.com
• (Encrypted, Server) HTTP Reply: Here is the content you requested.

Server Name Indication (SNI)
• (TLS Handshake, Client) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
• (TLS Handshake, Server) Hi there, here is my public Certificate for www.domain.com, and let's use this encryption algorithm.
• (TLS Handshake, Client) Sounds good to me.
• (Encrypted, Client) HTTP Request: Can you please send me /contact.html on www.domain.com
• (Encrypted, Server) HTTP Reply: Here is the content you requested.

Request on a secure connection
[Diagram: a request for www.google.com to 74.125.136.103:443, an IP address shared by www.google.co.uk, www.google.gr, www.google.com, www.google.fr and www.google.de; numbered steps 1 to 5]

Testing SNI with OpenSSL

The SSL/TLS handshake

Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5

Windows XP with SNI
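The SNI exchange above, as an added illustration that is not part of the original deck: the server has to choose its certificate from the ClientHello alone, before any HTTP Host header exists, and a client that sends no server_name extension (such as Internet Explorer on Windows XP from the list above) can only ever receive the single certificate bound to the IP address. The constructed ClientHello bytes, the helper names and the certificate labels are assumptions made for this example.

```python
from typing import Optional

def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello, with a server_name extension (RFC 6066) only when sni is given."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random (zeros), empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one cipher suite, null compression only
    if sni is not None:
        host = sni.encode("ascii")
        entry = b"\x00" + len(host).to_bytes(2, "big") + host      # name_type 0 = host_name
        name_list = len(entry).to_bytes(2, "big") + entry          # ServerNameList
        ext = b"\x00\x00" + len(name_list).to_bytes(2, "big") + name_list  # type 0 = server_name
        body += len(ext).to_bytes(2, "big") + ext                  # extensions block
    return b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 + 24-bit length

def parse_sni(client_hello: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's server_name extension, or None when the
    client (for example IE on Windows XP) sent no SNI at all."""
    if len(client_hello) < 4 or client_hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body = client_hello[4:4 + int.from_bytes(client_hello[1:4], "big")]
    pos = 2 + 32                                                   # skip version and random
    pos += 1 + body[pos]                                           # skip session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")            # skip cipher_suites
    pos += 1 + body[pos]                                           # skip compression_methods
    if pos >= len(body):
        return None                                                # no extensions block at all
    end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(body[pos:pos + 2], "big")
        ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:
            continue
        lpos = 2                                                   # skip ServerNameList length
        while lpos + 3 <= len(data):
            name_type = data[lpos]
            name_len = int.from_bytes(data[lpos + 1:lpos + 3], "big")
            if name_type == 0:
                return data[lpos + 3:lpos + 3 + name_len].decode("ascii")
            lpos += 3 + name_len
    return None

def select_certificate(client_hello: bytes, certs_by_host: dict, ip_default_cert: str) -> str:
    """Server-side choice from the ClientHello alone: SNI host match, else the IP's one default certificate."""
    host = parse_sni(client_hello)
    if host is not None and host.lower() in certs_by_host:
        return certs_by_host[host.lower()]
    return ip_default_cert
```

Whatever is handed back as `ip_default_cert` is what every non-SNI visitor sees for every site on that address, which is why the choice of that fallback certificate matters.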
Operating System Usage - Win XP: per continent
[Chart: WinXP usage (July 2013), vertical axis 0 to 40, by region: Africa, Asia, Europe, North America, Oceania, South America]
Worldwide Operating System Usage - Win XP: 21%

Internet Explorer market share: per continent
[Chart: IE market share (July 2013), vertical axis 0% to 35%, by region: Africa, Asia, Europe, North America, Oceania, South America]
Worldwide Internet Explorer market share: 25%

Or 8% of your worldwide visitors?
25% of 21% = 5.3% Internet Explorer on Windows XP
+ mobile traffic
= 8% of worldwide internet users do not support Server Name Indication (SNI)

Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
  − Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.
• Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number

What are the alternative solutions?

A multi-domain SSL Certificate
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.

Multi-domain certificates
Control of the Private Key
• A multi-domain certificate usually runs on a shared hosting server or reverse proxy DN
• Domain control is validated for each SAN
• SSL Certificate accessible by server or network administrator with root permissions
• Information of the company that is responsible for the private key is listed in the certificate contents.

Certificate Size
Test results based on number of SANs and characters
Note: average number of characters in a domain: 13/14* (*Source: Nominet)
Certificate size limit is browser dependent
[Chart: Certificate Growth, vertical axis 0.0 to 35.0, horizontal axis 1 to 993 SANs in steps of 16, one series per domain length from 1 to 20 characters]

Maximum Certificate Size
• Google Chrome, Mozilla Firefox & Opera have a limit of 174K.
• Internet Explorer on Windows XP SP3 till Windows 7 has a certificate size limit of 44k.
• Windows XP without any service packs is limited to 22k.
• An average OCSP stapling response is about 1k
• Other TLS overhead is about 0.5k

Performance of multi-domain certificates
• 750 names: 716 ms
• 450 names: 518 ms
• 1 name: 198 ms
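A size check against the limits on the "Maximum Certificate Size" slide, added here as an illustration rather than taken from the deck: the DER size of the subjectAltName extension is computed exactly from the SAN list, added to an assumed `base_cert_bytes` (the DER size of the same certificate with no SANs, which you would read from your own certificate file) and to the deck's 1k OCSP and 0.5k TLS overhead figures, and compared with each client limit. Reading "k" as 1024 bytes and applying the limits to certificate plus handshake overhead are assumptions of this example.

```python
def der_length_field(n: int) -> int:
    """Bytes taken by a DER length field for content length n (short form below 128, else long form)."""
    return 1 if n < 128 else 1 + (n.bit_length() + 7) // 8

def san_extension_size(names) -> int:
    """Exact DER size of an X.509 subjectAltName extension holding one dNSName (ASCII) per entry:
    Extension = SEQUENCE { OID 2.5.29.17 (5 bytes), OCTET STRING { SEQUENCE OF GeneralName } }."""
    general_names = sum(1 + der_length_field(len(n)) + len(n) for n in names)  # [2] IA5String each
    seq = 1 + der_length_field(general_names) + general_names
    octet = 1 + der_length_field(seq) + seq
    return 1 + der_length_field(5 + octet) + 5 + octet

# Limits quoted in the deck; reading 'k' as 1024 bytes is an assumption of this example.
CLIENT_LIMITS = {
    "Chrome/Firefox/Opera": 174 * 1024,
    "IE, Windows XP SP3 to Windows 7": 44 * 1024,
    "IE, Windows XP without service pack": 22 * 1024,
}
HANDSHAKE_OVERHEAD = 1024 + 512   # ~1k OCSP stapling response + ~0.5k other TLS overhead (deck figures)

def estimated_handshake_bytes(base_cert_bytes: int, names) -> int:
    """base_cert_bytes is assumed to be the DER size of the same certificate with an empty SAN list."""
    return base_cert_bytes + san_extension_size(names) + HANDSHAKE_OVERHEAD

def client_compatibility(base_cert_bytes: int, names) -> dict:
    """Which of the listed clients can still load the certificate, by the deck's limits."""
    total = estimated_handshake_bytes(base_cert_bytes, names)
    return {client: total <= limit for client, limit in CLIENT_LIMITS.items()}

if __name__ == "__main__":
    # Constructed input: 993 hostnames of 20 characters, the largest point on the growth chart
    sans = ["h%03d.example-host.net" % i for i in range(993)]   # each name is 20 characters
    print("SAN extension:", san_extension_size(sans), "bytes")
    for client, ok in client_compatibility(1200, sans).items():  # 1200: assumed no-SAN base size
        print(f"{client}: {'fits' if ok else 'too large'}")
```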
Every 100ms delay costs 1% of sales

The disadvantages of multi-domain certs
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)

What if we could use the best of both solutions?
92% SNI / 8% CloudSSL

SNI combined with CloudSSL
User requests website; secure website delivered

With SNI support

Windows XP (has no SNI support)

How Google Implemented this

Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• One SSL Certificate installed via the regular way, a second SSL Certificate (one per IP) can be updated automatically.

Environment and Platform independent

How does it work?
[Diagram: steps 1 to 4]

Let's create a few sites in DirectAdmin

Completely Automated Process

Automated domain control validation

User Agent Redirect

Same site, Different content

Using meta-tag authentication

Thank you
Paul van Brouwershaven
paul.vanbrouwershaven@globalsign.com
@vanbroup