GlobalSign. A GMO Internet Inc group company. IPv4 Shortage Multiple SSL Certificates on a single IP address Paul van Brouwershaven EMEA Business Development Director
GLOBALSIGN SOLUTIONS Visible Trust in an online world
Server, Database & Network Security: SSL Certificates, Managed SSL, Automated SSL for Web Hosts, SSL Reseller Program, OneClickSSL; Developer Solutions: Code Signing, Embedded SSL; Secure Email: Digital IDs for Individuals, Digital IDs for Departments, Managed Digital IDs; eDocument/File Security & Compliance: Adobe CDS for PDF, Microsoft Office, Encrypting File System (EFS); PKI & Root Signing: Trusted Root for CAs
More demands and requirements for SSL
Innovation We keep improving!
Each SSL Certificate needs its own IP
We are running out of IPv4 addresses
How much time is left?
CA IPv6 Revocation Compatibility
Can we use IPv6? Yes, as long as you select a CA that provides revocation checks (CRL, OCSP) over IPv6. But it won't solve your IPv4 problem!
Why should my CA do revocation over IPv6?
Why do I need a dedicated IP address?
Request on a non-secure connection
Client: HTTP Request: Can you please send me /contact.html on
Server: HTTP Reply: Here is the content you requested.
Request on a secure connection
Client (TLS Handshake): Hello, I support XYZ Encryption.
Server (TLS Handshake): Hi there, here is my public certificate, let's use this encryption algorithm.
Client (TLS Handshake): Sounds good to me.
Client (Encrypted): HTTP Request: Can you please send me /contact.html on
Server (Encrypted): HTTP Reply: Here is the content you requested.
Server Name Indication (SNI)
Client (TLS Handshake): Hello, I support XYZ Encryption, and I am trying to connect to '.
Server (TLS Handshake): Hi there, here is my public Certificate for, and let's use this encryption algorithm.
Client (TLS Handshake): Sounds good to me.
Client (Encrypted): HTTP Request: Can you please send me /contact.html on
Server (Encrypted): HTTP Reply: Here is the content you requested.
The SSL/TLS handshake
Applications with no SNI support: all versions of Internet Explorer on Windows XP; Android 2.x default browser (other browsers like Opera do support SNI on Android); BlackBerry Browser; Windows Mobile up to 6.5
Operating System Usage - Win XP: 21%
Internet Explorer has 30% market share
Do you want to lose 10% of your visitors? 30% of 21% = 6.3% (Internet Explorer on Windows XP) + mobile traffic = 10% of internet users do not support Server Name Indication (SNI)
Should I use/offer SNI for SSL sites? There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users. Provide SNI support for free with an SSL Certificate. Users can decide to provide an unsecured connection and a warning to visitors with an outdated system. Charge an additional fee for users who want full compatibility and thus a dedicated IP address.
What are the alternative solutions?
CloudSSL: One certificate, multiple domains. One SSL Certificate for multiple domain names from different organisations. The certificate contains the hosting company's details. Domain control is verified for each domain.
The disadvantages of CloudSSL: no support for OV, EV; one certificate shared by many websites; many hostnames are visible in the certificate; visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds? 90% SNI / 10% CloudSSL
SNI combined with CloudSSL: user requests website, secure website delivered
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site! No additional costs; sites can use all types of certificates (including EV); fully automated provisioning of the legacy CloudSSL Certificate; no email verification needed; all domain control checks performed automatically by the program.
How does it work? [Diagram: steps 1 to 4]
Completely Automated Process
Thank you Paul van Brouwershaven paul.vanbrouwershaven@globalsign.com