GlobalSign (a GMO Internet Inc group company)
Managing IPv4 scarcity when using SSL Certificates: Multiple SSL Certificates on a single IP address
Paul van Brouwershaven, Business Development Director EMEA, GlobalSign (@vanbroup on Twitter)
Paul van Brouwershaven (Netherlands)
Business Development Director for GlobalSign
Previously CTO of a European hosting company; over 10 years of experience in the hosting industry
Expert in digital certificate solutions; dedicated to increasing awareness of the requirements for online security
Thinking out of the box, detecting problems and providing solutions
Multiple SSL Certificates on a single IP address
More demands and requirements for SSL
The traditional rule: without SNI, each SSL Certificate needs its own IP address
Why do I need a dedicated IP address?
Request on a non-secure connection
  Client -> Server (HTTP request): Can you please send me /contact.html on www.domain.com (Host: www.domain.com)
  Server -> Client (HTTP reply): Here is the content you requested.
The Host header is readable by the server before it answers, so one IP address can serve many plain-HTTP sites.
Request on a secure connection (without SNI)
  Client (TLS handshake): Hello, I support XYZ encryption.
  Server (TLS handshake): Hi there, here is my public certificate, let's use this encryption algorithm.
  Client (TLS handshake): Sounds good to me.
  Client (encrypted): HTTP request: Can you please send me /contact.html on www.domain.com
  Server (encrypted): HTTP reply: Here is the content you requested.
The server has to send its certificate before the Host header arrives, and the Host header is encrypted, so without SNI it can only present one certificate per IP address and port.
Server Name Indication (SNI)
  Client (TLS handshake): Hello, I support XYZ encryption, and I am trying to connect to www.domain.com.
  Server (TLS handshake): Hi there, here is my public certificate for www.domain.com, let's use this encryption algorithm.
  Client (TLS handshake): Sounds good to me.
  Client (encrypted): HTTP request: Can you please send me /contact.html on www.domain.com
  Server (encrypted): HTTP reply: Here is the content you requested.
The host name travels in the clear inside the ClientHello (the server_name extension of RFC 6066), so the server can choose the matching certificate before it replies.
The SSL/TLS handshake
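The two handshakes above differ only in whether the ClientHello carries a server_name extension. The block below is an added example (not from the slides or from GlobalSign) that builds a minimal TLS 1.2 ClientHello with and without that extension, parses the host name back out of the raw bytes, and applies the selection rule a server on a shared IP address is forced into: with SNI it can serve the certificate installed for that name, without SNI it can only send the default certificate for the address. The records, cipher suites, host names and certificate file names are constructed for the example.

```python
# Added example (not from the slides): build a TLS ClientHello with and without the
# server_name (SNI) extension from RFC 6066, parse the host name back out, and apply
# the certificate-selection rule a server on a shared IP address has to follow.
# Constructed records only; standard library only.
import struct

TLS_HANDSHAKE = 0x16          # record content type
CLIENT_HELLO = 0x01           # handshake message type
EXT_SERVER_NAME = 0x0000      # extension type for SNI
SNI_HOST_NAME = 0x00          # NameType host_name


def build_client_hello(server_name=None, cipher_suites=(0xC02F, 0x009C, 0x002F)):
    """Minimal TLS 1.2 ClientHello record. With server_name=None it looks like a
    legacy client (IE on Windows XP) that sends no extensions at all."""
    body = b"\x03\x03"                      # client_version = TLS 1.2
    body += bytes(range(32))                # client random (fixed, constructed)
    body += b"\x00"                         # empty session_id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                     # one compression method: null
    if server_name is not None:
        host = server_name.encode("idna")   # host_name is sent as ASCII A-labels
        entry = struct.pack("!BH", SNI_HOST_NAME, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the SNI extension, or None when the
    ClientHello has no SNI. Raises ValueError on malformed input."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated ClientHello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    take(2 + 32)                            # version + random
    take(take(1)[0])                        # session_id
    take(struct.unpack("!H", take(2))[0])   # cipher_suites
    take(take(1)[0])                        # compression_methods
    if pos == len(body):
        return None                         # legacy client: no extensions block
    ext_len = struct.unpack("!H", take(2))[0]
    ext_end = pos + ext_len
    if ext_end != len(body):
        raise ValueError("bad extensions length")
    while pos < ext_end:
        ext_type, this_len = struct.unpack("!HH", take(4))
        data = take(this_len)
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[p:p + 3])
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(record, site_certs, default_cert):
    """Server-side rule on a shared IP: with SNI, the certificate installed for
    that host name; without SNI, the only option is the default certificate
    (e.g. a shared multi-domain certificate) bound to the IP address."""
    name = parse_sni(record)
    if name is None:
        return None, default_cert
    return name, site_certs.get(name.lower(), default_cert)


if __name__ == "__main__":
    certs = {"www.domain.com": "domain-com-ev.pem"}   # constructed file names
    print(select_certificate(build_client_hello("www.domain.com"), certs, "shared.pem"))
    print(select_certificate(build_client_hello(), certs, "shared.pem"))
```

Web servers apply the same rule: nginx, for example, answers a ClientHello without SNI (or with an unknown name) from the `default_server` block for that listen address, so the certificate configured there is what every legacy client sees.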
Applications with no SNI support
  All versions of Internet Explorer on Windows XP
  Android 2.x (Gingerbread and earlier) default browser (other browsers such as Opera do support SNI on Android)
  BlackBerry Browser
  Windows Mobile up to 6.5
Operating system usage: Windows XP by continent (July 2013; bar chart, 0 to 40%, Africa / Asia / Europe / North America / Oceania / South America). Labelled bars: Asia 30.18%, Oceania 9.85%.
Worldwide operating system usage: Windows XP 21%
Internet Explorer market share by continent (July 2013; bar chart, 0 to 35%, same continents). Labelled bars: Asia 25.23%, Oceania 26.08%.
Worldwide Internet Explorer market share: 25%
Do you want to lose 10% of your visitors?
  25% (IE share) x 30% (Windows XP share) = about 7.5% of visitors in Asia on Internet Explorer / Windows XP; add mobile traffic and roughly 10% of internet users in Asia do not support Server Name Indication (SNI)
Or 8% of your worldwide visitors?
  25% x 21% = about 5.3% of worldwide visitors on Internet Explorer / Windows XP; add mobile traffic and roughly 8% of worldwide internet users do not support SNI
(Multiplying the two shares assumes IE usage and Windows XP usage are independent, so treat these as estimates and check your own access logs.)
Should I use/offer SNI for SSL sites?
There is no problem when you need to secure a website or portal that is used by a closed community or business with no Windows XP users.
Options for a hosting provider:
  Provide SNI support for free with an SSL Certificate.
  Let customers decide to serve visitors with an outdated system over an unsecured connection, together with a warning.
  Charge an additional fee for customers who want full compatibility and thus a dedicated IP address.
What are the alternative solutions?
A multi-domain SSL Certificate
One SSL Certificate for multiple domain names from different organisations. The certificate contains the hosting company's details. Domain control is verified for each domain.
Control of the Private Key
  A multi-domain certificate usually runs on a shared hosting server or reverse proxy.
  Domain control is validated for each SAN.
  The SSL Certificate and its private key are accessible to any server or network administrator with root permissions, not to the individual site owners.
  The company responsible for the private key is the one listed in the certificate contents.
Certificate Size
Test results based on number of SANs and characters per name
Note: the average number of characters in a domain is 13/14 (source: Nominet)
The certificate size limit is browser dependent
Certificate Growth [chart: certificate size (y-axis 0 to 35, units not labelled) against number of SANs (1 to 987, in steps of 17), one series per name length from 1 to 20 characters]
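The chart above is measured data; the block below is an added example (not from the slides or from GlobalSign) that shows where the growth comes from by encoding the subjectAltName extension in DER exactly as X.509 carries it, so the per-name cost is a real byte count (one tag byte, one or two length bytes, then the name). It also turns the browser limits quoted on the next slides into a maximum number of names. The base certificate size (everything other than the SANs) and the 1.5 KB of handshake headroom are assumptions stated in the code; the names are constructed labels.

```python
# Added example (not from the slides): the subjectAltName extension of a
# multi-domain certificate, encoded in DER as X.509 carries it, so the per-name
# cost is a real byte count. Standard library only. The base certificate size and
# the handshake headroom used for the browser-limit estimate are assumptions.


def der_length(n):
    """DER length octets: one byte below 128, otherwise 0x80|k then k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    payload = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(payload)]) + payload


def der_tlv(tag, value):
    """Tag-length-value triple."""
    return bytes([tag]) + der_length(len(value)) + value


def san_extension_value(names):
    """GeneralNames ::= SEQUENCE OF GeneralName, where dNSName is
    [2] IMPLICIT IA5String, i.e. context-specific primitive tag 0x82."""
    return der_tlv(0x30, b"".join(der_tlv(0x82, n.encode("ascii")) for n in names))


def san_size(count, name_len):
    """Bytes occupied by a SAN extension holding `count` distinct names of
    `name_len` characters (constructed labels such as 'aaaaaaaaaaaa42')."""
    names = [str(i).rjust(name_len, "a") for i in range(count)]
    return len(san_extension_value(names))


def max_names_under(limit_bytes, name_len, base_cert_bytes=1200, headroom_bytes=1536):
    """Largest SAN count whose certificate plus handshake overhead stays within
    `limit_bytes`. base_cert_bytes is an ASSUMED size for the rest of the
    certificate (issuer, key, signature, other extensions); headroom_bytes is the
    ~1 KB stapled OCSP response plus ~0.5 KB other TLS overhead quoted on the
    slides. Binary search, since size grows monotonically with the count."""
    def fits(n):
        return base_cert_bytes + san_size(n, name_len) + headroom_bytes <= limit_bytes

    if not fits(0):
        return 0
    lo, hi = 0, 1
    while fits(hi):
        lo, hi = hi, hi * 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if fits(mid):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for n in (1, 100, 500, 1000):
        print(f"{n:5d} names of 14 chars -> SAN extension {san_size(n, 14):6d} bytes")
    print("names that fit under the 44k IE limit (assumed 44,000 bytes):", max_names_under(44_000, 14))
    print("names that fit under the 22k IE limit (assumed 22,000 bytes):", max_names_under(22_000, 14))
```

Each 14-character name costs 16 bytes of DER, so the extension alone is linear in the number of SANs; the estimate deliberately ignores the PEM/base64 expansion and any duplication of names elsewhere in the certificate, which is why it is a lower bound on what the browser actually downloads.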
Maximum Certificate Size
  Google Chrome, Mozilla Firefox and Opera have a limit of 174K.
  Internet Explorer on Windows XP SP3 up to Windows 7 has a certificate size limit of 44K.
  Windows XP without any service pack is limited to 22K.
  Budget for the rest of the handshake too: an average OCSP stapling response is about 1K, and other TLS overhead is about 0.5K.
Performance of multi-domain certificates (time measured against number of names)
  1 name: 198 ms
  450 names: 518 ms
  750 names: 716 ms
Every 100 ms delay costs 1% of sales
The disadvantages of multi-domain certs
  No support for OV or EV
  One certificate shared by many websites
  Many hostnames are visible in the certificate (every visitor can read the whole list of co-hosted sites)
  The visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds? 90% SNI / 10% CloudSSL
SNI combined with CloudSSL: user requests website, secure website delivered
  With SNI support: the site's own certificate is served
  Windows XP (has no SNI support): the shared CloudSSL certificate bound to the IP address is served
Two SSL Certificates for one site!
  No additional costs
  Sites can use all types of certificates (including EV)
  One SSL Certificate is installed the regular way; a second SSL Certificate (the shared one, one per IP address) is updated automatically
Environment and platform independent
How does it work? [four-step diagram; the steps are not reproduced in the text]
Completely automated process
Thank you
Paul van Brouwershaven, paul.vanbrouwershaven@globalsign.com, @vanbroup