A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility


A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility. Paul van Brouwershaven, Business Development Director EMEA, GlobalSign, @vanbroup on Twitter. GlobalSign, a GMO Internet Inc group company.

Paul van Brouwershaven

Netherlands

Business Development Director for GlobalSign
Previously CTO of a European hosting company
Over 10 years of experience in the hosting industry
Expert in digital certificate solutions
Dedicated to increasing awareness of the requirements for online security
Thinking out of the box, detecting problems and providing solutions

Multiple SSL Certificates on a single IP address

More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament, Security of processing: "Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected."

Each SSL Certificate needs its own IP

Why do I need a dedicated IP address?

Request on a non-secure connection
Client, HTTP Request: Can you please send me /contact.html on www.domain.com (Host: www.domain.com)
Server, HTTP Reply: Here is the content you requested.

Request on a secure connection
Client (TLS Handshake): Hello, I support XYZ Encryption.
Server (TLS Handshake): Hi there, here is my public certificate, let's use this encryption algorithm.
Client (TLS Handshake): Sounds good to me.
Client (Encrypted), HTTP Request: Can you please send me /contact.html on www.domain.com
Server (Encrypted), HTTP Reply: Here is the content you requested.

Server Name Indication (SNI)
Client (TLS Handshake): Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
Server (TLS Handshake): Hi there, here is my public Certificate for www.domain.com, and let's use this encryption algorithm.
Client (TLS Handshake): Sounds good to me.
Client (Encrypted), HTTP Request: Can you please send me /contact.html on www.domain.com
Server (Encrypted), HTTP Reply: Here is the content you requested.

Request on a secure connection [diagram, steps 1 to 5: the client resolves www.google.com to 74.125.136.103:443; that address serves www.google.co.uk, www.google.gr, www.google.com, www.google.fr and www.google.de; the certificate returned is the one for www.google.com]

Testing SNI with OpenSSL

The SSL/TLS handshake

Applications with no SNI Support
All versions of Internet Explorer on Windows XP
Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
BlackBerry Browser
Windows Mobile up to 6.5

Windows XP with SNI

Operating System Usage - Win XP per continent [bar chart: WinXP usage in % (July 2013), y-axis 0 to 40, one bar each for Africa, Asia, Europe, North America, Oceania and South America]

Worldwide Operating System Usage - Win XP: 21%

Internet Explorer market share per continent [bar chart: IE market share in % (July 2013), y-axis 0% to 35%, one bar each for Africa, Asia, Europe, North America, Oceania and South America]

Worldwide Internet Explorer market share 25%

Or 8% of your worldwide visitors?
25% of 21% = 5.3% (Internet Explorer on Windows XP)
Internet Explorer on Windows XP + mobile traffic = 8% of worldwide internet users do not support Server Name Indication (SNI)

Should I use/offer SNI for SSL sites?
There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
Provide SNI support for free with an SSL Certificate.
Users can decide to provide an unsecured connection and a warning to visitors with an outdated system.
Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number.


What are the alternative solutions?

A multi-domain SSL Certificate
One SSL Certificate for multiple domain names from different organisations.
The certificate contains the hosting company's details.
Domain control is verified for each domain.

Multi-domain certificates

Control of the Private Key
A multi-domain certificate usually runs on a shared hosting server or reverse proxy.
DN: Domain control is validated for each SAN.
The SSL Certificate is accessible by the server or network administrator with root permissions.
Information on the company that is responsible for the private key is listed in the certificate contents.

Certificate Size
Test results based on number of SANs and characters.
Note: average number of characters in a domain 13/14* (*Source: Nominet).
Certificate size limit is browser dependent.

Certificate Growth [line chart: y-axis 0.0 to 35.0 (unit not labelled on the slide); x-axis number of SANs from 1 to 993 in steps of 16; one series per domain-name length from 1 to 20 characters]

Maximum Certificate Size
Google Chrome, Mozilla Firefox and Opera have a limit of 174K.

Maximum Certificate Size
Internet Explorer on Windows XP SP3 till Windows 7 has a certificate size limit of 44k.
Windows XP without any service packs is limited to 22k.
An average OCSP stapling response is about 1k.
Other TLS overhead is about 0.5k.
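A way to put numbers on the certificate-size slides, as an added example that is not part of the original deck: the subjectAltName extension is DER-encoded exactly (each dNSName costs its tag byte, its length octets and the name's bytes), while the size of the rest of the certificate is an assumed constant, the OCSP staple and TLS overhead are the "about 1k" and "about 0.5k" from the slide, and the browser limits are the 174K, 44k and 22k quoted above, all read as KiB. The function `max_sans` goes beyond the slides by computing, for a given average name length, the largest SAN count that still fits under a limit; all names it encodes are constructed.

```python
ASSUMED_BASE_CERT_BYTES = 1200   # assumption: size of the certificate without its SAN extension
OCSP_STAPLE_BYTES = 1024         # "about 1k" on the slide, read as KiB
TLS_OVERHEAD_BYTES = 512         # "about 0.5k" on the slide, read as KiB
BROWSER_LIMITS_BYTES = {         # limits quoted on the slides, read as KiB
    "Chrome / Firefox / Opera": 174 * 1024,
    "IE on Windows XP SP3 to Windows 7": 44 * 1024,
    "IE on Windows XP without service packs": 22 * 1024,
}
OID_SUBJECT_ALT_NAME = bytes.fromhex("0603551d11")   # OBJECT IDENTIFIER 2.5.29.17 (id-ce-subjectAltName)


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N octets) above."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_tlv(tag, content):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extension(names):
    """DER encoding of the full Extension: SEQUENCE { OID, OCTET STRING { SEQUENCE OF dNSName } }."""
    # dNSName is GeneralName choice [2], an implicitly tagged IA5String (tag 0x82)
    general_names = b"".join(der_tlv(0x82, name.encode("ascii")) for name in names)
    subject_alt_name = der_tlv(0x30, general_names)
    return der_tlv(0x30, OID_SUBJECT_ALT_NAME + der_tlv(0x04, subject_alt_name))


def certificate_size(names, base=ASSUMED_BASE_CERT_BYTES):
    """Estimated certificate size: assumed base plus the exact SAN extension size."""
    return base + len(san_extension(names))


def handshake_certificate_bytes(names):
    """Bytes the visitor downloads for the certificate part of the handshake."""
    return certificate_size(names) + OCSP_STAPLE_BYTES + TLS_OVERHEAD_BYTES


def fits(names):
    """Which of the quoted browser limits the estimated certificate stays within."""
    size = certificate_size(names)
    return {browser: size <= limit for browser, limit in BROWSER_LIMITS_BYTES.items()}


def constructed_names(count, length):
    """`count` ASCII names of exactly `length` characters (constructed test data)."""
    return [f"{i:0{length}d}"[-length:] for i in range(count)]


def max_sans(avg_len, limit_bytes, base=ASSUMED_BASE_CERT_BYTES):
    """Largest number of avg_len-character SANs whose certificate stays within limit_bytes."""
    lo, hi = 0, 1 << 16
    while lo < hi:                       # binary search; size grows monotonically with the count
        mid = (lo + hi + 1) // 2
        if certificate_size(constructed_names(mid, avg_len), base) <= limit_bytes:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for count in (1, 450, 750, 993):
        names = constructed_names(count, 14)
        print(count, "SANs:", certificate_size(names), "bytes,", fits(names))
    for browser, limit in BROWSER_LIMITS_BYTES.items():
        print(browser, "fits at most", max_sans(14, limit), "SANs of 14 characters")
```

Each 14-character dNSName costs 16 bytes in the extension (two bytes of tag and length plus the name), so the growth the slide plots is linear in the SAN count and in the name length, and the two IE limits are what cap a shared certificate long before the 174K limit of the other browsers matters.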

Performance of multi-domain certificates
750 names: 716 ms
450 names: 518 ms
1 name: 198 ms

Every 100ms delay costs 1% of sales

The disadvantages of multi-domain certs
No support for OV, EV
One certificate shared by many websites
Many hostnames are visible in the certificate
Visitor needs to download a bigger certificate (slower)

What if we could use the best of both solutions? 92% SNI / 8% CloudSSL

SNI combined with CloudSSL User requests website Secure website delivered

With SNI support

Windows XP (has no SNI support)

How Google Implemented this

Two SSL Certificates for one site!
No additional costs
Sites can use all types of certificates (including EV)
One SSL Certificate installed via the regular way; a second SSL Certificate (one per IP) can be updated automatically.

Environment and Platform independent

How does it work? [diagram with four numbered steps, 1 to 4; step text not recoverable from the slide]

Let's create a few sites in DirectAdmin

Completely Automated Process

Automated domain control validation

User Agent Redirect

Same site, Different content

Using meta-tag authentication


Thank you Paul van Brouwershaven paul.vanbrouwershaven@globalsign.com @vanbroup