Managing IPv4 scarcity when using SSL Certificates
Source: conference.apnic.net › data › 36 › multisslonip_apnic_v3

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust.

Page 1: Managing IPv4 scarcity when using SSL Certificates

Multiple SSL Certificates on a single IP address

Paul van Brouwershaven, Business Development Director EMEA, GlobalSign

@vanbroup on Twitter

Page 2: Paul van Brouwershaven

www.globalsign.com Authentication. Security. Trust.

Page 3: Netherlands

Page 4: Business Development Director

• Business Development Director for GlobalSign
• Previously CTO of a European hosting company
• Over 10 years of experience in the hosting industry
• Expert in digital certificate solutions
• Dedicated to increasing awareness of the requirements for online security
• Thinking out of the box, detecting problems and providing solutions

Page 5: Multiple SSL Certificates on a single IP address

Page 6: More demands and requirements for SSL

Page 7: Each SSL Certificate needs its own IP

Page 8: Why do I need a dedicated IP address?

Page 9: Request on a non-secure connection

Client • HTTP Request: Can you please send me /contact.html on www.domain.com

Server • HTTP Reply: Here is the content you requested.

Page 10: Host: www.domain.com

The Host header in the plain HTTP request is what tells a server hosting several sites on one IP address which site the client wants.

Page 11: Request on a secure connection

Client • (TLS Handshake) Hello, I support XYZ Encryption.

Server • (TLS Handshake) Hi there, here is my public certificate, let's use this encryption algorithm.

Client • (TLS Handshake) Sounds good to me.

Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com

Server • (Encrypted) HTTP Reply: Here is the content you requested.

Page 12: Request on a secure connection

Page 13: Server Name Indication (SNI)

Client • (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.

Server • (TLS Handshake) Hi there, here is my public Certificate for www.domain.com, and let's use this encryption algorithm.

Client • (TLS Handshake) Sounds good to me.

Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com

Server • (Encrypted) HTTP Reply: Here is the content you requested.

Page 14: The SSL/TLS handshake

Page 15: Applications with no SNI Support

• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5

Page 16: Operating System Usage - Windows XP

Chart: WinXP usage (July 2013) by region (Africa, Asia, Europe, North America, Oceania, South America); y-axis 0 to 40 (%).

• Asia: 30.18%
• Oceania: 9.85%

Page 17: Worldwide Operating System Usage - Win XP: 21%

Page 18: Internet Explorer market share – Per continent

Chart: IE market share (July 2013) by region (Africa, Asia, Europe, North America, Oceania, South America); y-axis 0.00% to 35.00%.

• Asia: 25.23%
• Oceania: 26.08%

Page 19: Worldwide Internet Explorer market share – 25%

Page 20: Do you want to lose 10% of your visitors?

Internet Explorer on Windows XP: 25% of 30% = 7.3%
+ mobile traffic =
10% of internet users in Asia do not support Server Name Indication (SNI)

Page 21: Or 8% of your worldwide visitors?

Internet Explorer on Windows XP: 25% of 21% = 5.3%
+ mobile traffic =
8% of worldwide internet users do not support Server Name Indication (SNI)

Page 22: Should I use/offer SNI for SSL sites?

• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
  − Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.
• Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number

Page 23: Should I use/offer SNI for SSL sites?

Page 24: What are the alternative solutions?

Page 25: A multi-domain SSL Certificate

• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.

Page 26: Control of the Private Key

• A multi-domain certificate usually runs on a shared hosting server or reverse proxy DN
• Domain control is validated for each SAN
• The SSL Certificate is accessible by the server or network administrator with root permissions
• Information about the company that is responsible for the private key is listed in the certificate contents.

Page 27: Certificate Size

• Test results based on number of SANs and characters
  Note: Average number of characters in a domain – 13/14* (*Source: Nominet)
• Certificate size limit is browser dependent

Page 28: Certificate Growth

Chart: certificate size (y-axis 0.0 to 35.0) against number of SANs, from 1 SAN to 987 SANs in steps of 17, with one series per hostname length from 1 Char to 20 Char.

Page 29: Maximum Certificate Size

• Google Chrome, Mozilla Firefox & Opera have a limit of 174K.

Page 30: Maximum Certificate Size

• Internet Explorer on Windows XP SP3 till Windows 7 has a certificate size limit of 44k.
• Windows XP without any service packs is limited to 22k.
• An average OCSP stapling response is about 1k
• Other TLS overhead is about 0.5k
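Slides 27 to 30 give the ingredients of a size budget: the certificate grows with the number and length of SAN entries, the client has to receive it together with an OCSP staple and other TLS overhead, and each browser family tops out at a different size. The script below is an added example, not code from the deck or from GlobalSign: it DER-encodes a subjectAltName extension for a list of dNSName entries exactly as it would appear in a certificate, adds the overheads the slides quote, and finds the largest SAN count that still fits each limit. The size of the rest of the certificate (BASE_CERT_BYTES), the reading of "K" as 1024 bytes and the generated sample hostnames are assumptions made here.

```python
"""Estimate how many SAN entries fit a browser's certificate size limit.

Added example (not from the slides): DER-encodes a subjectAltName
extension and adds the per-handshake overheads the slides mention.
"""

# Limits quoted on the slides; "K" is read as 1024 bytes (assumption).
BROWSER_LIMITS = {
    "Chrome / Firefox / Opera": 174 * 1024,
    "Internet Explorer, Windows XP SP3 to Windows 7": 44 * 1024,
    "Windows XP without service packs": 22 * 1024,
}
OCSP_STAPLE_BYTES = 1024   # "an average OCSP stapling response is about 1k"
TLS_OVERHEAD_BYTES = 512   # "other TLS overhead is about 0.5k"
# Everything in the certificate other than the SAN extension (issuer, key,
# signature, other extensions). Assumed value, not from the slides; measure a
# real certificate with `openssl x509 -outform DER | wc -c` to replace it.
BASE_CERT_BYTES = 1300


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


def san_extension_der(hostnames) -> bytes:
    """Extension { id-ce-subjectAltName, OCTET STRING { GeneralNames } }.

    Each GeneralName is a dNSName: context tag [2] IMPLICIT IA5String (0x82).
    """
    names = b"".join(der_tlv(0x82, h.encode("ascii")) for h in hostnames)
    general_names = der_tlv(0x30, names)            # GeneralNames SEQUENCE
    ext_value = der_tlv(0x04, general_names)        # extnValue OCTET STRING
    ext_oid = bytes.fromhex("0603551d11")           # OBJECT IDENTIFIER 2.5.29.17
    return der_tlv(0x30, ext_oid + ext_value)       # Extension SEQUENCE


def certificate_size(hostnames, base_bytes=BASE_CERT_BYTES) -> int:
    """Estimated DER size of a certificate carrying these SANs."""
    return base_bytes + len(san_extension_der(hostnames))


def handshake_payload(hostnames, base_bytes=BASE_CERT_BYTES) -> int:
    """Bytes the client must receive before it can validate the server."""
    return certificate_size(hostnames, base_bytes) + OCSP_STAPLE_BYTES + TLS_OVERHEAD_BYTES


def fits(hostnames, limit, base_bytes=BASE_CERT_BYTES) -> bool:
    """True if the handshake payload stays within a browser's size limit."""
    return handshake_payload(hostnames, base_bytes) <= limit


def sample_names(count: int, length: int):
    """Constructed hostnames of exactly `length` characters (digit labels under .com)."""
    digits = length - len(".com")
    return ["%0*d.com" % (digits, i) for i in range(count)]


def max_sans(limit, name_length=14, base_bytes=BASE_CERT_BYTES) -> int:
    """Largest SAN count that still fits `limit` (binary search; fits() is monotone)."""
    lo, hi = 0, 20000
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if fits(sample_names(mid, name_length), limit, base_bytes):
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    # 14 characters is the average domain length the slides cite (Nominet).
    for browser, limit in BROWSER_LIMITS.items():
        print(f"{browser}: up to {max_sans(limit)} SANs of 14 characters")
```

Each dNSName costs its length plus two bytes of tag and length, so growth is linear in both SAN count and name length, which is the shape of the chart on slide 28. The binary search is there because the limits are hard failures: a client that rejects an oversized certificate shows an error rather than a slow page, so the budget has to be checked before adding names, not after.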

Page 31: Performance of multi-domain certificates

• 750 names: 716 ms
• 450 names: 518 ms
• 1 name: 198 ms

Page 32: Every 100ms delay costs 1% of sales

Page 33: The disadvantages of multi-domain certs

• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)

Page 34: What if we could use the best of both worlds?

90% SNI / 10% CloudSSL

Page 35: SNI combined with CloudSSL

Diagram labels: User requests website; Secure website delivered.

Page 36: With SNI support

Page 37: Windows XP (has no SNI support)

Page 38: Two SSL Certificates for one site!

• No additional costs
• Sites can use all types of certificates (including EV)
• One SSL Certificate is installed the regular way; a second SSL Certificate (one per IP) can be updated automatically.
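The selection rule behind slides 13 and 35 to 38 is made by the server at the very start of the handshake: if the ClientHello carries a server_name extension, present the certificate issued for that hostname; if it carries none (Internet Explorer on Windows XP, the Android 2.x browser and the other clients on slide 15), present the one certificate bound to the IP address, here the shared multi-domain certificate. The code below is an added example, not code from the deck or from GlobalSign's product: it parses the SNI extension out of a raw TLS ClientHello record and applies that rule. build_client_hello constructs minimal sample handshakes for the demonstration, and the certificate file names are placeholders.

```python
"""Pick a certificate from the SNI the client sends (added example).

Not code from the deck or from GlobalSign. Parses the server_name extension
out of a raw TLS ClientHello record (RFC 5246 record and handshake layout,
RFC 6066 server_name extension) and applies the rule the slides describe:
a per-hostname certificate when SNI is present, the shared multi-domain
certificate bound to the IP address when it is not.
"""

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
NAME_TYPE_HOST = 0x00


def build_client_hello(server_name=None, extensions_block=True) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello (sample input, not a real capture).

    extensions_block=False mimics an old client that omits the extensions field
    entirely, as opposed to one that sends extensions but no server_name.
    """
    body = b"\x03\x03" + bytes(32)                  # client_version, random (zeros)
    body += b"\x00"                                 # empty session_id
    suites = b"\xc0\x2f\xc0\x30"                    # two ECDHE-RSA AES-GCM suites
    body += len(suites).to_bytes(2, "big") + suites
    body += b"\x01\x00"                             # compression_methods: null only
    if server_name is not None or extensions_block:
        exts = b""
        if server_name is not None:
            host = server_name.encode("ascii")
            entry = bytes([NAME_TYPE_HOST]) + len(host).to_bytes(2, "big") + host
            name_list = len(entry).to_bytes(2, "big") + entry
            exts += (EXT_SERVER_NAME.to_bytes(2, "big")
                     + len(name_list).to_bytes(2, "big") + name_list)
        body += len(exts).to_bytes(2, "big") + exts
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if absent."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = int.from_bytes(record[3:5], "big")
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                          # client_version + random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos >= len(body):
            return None                                       # no extensions field at all
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_end = 2 + int.from_bytes(data[0:2], "big")   # ServerNameList
            p = 2
            while p + 3 <= list_end:
                name_type = data[p]
                name_len = int.from_bytes(data[p + 1:p + 3], "big")
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == NAME_TYPE_HOST:
                    return name.decode("ascii")
    except IndexError:
        raise ValueError("truncated ClientHello") from None
    return None


def select_certificate(record: bytes, per_host: dict, shared_cert: str) -> str:
    """Certificate to present: the site's own cert for a known SNI, else the shared one."""
    name = extract_sni(record)
    if name is None:
        return shared_cert                  # legacy client: the IP-bound multi-domain cert
    return per_host.get(name.lower(), shared_cert)


if __name__ == "__main__":
    certs = {"www.domain.com": "www.domain.com-ev.pem"}      # placeholder file names
    for hello in (build_client_hello("www.domain.com"), build_client_hello()):
        print(extract_sni(hello), "->", select_certificate(hello, certs, "shared-multidomain.pem"))
```

Two properties of the protocol drive the design on these slides and are visible in the parser: the server_name travels in the clear, before any key exchange, which is why the server can act on it but also why the hostname is observable on the wire, and a client that sends no SNI gives the server nothing to choose by, so the IP address can only ever carry one default certificate. Production servers implement the same logic in their SNI callbacks (for example ssl.SSLContext.sni_callback in Python or the ServerName-based virtual hosts of web servers); the fallback to the shared certificate is what lets a non-SNI Windows XP client still connect without a name-mismatch warning.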

Page 39: Environment and Platform independent

Page 40: How does it work?

(Diagram with steps 1, 2, 3, 4)

Page 41: Completely Automated Process

Page 42: Thank you

Paul van Brouwershaven [email protected]

@vanbroup