Managing IPv4 scarcity when using SSL Certificates (conference.apnic.net...)
TRANSCRIPT
© GlobalSign. A GMO Internet Inc group company.
Authentication. Security. Trust.
Managing IPv4 scarcity when using SSL Certificates: Multiple SSL Certificates on a single IP address
Paul van Brouwershaven Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
www.globalsign.com Authentication. Security. Trust.
Paul van Brouwershaven
Netherlands
Business Development Director
Business Development Director for GlobalSign
Previously CTO of a European hosting company
Over 10 years of experience in the hosting industry
Expert in digital certificate solutions
Dedicated to increasing awareness of the requirements for online security
Thinking out of the box, detecting problems and providing solutions
Multiple SSL Certificates on a single IP address
More demands and requirements for SSL
Each SSL Certificate needs its own IP address
Why do I need a dedicated IP address?
Request on a non-secure connection
Client • HTTP Request: Can you please send me /contact.html on www.domain.com
Server • HTTP Reply: Here is the content you requested.
Host: www.domain.com (the HTTP Host header; it tells a shared server which of the sites on this IP address the request is for)
Request on a secure connection
Client • (TLS Handshake) Hello, I support XYZ Encryption.
Server • (TLS Handshake) Hi there, here is my public certificate, let's use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
The server has to pick its certificate in the second step, before the encrypted request that carries the hostname arrives, so with nothing else to go on it can present only one certificate per IP address and port.
Server Name Indication (SNI)
Client • (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
Server • (TLS Handshake) Hi there, here is my public certificate for www.domain.com, and let's use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
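The exchange above is what the server sees on the wire. The following is an added example, not code from the talk or from GlobalSign: it builds a minimal TLS 1.2 ClientHello with and without a server_name extension, parses the hostname back out of the record, and makes the certificate choice the slides describe, the site's own certificate when SNI names a host the server has one for, and a single fallback certificate otherwise. The ClientHello bytes, hostnames and certificate labels are constructed sample values.

```python
import struct

RECORD_HANDSHAKE = 0x16        # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000       # extension type: server_name (SNI)
SNI_HOST_NAME = 0x00           # NameType: host_name


def build_client_hello(server_name=None):
    """Constructed sample input: a minimal TLS 1.2 ClientHello record.

    With server_name=None the extensions block is omitted entirely, which is
    what an SNI-less client such as Internet Explorer on Windows XP sends.
    """
    body = b"\x03\x03"                          # client_version: TLS 1.2
    body += bytes(32)                           # random (zeros, sample only)
    body += b"\x00"                             # session_id: empty
    suites = b"\xc0\x2f\x00\x2f"                # two cipher suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                         # one compression method: null
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or None.

    Raises ValueError on anything that is not a well-formed ClientHello record.
    """
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2 + cs_len                           # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return None                             # no extensions block at all
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions block")
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + length]
        pos += 4 + length
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= min(len(data), 2 + list_len):
            name_type = data[q]
            (name_len,) = struct.unpack("!H", data[q + 1:q + 3])
            name = data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")
    return None


def select_certificate(record, certs_by_name, fallback_cert):
    """The decision the server must make before sending its Certificate message:
    the site's own certificate if SNI names a host it has one for, otherwise one
    fallback (e.g. a multi-domain certificate covering every site on the IP)."""
    name = parse_sni(record)
    if name is not None and name.lower() in certs_by_name:
        return certs_by_name[name.lower()]
    return fallback_cert


if __name__ == "__main__":
    certs = {"www.domain.com": "cert for www.domain.com", "shop.example.net": "cert for shop.example.net"}
    for hello in (build_client_hello("www.domain.com"), build_client_hello()):
        print(parse_sni(hello), "->", select_certificate(hello, certs, "shared multi-domain cert"))
```

The point to notice is the `return None` branch: a client that omits the extensions block gives the server nothing to select on, so whatever sits in `fallback_cert` is what every such client gets, for every site on that IP address.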
The SSL/TLS handshake
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Operating System Usage - Windows XP
(Bar chart: WinXP usage (July 2013) by continent, for Africa, Asia, Europe, North America, Oceania and South America, on a 0 to 40 percent scale; the values readable on the extracted slide are Asia: 30.18% and Oceania: 9.85%.)
Worldwide Operating System Usage - Win XP: 21%
Internet Explorer market share - per continent
(Bar chart: IE market share (July 2013) by continent, for Africa, Asia, Europe, North America, Oceania and South America, on a 0.00% to 35.00% scale; the values readable on the extracted slide are Asia: 25.23% and Oceania: 26.08%.)
Worldwide Internet Explorer market share - 25%
Asia: 25% of 30% ≈ 7.5% of users run Internet Explorer on Windows XP; add mobile traffic and the question becomes: do you want to lose 10% of your visitors?
10% of internet users in Asia do not support Server Name Indication (SNI).
Worldwide: 25% of 21% ≈ 5.3% of users run Internet Explorer on Windows XP; add mobile traffic and the question becomes: or 8% of your worldwide visitors?
8% of worldwide internet users do not support Server Name Indication (SNI).
(Multiplying the browser share by the operating-system share treats the two as independent, so these are estimates rather than measured figures.)
Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate; users can decide to serve visitors with an outdated system an unsecured connection plus a warning.
• Charge an additional fee for users that want full compatibility and thus a dedicated IP address.
What are the alternative solutions?
A multi-domain SSL Certificate
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company's details.
• Domain control is verified for each domain.
Control of the Private Key
• A multi-domain certificate usually runs on a shared hosting server or a reverse proxy/CDN.
• Domain control is validated for each SAN.
• The SSL Certificate and its private key are accessible to any server or network administrator with root permissions on that shared system.
• Information about the company that is responsible for the private key is listed in the certificate contents.
Certificate Size
• Test results are based on the number of SANs and the number of characters per name. Note: the average number of characters in a domain is 13/14 (source: Nominet).
• The certificate size limit is browser dependent.
Certificate Growth
(Line chart: certificate size, on a 0.0 to 35.0 scale, against the number of SANs from 1 to 987 in steps of 17, with one series per hostname length from 1 to 20 characters; the extracted slide does not label the unit of the vertical axis.)
Maximum Certificate Size
• Google Chrome, Mozilla Firefox and Opera have a limit of 174K.
• Internet Explorer on Windows XP SP3 through Windows 7 has a certificate size limit of 44K.
• Windows XP without any service packs is limited to 22K.
• An average OCSP stapling response is about 1K.
• Other TLS overhead is about 0.5K.
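To see why a multi-domain certificate grows with the number of SANs, and how the limits above translate into a name count, here is an added example that is not from the talk: it DER-encodes a subjectAltName extension holding only dNSName entries, computes its size arithmetically for a given SAN count and name length, and searches for the largest count that stays under each browser limit quoted on these slides. The following are my assumptions rather than the slides': K is taken as 1024 bytes, the certificate with no SAN entries at all is taken as 1200 bytes, and the slides' OCSP-stapling and TLS-overhead figures are added as fixed costs.

```python
OID_SUBJECT_ALT_NAME = b"\x06\x03\x55\x1d\x11"   # OBJECT IDENTIFIER 2.5.29.17
TAG_SEQUENCE, TAG_OCTET_STRING, TAG_DNS_NAME = 0x30, 0x04, 0x82  # dNSName is [2] IMPLICIT IA5String


def der_length(n):
    """DER length octets: one byte below 128, otherwise 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(octets)]) + octets


def der_tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def san_extension_der(hostnames):
    """DER of Extension { extnID 2.5.29.17, extnValue OCTET STRING { GeneralNames } }, dNSName entries only."""
    general_names = b"".join(der_tlv(TAG_DNS_NAME, h.encode("ascii")) for h in hostnames)
    extn_value = der_tlv(TAG_OCTET_STRING, der_tlv(TAG_SEQUENCE, general_names))
    return der_tlv(TAG_SEQUENCE, OID_SUBJECT_ALT_NAME + extn_value)


def san_extension_size(count, name_len):
    """len(san_extension_der(...)) for `count` names of `name_len` characters, without building the bytes."""
    names = count * (1 + len(der_length(name_len)) + name_len)
    general_names = 1 + len(der_length(names)) + names
    extn_value = 1 + len(der_length(general_names)) + general_names
    content = len(OID_SUBJECT_ALT_NAME) + extn_value
    return 1 + len(der_length(content)) + content


# Limits quoted on the slides; K is taken as 1024 bytes here (an assumption).
BROWSER_LIMITS = {
    "IE on Windows XP without service packs": 22 * 1024,
    "IE on Windows XP SP3 through Windows 7": 44 * 1024,
    "Chrome, Firefox, Opera": 174 * 1024,
}
OCSP_STAPLE_BYTES = 1024   # slides: average stapled OCSP response about 1K
TLS_OVERHEAD_BYTES = 512   # slides: other TLS overhead about 0.5K
BASE_CERT_BYTES = 1200     # assumed size of the certificate with no SAN entries at all


def estimated_bytes(count, name_len=14, base_cert_bytes=BASE_CERT_BYTES):
    """Bytes the client has to take in for a certificate with `count` SANs plus the overheads the slides cite."""
    return base_cert_bytes + san_extension_size(count, name_len) + OCSP_STAPLE_BYTES + TLS_OVERHEAD_BYTES


def max_names_within(limit_bytes, name_len=14, base_cert_bytes=BASE_CERT_BYTES):
    """Largest SAN count whose estimated_bytes() stays within limit_bytes (binary search on a monotonic size)."""
    lo, hi = 0, 1
    while estimated_bytes(hi, name_len, base_cert_bytes) <= limit_bytes:
        hi *= 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if estimated_bytes(mid, name_len, base_cert_bytes) <= limit_bytes:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    for browser, limit in BROWSER_LIMITS.items():
        print(f"{browser}: up to {max_names_within(limit)} names of 14 characters")
```

Each 14-character dNSName costs 16 bytes, so the extension grows almost linearly; the length octets of the enclosing SEQUENCE and OCTET STRING only add a few bytes as the list crosses the 128-, 256- and 65536-byte boundaries. The numbers this prints are an estimate for the SAN extension only; a real certificate also carries the subject, key and signature, which is what `BASE_CERT_BYTES` stands in for.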
Performance of multi-domain certificates
• 1 name: 198 ms
• 450 names: 518 ms
• 750 names: 716 ms
Every 100 ms delay costs 1% of sales
The disadvantages of multi-domain certs
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds? 90% SNI / 10% CloudSSL
SNI combined with CloudSSL (diagram): the user requests a website; a visitor with SNI support receives the site's own certificate, while Windows XP (which has no SNI support) receives the shared CloudSSL certificate; the secure website is delivered either way.
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• One SSL Certificate is installed in the regular way; a second SSL Certificate (one per IP address, shared by every site on it) can be updated automatically.
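As an added illustration, not from the talk (which is platform independent), of how the two certificates coexist on one IP address, here is an nginx configuration in which clients that send SNI get the site's own certificate and clients that do not fall through to the default server, which holds the shared multi-domain certificate. The IP address, hostnames and file paths are placeholders.

```nginx
# Added illustration: one IP address, two certificates.
# nginx picks the server block whose server_name matches the SNI hostname; when
# the client sends no SNI at all (the slides' Windows XP case) or names a host
# with no block of its own, the default_server block answers, so its certificate
# must cover every site on this IP address.

server {
    listen 203.0.113.10:443 ssl default_server;
    server_name _;
    # shared multi-domain certificate listing every hosted site as a SAN
    ssl_certificate     /etc/ssl/shared/multi-domain.crt;
    ssl_certificate_key /etc/ssl/shared/multi-domain.key;
    root /var/www/shared;
}

server {
    listen 203.0.113.10:443 ssl;
    server_name www.domain.com;
    # the site's own certificate; any type, including EV, works here
    ssl_certificate     /etc/ssl/sites/www.domain.com.crt;
    ssl_certificate_key /etc/ssl/sites/www.domain.com.key;
    root /var/www/www.domain.com;
}
```

To check the behaviour from a client, compare `openssl s_client -connect 203.0.113.10:443 -servername www.domain.com` with the same command without `-servername`: the first should show the site's own certificate, the second the shared multi-domain one. Because the default server answers every SNI-less client, any site whose name is missing from that shared certificate will produce a name-mismatch warning for exactly the visitors the setup is meant to keep.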
Environment and Platform independent
How does it work? (diagram with four numbered steps)
Completely Automated Process
Thank you
Paul van Brouwershaven [email protected]
@vanbroup