Presentation is loading. Please wait.

Presentation is loading. Please wait.

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP.

Published byBernice McDaniel Modified over 9 years ago

Similar presentations

Presentation on theme: "© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP."— Presentation transcript:

1 © GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP address without losing any backward compatibility Paul van Brouwershaven Business Development Director EMEA, GlobalSign @vanbroup on Twitter

2 www.globalsign.com Authentication. Security. Trust. Paul van Brouwershaven

3 www.globalsign.com Authentication. Security. Trust. Netherlands

4 www.globalsign.com Authentication. Security. Trust. Business Development Director  Business Development Director for GlobalSign  Previously CTO of a European hosting company  Over 10 years of experience in the hosting industry  Expert in digital certificate solutions  Dedicated to increasing awareness of the requirements for online security  Thinking out of the box, detecting problems and providing solutions

5 www.globalsign.com Authentication. Security. Trust. Multiple SSL Certificates on a single IP address

6 www.globalsign.com Authentication. Security. Trust. More demands and requirements for SSL Article 17 of Directive 95/46/EC of the European Parliament Security of processing Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

7 www.globalsign.com Authentication. Security. Trust. Each SSL Certificate needs its own IP

8 www.globalsign.com Authentication. Security. Trust. Why do I need a dedicated IP address?

9 www.globalsign.com Authentication. Security. Trust. Request on a non-secure connection Client HTTP Request: Can you please send me /contact.html on www.domain.com Server HTTP Reply: Here is the content you requested.

10 www.globalsign.com Authentication. Security. Trust. Host: www.domain.com

11 www.globalsign.com Authentication. Security. Trust. Request on a secure connection Client (TLS Handshake) Hello, I support XYZ Encryption. Server (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm. Client (TLS Handshake) Sounds good to me. Client (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com Server (Encrypted) HTTP Reply: Here is the content you requested.

12 www.globalsign.com Authentication. Security. Trust. Server Name Indication (SNI) Client (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to ’www.domain.com'. Server (TLS Handshake) Hi there, here is my public Certificate for www.domain.com, and let’s use this encryption algorithm. Client (TLS Handshake) Sounds good to me. Client (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com Server (Encrypted) HTTP Reply: Here is the content you requested.

13 www.globalsign.com Authentication. Security. Trust. Request on a secure connection 74.125.136.103 : 443 www.google.com 1 2 3 4 5 - www.google.co.uk - www.google.gr - www.google.com - www.google.fr - www.google.de www.google.com

14 www.globalsign.com Authentication. Security. Trust. Testing SNI with OpenSSL

15 www.globalsign.com Authentication. Security. Trust. The SSL/TLS handshake

16 www.globalsign.com Authentication. Security. Trust.  All versions of Internet Explorer on Windows XP  Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)  BlackBerry Browser  Windows Mobile up to 6.5 Applications with no SNI Support

17 www.globalsign.com Authentication. Security. Trust. Windows XP with SNI

18 www.globalsign.com Authentication. Security. Trust. Operating System Usage - Win XP – per continent

19 www.globalsign.com Authentication. Security. Trust. Worldwide Operating System Usage - Win XP: 21%

20 www.globalsign.com Authentication. Security. Trust. Internet Explorer market share – Per continent

21 www.globalsign.com Authentication. Security. Trust. Worldwide Internet Explorer market share – 25%

22 www.globalsign.com Authentication. Security. Trust. 25% of 21% = 5.3% Internet Explorer Windows XP + mobile traffic = Or 8% of your world wide visitors? 8% of World Wide internet users do not support Server Name Indication (SNI)

23 www.globalsign.com Authentication. Security. Trust.  There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.  Provide SNI support for free with an SSL Certificate − Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.  Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number Should I use/offer SNI for SSL sites?

24 www.globalsign.com Authentication. Security. Trust. Should I use/offer SNI for SSL sites?

25 www.globalsign.com Authentication. Security. Trust. What are the alternative solutions?

26 www.globalsign.com Authentication. Security. Trust.  One SSL Certificate for multiple domain names from different organisations.  The certificate contains the hosting company’s details.  Domain control is verified for each domain. A multi-domain SSL Certificate

27 www.globalsign.com Authentication. Security. Trust. Multi-domain certificates

28 www.globalsign.com Authentication. Security. Trust.  A multi-domain certificate usually runs on shared hosting server or reversed proxy DN  Domain control is validated for each SAN  SSL Certificate accessible by server or network administrator with root permissions  Information of the company that is responsible for the private key is listed in the certificate contents. Control of the Private Key

29 www.globalsign.com Authentication. Security. Trust.  Test results based on number of SANs and characters  Note: Average number of characters in a domain – 13/14* *Source: Nominet  Certificate size limit is browser dependent Certificate Size

30 www.globalsign.com Authentication. Security. Trust. Certificate Growth

31 www.globalsign.com Authentication. Security. Trust.  Google Chrome, Mozilla Firefox & Opera have a limit of 174K. Maximum Certificate Size

32 www.globalsign.com Authentication. Security. Trust.  Internet Explorer on Windows XP SP3 till Windows 7 has a certificate size limit of 44k.  Windows XP without any service packs is limited to 22k.  An average OCSP stapling response is about 1k  Other TLS overhead is about 0.5k Maximum Certificate Size

33 www.globalsign.com Authentication. Security. Trust. Performance of multi-domain certificates  750 names: 716 ms  450 names: 518 ms  1 name: 198 ms

34 www.globalsign.com Authentication. Security. Trust. Every 100ms delay costs 1% of sales

35 www.globalsign.com Authentication. Security. Trust.  No support for OV, EV  One certificate shared by many websites  Many hostnames are visible in the certificate  Visitor needs to download a bigger certificate (slower) The disadvantages of multi-domain certs

36 www.globalsign.com Authentication. Security. Trust. What if we could use the best of both solutions? 92% SNI / 8% CloudSSL

37 www.globalsign.com Authentication. Security. Trust. SNI combined with CloudSSL User requests website Secure website delivered

38 www.globalsign.com Authentication. Security. Trust. With SNI support

39 www.globalsign.com Authentication. Security. Trust. Windows XP (has no SNI support)

40 www.globalsign.com Authentication. Security. Trust. How Google Implemented this

41 www.globalsign.com Authentication. Security. Trust.  No additional costs  Sites can use all types of certificates (including EV)  One SSL Certificate installed via the regular way, a second SSL Certificate (one per IP) can be updated automatically. Two SSL Certificates for one site!

42 www.globalsign.com Authentication. Security. Trust. Environment and Platform independent

43 www.globalsign.com Authentication. Security. Trust. How does it work? 1 2 3 4

44 www.globalsign.com Authentication. Security. Trust. Lets create a few sites in DirectAdmin

45 www.globalsign.com Authentication. Security. Trust. Completely Automated Process

46 www.globalsign.com Authentication. Security. Trust. Automated domain control validation

47 www.globalsign.com Authentication. Security. Trust. User Agent Redirect

48 www.globalsign.com Authentication. Security. Trust. Same site, Different content

49 www.globalsign.com Authentication. Security. Trust. Using meta-tag authentication

50 www.globalsign.com Authentication. Security. Trust. Using meta-tag authentication

51 www.globalsign.com Authentication. Security. Trust. Thank you Paul van Brouwershaven paul.vanbrouwershaven@globalsign.com @vanbroup

Download ppt "© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust. A tutorial on how you can host multiple SSL Certificates on a single IP."

Similar presentations

3.02H Publishing a Website 3.02 Develop webpages..

3.02H Publishing a Website 3.02 Develop webpages..
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Network Security.

Network Security.
ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.

ARP Cache Poisoning How the outdated Address Resolution Protocol can be easily abused to carry out a Man In The Middle attack across an entire network.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.

HTTPS Hypertext Transfer Protocol Secure Marcela López Hurtado.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.
Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.

Secure Sockets Layer eXtended (SSLX) Next Generation Internet Security Overview Presentation April 2011.
DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.

DNS and HTTPs ACN Presentation. Domain Names We refer to computers on the Internet (Internet hosts), by names like: sharda.ac.in These are called domain.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
16.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

TLS/SSL Review. Transport Layer Security A 30-second history Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent.

Similar presentations

Ads by Google