Managing IPv4 scarcity when using SSL Certificates (conference.apnic.net)
TRANSCRIPT
© GlobalSign. A GMO Internet Inc group company.
Authentication. Security. Trust.
Managing IPv4 scarcity when using SSL Certificates: Multiple SSL Certificates on a single IP address
Paul van Brouwershaven Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
www.globalsign.com Authentication. Security. Trust.
Paul van Brouwershaven
Netherlands
Business Development Director
Business Development Director for GlobalSign
Previously CTO of a European hosting company
Over 10 years of experience in the hosting industry
Expert in digital certificate solutions
Dedicated to increasing awareness of the requirements for online security
Thinking out of the box, detecting problems and providing solutions
Multiple SSL Certificates on a single IP address
More demands and requirements for SSL
Each SSL Certificate needs its own IP
Why do I need a dedicated IP address?
Request on a non-secure connection
Client • HTTP Request: Can you please send me /contact.html on www.domain.com
Server • HTTP Reply: Here is the content you requested.
Host: www.domain.com
Request on a secure connection
Client • (TLS Handshake) Hello, I support XYZ Encryption.
Server • (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
Server Name Indication (SNI)
Client • (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.domain.com'.
Server • (TLS Handshake) Hi there, here is my public Certificate for www.domain.com, and let’s use this encryption algorithm.
Client • (TLS Handshake) Sounds good to me.
Client • (Encrypted) HTTP Request: Can you please send me /contact.html on www.domain.com
Server • (Encrypted) HTTP Reply: Here is the content you requested.
The SSL/TLS handshake
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x [Gingerbread] default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Operating System Usage - Windows XP
[Chart: WinXP usage (July 2013) per continent (Africa, Asia, Europe, North America, Oceania, South America), y-axis 0 to 40%. Highlighted: Asia 30.18%, Oceania 9.85%.]
Worldwide Operating System Usage - Win XP: 21%
Internet Explorer market share – Per continent
[Chart: IE market share (July 2013) per continent (Africa, Asia, Europe, North America, Oceania, South America), y-axis 0.00% to 35.00%. Highlighted: Asia 25.23%, Oceania 26.08%.]
Worldwide Internet Explorer market share – 25%
25% (Internet Explorer) of 30% (Windows XP) = 7.3%
+ mobile traffic =
Do you want to lose 10% of your visitors?
10% of internet users in Asia do not support Server Name Indication (SNI)
25% (Internet Explorer) of 21% (Windows XP) = 5.3%
+ mobile traffic =
Or 8% of your worldwide visitors?
8% of worldwide internet users do not support Server Name Indication (SNI)
Should I use/offer SNI for SSL sites?
There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
Provide SNI support for free with an SSL Certificate − users can decide to provide an unsecured connection and a warning to visitors with an outdated system.
Calculate an additional fee for users that want to have full compatibility and thus a dedicated IP number.
What are the alternative solutions?
A multi-domain SSL Certificate
One SSL Certificate for multiple domain names from different organisations.
The certificate contains the hosting company’s details.
Domain control is verified for each domain.
Control of the Private Key
A multi-domain certificate usually runs on a shared hosting server or reverse proxy.
Domain control is validated for each SAN.
The SSL Certificate is accessible by the server or network administrator with root permissions.
Information about the company that is responsible for the private key is listed in the certificate contents.
Certificate Size
Test results based on number of SANs and characters.
Note: Average number of characters in a domain – 13/14* (*Source: Nominet)
Certificate size limit is browser dependent.
Certificate Growth
[Chart: certificate size (y-axis 0.0 to 35.0) against the number of SANs (x-axis from 1 SAN to 987 SAN in steps of 17), with one series per name length from 1 Char to 20 Char.]
Maximum Certificate Size
Google Chrome, Mozilla Firefox & Opera have a limit of 174K.
Maximum Certificate Size
Internet Explorer on Windows XP SP3 up to Windows 7 has a certificate size limit of 44k.
Windows XP without any service packs is limited to 22k.
An average OCSP stapling response is about 1k.
Other TLS overhead is about 0.5k.
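As an added example (not from the slides), the Python below encodes a subjectAltName extension in DER exactly as it appears inside a certificate, so the growth per added name behind the Certificate Growth chart can be measured rather than read off a graph, and then works out how many 14-character names (the average quoted above) fit under the 22K, 44K and 174K limits once the ~1K OCSP staple and ~0.5K TLS overhead are subtracted. Two values are assumptions: the size of the rest of the certificate without its SAN extension (1,200 bytes) and the reading of "K" as 1,024 bytes.

```python
KIB = 1024
BROWSER_LIMITS = {                     # limits quoted on the slides, read as KiB (assumption)
    "IE on Windows XP (no SP)": 22 * KIB,
    "IE on Windows XP SP3 to Windows 7": 44 * KIB,
    "Chrome / Firefox / Opera": 174 * KIB,
}
HANDSHAKE_OVERHEAD = 1 * KIB + 512     # ~1K stapled OCSP response + ~0.5K other TLS overhead
BASE_CERT_BYTES = 1200                 # assumed size of the certificate without its SAN extension
SAN_OID = bytes.fromhex("551d11")      # 2.5.29.17 id-ce-subjectAltName


def der_len(n):
    """DER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def san_extension(names):
    """DER of Extension { id-ce-subjectAltName, OCTET STRING { GeneralNames } }
    with every name encoded as a dNSName ([2] IMPLICIT IA5String)."""
    general_names = b"".join(der_tlv(0x82, n.encode("ascii")) for n in names)
    return der_tlv(0x30, der_tlv(0x06, SAN_OID) + der_tlv(0x04, der_tlv(0x30, general_names)))


def header_len(content_len):
    return 1 + len(der_len(content_len))      # tag byte plus length octets


def san_extension_size(count, name_len):
    """Same value as len(san_extension(...)) for `count` names of `name_len`
    characters each, computed arithmetically so large counts stay cheap."""
    names = count * (header_len(name_len) + name_len)
    seq = header_len(names) + names
    octets = header_len(seq) + seq
    return header_len(5 + octets) + 5 + octets    # 5 = encoded OID


def estimated_cert_size(count, name_len=14):
    return BASE_CERT_BYTES + san_extension_size(count, name_len)


def max_sans_under(limit_bytes, name_len=14):
    """Largest SAN count whose certificate plus handshake overhead still fits."""
    budget = limit_bytes - HANDSHAKE_OVERHEAD
    lo, hi = 0, limit_bytes                        # size is monotonic in the count
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if estimated_cert_size(mid, name_len) <= budget:
            lo = mid
        else:
            hi = mid - 1
    return lo


if __name__ == "__main__":
    for client, limit in BROWSER_LIMITS.items():
        print(f"{client}: up to {max_sans_under(limit)} names of 14 characters")
```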
Performance of multi-domain certificates
1 name: 198 ms
450 names: 518 ms
750 names: 716 ms
Every 100ms delay costs 1% of sales
The disadvantages of multi-domain certs
No support for OV, EV
One certificate shared by many websites
Many hostnames are visible in the certificate
Visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds?
90% SNI / 10% CloudSSL
SNI combined with CloudSSL
User requests website → Secure website delivered
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site!
No additional costs
Sites can use all types of certificates (including EV)
One SSL Certificate is installed the regular way; a second SSL Certificate (one per IP) can be updated automatically.
Environment and Platform independent
How does it work?
Completely Automated Process
Thank you
Paul van Brouwershaven [email protected]
@vanbroup