Multiple SSL Certificates on a Single IP Address
© GlobalSign. A GMO Internet Inc group company.
Authentication. Security. Trust.
IPv4 Shortage: Multiple SSL Certificates on a single IP address
Paul van Brouwershaven Business Development Director EMEA, GlobalSign
@vanbroup on Twitter
www.globalsign.com Authentication. Security. Trust.
INTERNATIONAL FOOTPRINT Customers spanning all industries
GlobalSign Solutions | Visible Trust in an online world
Server, Database & Network Security
SSL Certificates Managed SSL
Developer Solutions Code Signing
Embedded SSL
Secure Email Digital IDs for Individuals Digital IDs for Departments Managed Digital IDs
eDocument /File Security & Compliance Adobe CDS for PDF Microsoft Office Encrypting File System (EFS)
Automated SSL for Web Hosts
SSL Reseller Program OneClickSSL
PKI & Root Signing Trusted Root for CAs
Innovation | We keep improving!
More demands and requirements for SSL
Article 17 of Directive 95/46/EC of the European Parliament: Security of processing
Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
Each SSL Certificate needs its own IP
We are running out of IPv4 addresses
How much time is left?
CA IPv6 Revocation Compatibility
Can we use IPv6?
As long as you select a CA who provides revocation checks (CRL, OCSP) over IPv6. But it won’t solve your IPv4 problem!
Why should my CA do revocation over IPv6?
Why do I need a dedicated IP address?
Request on a non-secure connection
Client
• HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• HTTP Reply: Here is the content you requested.
Request on a secure connection
Client
• (TLS Handshake) Hello, I support XYZ Encryption.
Server
• (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Server Name Indication (SNI)
Client
• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.globalsign.com'.
Server
• (TLS Handshake) Hi there, here is my public certificate for www.globalsign.com, and let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
The SSL/TLS handshake
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Operating System Usage - Win XP: 24%
Internet Explorer has 30% market share
30% (Internet Explorer) of 24% (Windows XP) = 7.2% of internet users do not support Server Name Indication (SNI)
Do you want to lose 10% of your visitors?
Should I use/offer SNI for SSL sites?
• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.
• Provide SNI support for free with an SSL Certificate
− Users can decide to provide an insecure connection and a warning to visitors with an outdated system.
• Charge an additional fee for users that want to have full compatibility and thus a dedicated IP number
What are the alternative solutions?
CloudSSL: One certificate, multiple domains
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company’s details.
• Domain control is verified for each domain.
The disadvantages of CloudSSL
• No support for OV, EV
• One certificate shared by many websites
• Many hostnames are visible in the certificate
• Visitor needs to download a bigger certificate (slower)
What if we could use the best of both worlds?
90% SNI / 10% CloudSSL
SNI combined with CloudSSL
User requests website
Secure website delivered
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• Fully automated provisioning of the legacy CloudSSL Certificate
• No email verification needed
• All domain control checks performed automatically by the program.
Completely Automated Process
Thank you
Paul van Brouwershaven