GlobalSign today addressed the exhaustion of IPv4 addresses at WHD.India 2013 and how it is adversely affecting the web hosting providers, who have to bear the exorbitant costs of managing individual IP addresses.
Mr. Paul van Brouwershaven, Business Development Director EMEA, GlobalSign, discussed how the need for the adoption of SSL security is on a steep rise with organizations like Facebook making it mandatory for website owners to have an SSL certificate on their website if they want to link it to Facebook or develop a Facebook application. Since each SSL certificate traditionally needs its own IP address, this creates a number of challenges.
“With IPv4 addresses exhausting fast, IPv6 can be a solution. GlobalSign is the only one in the CA industry who supports IPv6. There are some other CAs who’ve IPv6 DNS or a host somewhere that responds on IPv6, but not the complete package. GlobalSign is the only one that supports full IPv6 revocation checks,” said Mr. Paul.
“While we’re IPv6 compatible and can help those who want to host their website on IPv6, it doesn’t solve the problem. There are only 2% of the Internet users who can do revocation checks over IPv6 because there are not many ISPs that are providing IPv6. So the remaining 98% can’t visit a website on a secure connection that has an SSL certificate installed on an IPv6,” he added.
Mr. Paul then explained why each SSL Certificate traditionally needs its own dedicated IP address.
A connection from a browser to a server is made to an IP address, not to a domain name. So when a browser connects to an IP address, the server does not yet know which website is being requested. That information is carried in the “Host” header, which the browser sends to the server over the established connection. And here lies the problem: when an SSL Certificate is in use, everything exchanged between the server and the browser is encrypted so that it cannot be read by third parties, and that includes the “Host” header which normally tells the server which website the connection is for.
Decrypting the data before the web server looks at the “Host” header does not solve the problem either, because each site has its own SSL Certificate and the exchanged data can only be decrypted with the key belonging to that certificate. So if multiple websites are hosted on a single IP address, the server does not know which certificate to use to decrypt the request in the first place.
Server Name Indication (SNI) does solve the problem effectively: it is an extension to the TLS protocol that adds the hostname of the website to the initial handshake from the browser to the server, in cleartext, before encryption begins, so the server knows which SSL Certificate to use. However, SNI is not supported on Windows XP with Internet Explorer, Blackberry, Android 2.x and others, which renders it unusable for about 10% of Internet users.
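To make the mechanism concrete, the following added example (written for this article, not code from GlobalSign or from the talk) builds a minimal TLS 1.2 ClientHello with and without the RFC 6066 server_name extension, parses the hostname back out of the raw handshake bytes, and shows the decision a server on a shared IP address has to make: with SNI present it can pick the matching certificate, and for a client that sends no SNI it can only fall back to one default certificate for that IP, which is exactly the gap described above. The cipher suite values, the hostnames and the certificate labels are constructed sample data.

```python
import os
import struct

SNI_EXT_TYPE = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record.

    If hostname is given, a server_name extension is included, as an
    SNI-capable browser would do. With hostname=None the hello mimics a
    pre-SNI client (e.g. Internet Explorer on Windows XP)."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += os.urandom(32)                   # random
    body += b"\x00"                          # session_id: empty
    cipher_suites = b"\xc0\x2f\x00\x9c"      # two constructed sample suites
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                      # compression_methods: null only
    extensions = b""
    if hostname is not None:
        name = hostname.encode("idna")
        # ServerNameList with one entry: name_type 0 (host_name) + length + name
        server_name_list = b"\x00" + struct.pack("!H", len(name)) + name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(ext_data)) + ext_data
    body += struct.pack("!H", len(extensions)) + extensions
    # Handshake header: msg_type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: content_type 22 (handshake), legacy version 3.1, length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the ClientHello's server_name
    extension, or None when the client sent no SNI. Note that this works on
    the plaintext handshake: SNI is visible before any encryption starts."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                          # handshake header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = hs[pos]
    pos += 1 + cm_len
    if pos >= len(hs):
        return None                           # no extensions block at all
    ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        ext_data = hs[pos:pos + ext_len]
        pos += ext_len
        if ext_type == SNI_EXT_TYPE:
            list_len = struct.unpack("!H", ext_data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext_data[p]
                name_len = struct.unpack("!H", ext_data[p + 1:p + 3])[0]
                name = ext_data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:            # host_name
                    return name.decode("idna")
    return None


def select_certificate(record, certs_by_host, default_cert):
    """Model the server's choice on a shared IP: with SNI the matching
    certificate is chosen; without SNI only the per-IP default can be used."""
    host = parse_sni(record)
    if host is None:
        return default_cert
    return certs_by_host.get(host, default_cert)


if __name__ == "__main__":
    certs = {"shop.example.com": "cert-shop", "blog.example.com": "cert-blog"}
    sni_hello = build_client_hello("blog.example.com")
    legacy_hello = build_client_hello(None)
    print("SNI client   ->", select_certificate(sni_hello, certs, "cert-default"))
    print("legacy client->", select_certificate(legacy_hello, certs, "cert-default"))
```

The second print line is the whole point of the article's problem statement: a client without SNI gets whichever certificate is bound to the IP, and unless that certificate happens to cover the requested hostname the browser will warn. That is the case the multi-domain fallback certificate described below is meant to cover.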
CloudSSL, which provides one SSL Certificate for multiple domain names from different organizations, is also not an effective solution on its own because it does not support Organization Validation or Extended Validation. Another major disadvantage is that, since one certificate is shared by many websites, all of those hostnames are visible in the certificate, something not many hosters would like. A CloudSSL certificate is also large and therefore takes longer to download.
GlobalSign, said Mr. Paul, has a solution to this problem: it combines SNI with CloudSSL, providing the best of both worlds.
GlobalSign has developed an application that automatically requests and validates a second certificate whenever an SSL Certificate for a specific website is installed, replaced or removed on the same IP address. The application can be installed on the server as well as on a load balancer.
This method first installs a Domain Validated, Organization Validated or Extended Validated SSL Certificate on each site, which SNI-capable clients receive, and then adds a second, multi-domain SSL Certificate valid for all SSL-secured domains on that same IP address, said Mr. Paul.
This effectively enables hosting of multiple secure websites on a single IP address while also solving the compatibility problem for the 10% of systems that do not support SNI, added Mr. Paul, wrapping up the session.