Securing Websites Economically


With a world-wide recession looming around the corner, budget-conscious web site operators will look for ways to save resources wherever they can. Securing and serving multiple web sites from the same server has always required a digital certificate and a dedicated IP address [1] for every site and domain. Needless to say, this can add to the yearly expenditures quite a bit [2].

Enter SNI:

Server Name Indication (SNI) [3] lets the client announce the host name it wants early, as part of the TLS handshake, before any certificate is chosen. This in turn allows serving multiple SSL-secured hosts from the same IP address. Add to this the ability to include multiple domain names within the same digital SSL certificate and you’ve got big savings! This may be especially convenient for private operators who run their own server over a home broadband connection and are usually limited to a single IP address. But corporate and hosting providers also struggle with the cost of a limited resource (IP addresses) on top of the cost of the digital certificates.

So what’s wrong?

Unfortunately the most popular web server on the Internet, Apache, which serves roughly 45% of all secured hosts, doesn’t support SNI officially. Due to some wrangling and finger-pointing, this important feature is only planned for a future release, most likely version 2.4. And this means that it might take some time still… Having witnessed the arguments and accusations of those responsible, which effectively prevent a perfectly working solution to this problem from shipping, I decided to do some good. Interestingly, on the browser front SNI is better supported than I initially thought. Those that do support it include Firefox 2 and higher, Opera 7.6 and higher, KDE 3.5 and higher and IE7 on Vista (IE on Windows XP does not, since it relies on the operating system’s TLS stack there; a client that sends no name is simply handed the certificate of the server’s default virtual host).

The solution:

And here it comes… it has been a long-known little secret that every netizen can receive a perfectly valid and free digital SSL certificate from StartCom, but not many know that the higher-validated Class 2 certificates provide incredible value too. Class 2 allows not only wildcards (for example *.domain.com), but also multiple domains and their sub-domains to be included within the same certificate. That’s a lot of return value for the investment… :-) One thing to keep in mind when consolidating sites onto a single certificate: a wildcard entry covers exactly one label, so *.domain.com covers www.domain.com but neither domain.com itself nor a.b.domain.com; those have to be listed as separate names.
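Before moving several sites onto one multi-domain certificate it is worth checking which of the planned host names the certificate’s subjectAltName list actually covers. The following is an added example written for this post, not code from StartCom or from the original article; the SAN list is constructed for illustration (two names come from the test case described below, the wildcard and the bare domain are assumptions) and the matching follows the RFC 2818 / RFC 6125 wildcard rules that browsers apply:

```python
"""Check which host names a single multi-domain / wildcard certificate covers.

Added example, not code from the original post or from StartCom. SAN_DNS_NAMES
is a constructed list, not the content of any real certificate.
"""

# Constructed dNSName entries as they might appear in one certificate's
# subjectAltName extension. The wildcard and bare domain are assumptions.
SAN_DNS_NAMES = [
    "mirror.startcom.org",
    "vhost.better-trust.com",
    "*.startssl.eu",        # wildcard: covers exactly one label
    "startssl.eu",          # the bare domain must be listed separately
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName against a host name using browser rules:

    * comparison is case-insensitive (trailing dots ignored),
    * '*' is only honoured as the whole left-most label,
    * the wildcard covers exactly one label, so '*.startssl.eu' does not
      cover 'startssl.eu' or 'a.b.startssl.eu',
    * a wildcard directly under a TLD such as '*.com' is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def certificate_covers(hostname: str, san_names=SAN_DNS_NAMES) -> bool:
    """True if any dNSName in the certificate matches the host name."""
    return any(dns_name_matches(name, hostname) for name in san_names)


def uncovered_hosts(hostnames, san_names=SAN_DNS_NAMES):
    """Return the hosts from a planned vhost list that the certificate would
    NOT cover; run this before consolidating sites onto one certificate."""
    return [h for h in hostnames if not certificate_covers(h, san_names)]


if __name__ == "__main__":
    planned = ["mirror.startcom.org", "vhost.startssl.eu", "www.startssl.eu",
               "startssl.eu", "deep.sub.startssl.eu", "vhost.startssl.us"]
    print("not covered:", uncovered_hosts(planned))
```

Any name reported by `uncovered_hosts` would produce a certificate warning in the browser even though the server happily serves the site, so it has to be added to the certificate (or given its own) before the vhost goes live.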

But that’s not all. Since we happen to be the producer of a Linux operating system, I decided to provide a patched [4] version of the popular Apache web server with SNI support. StartCom Linux is a RHEL-compatible clone and the SNI-related packages should be usable on any compatible system. StartCom Linux is freely available from the download mirrors and the SNI-enabled packages are distributed at this location. Here is the test case of the complete solution:

All secured hosts are served from the same IP address (69.77.167.35). The operating system is StartCom Enterprise Linux AS-5.0.2. The web server is Apache/2.2.3 (StartCom) with SNI support. The DNS entries included in the SAN extension of the digital certificate are, amongst others, mirror.startcom.org, vhost.better-trust.com, vhost.startssl.eu and vhost.startssl.us.

Just in case you have been thinking about getting a new dedicated server to tinker with during the holiday season, allow me to recommend SevenL Networks, a true supporter of open source software. They have been generously sponsoring a dedicated server for us and we promptly set up another mirror on the system. The above test case is also served by the system provided by SevenL. If you ask them nicely I’m certain they’ll set up a StartCom box for you; just tell them that Eddy sent you over ;-)

[1] Regular, unsecured sites can be served from one and the same IP address because the server knows up front which site to serve from the Host request header the client (browser) sends. For SSL-secured sites, however, the same headers can only be exchanged after the initial handshake between client and server is complete, and the server must already present a certificate during that handshake. This limitation requires each site to be served from its own IP address in order for the server to know which site, and ultimately which certificate, to use. Therefore every to-be-secured web site and its domain required a separate digital certificate and a dedicated IP.

[2] Assuming that a dedicated IP address from an ISP and/or hosting provider costs about US$ 5-10 per month and a wildcard certificate another few hundred, the cost per SSL-secured site probably comes to a hundred dollars a year and higher.

[3] RFC 4366 describes an optional extension to the TLS ClientHello called “Server Name Indication” (SNI). With it the client includes a list of server names (usually one) that it is trying to contact. Apache can then match the name supplied by the client against a ServerName (or ServerAlias) directive in its configuration files; a client that sends no name gets the first virtual host configured for that address and port.
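What the extension looks like on the wire, and how a server turns it into a virtual-host choice, is shown by the following added example (written for this post; it is not code from the original article, from the Apache patch or from StartCom). It has OpenSSL produce a genuine ClientHello in memory, without any network connection, pulls the server_name extension out of it, and then selects a vhost the way Apache matches ServerName and ServerAlias, falling back to the first vhost for clients that send no name. The vhost table is constructed from the host names of the test case above; the `*.startssl.us` alias and the vhost order are assumptions, not a description of the author’s configuration.

```python
"""Extract the Server Name Indication from a TLS ClientHello and pick the
matching virtual host the way Apache does with ServerName / ServerAlias.

Added example, not code from the original post, the Apache SNI patch or
StartCom. VHOSTS is a constructed configuration; the "*.startssl.us" alias
and the ordering are assumptions.
"""
import fnmatch
import ssl
import struct

# (ServerName, [ServerAlias ...]) in configuration order. Apache hands the
# FIRST vhost on an address:port to any client that sends no matching name.
VHOSTS = [
    ("mirror.startcom.org", []),
    ("vhost.better-trust.com", ["better-trust.com"]),
    ("vhost.startssl.eu", ["*.startssl.us"]),   # assumed wildcard alias
]

SNI_EXTENSION_TYPE = 0      # RFC 4366 / RFC 6066: server_name
SNI_NAME_TYPE_HOST = 0      # NameType host_name


def client_hello_for(server_hostname):
    """Produce the bytes a real OpenSSL client sends first. No socket is
    involved: the handshake runs against in-memory BIOs and stops as soon as
    the ClientHello has been written (the server side never answers)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # an SNI-less hello has no name to verify
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=server_hostname)
    try:
        sslobj.do_handshake()
    except ssl.SSLWantReadError:
        pass                        # expected: OpenSSL now waits for a ServerHello
    return outgoing.read()


def extract_sni(record):
    """Return the host_name carried in the ClientHello's server_name
    extension, or None if the client sent none (e.g. IE on Windows XP).
    Raises ValueError if the bytes are not a TLS ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType handshake
        raise ValueError("not a TLS handshake record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not body or body[0] != 0x01:                    # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                  # handshake header, client_version, random
    pos += 1 + body[pos]              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]              # compression_methods
    if pos >= len(body):
        return None                   # old-style hello without extensions
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: 2-byte list length, then (type, 2-byte length, name)
        p, list_end = 2, 2 + struct.unpack("!H", data[:2])[0]
        while p + 3 <= list_end:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == SNI_NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


def select_vhost(sni, vhosts=VHOSTS):
    """Apache's rule for name-based SSL vhosts: match the SNI host name
    case-insensitively against ServerName and ServerAlias (which may contain
    shell-style wildcards) and fall back to the first vhost when nothing
    matches or no SNI was sent. That first vhost's certificate is what
    non-SNI browsers see, so put the most important site first."""
    if sni:
        wanted = sni.lower()
        for server_name, aliases in vhosts:
            if any(fnmatch.fnmatchcase(wanted, a.lower()) for a in (server_name, *aliases)):
                return server_name
    return vhosts[0][0]


def served_host(server_hostname, vhosts=VHOSTS):
    """End to end: which vhost a client asking for server_hostname is served."""
    return select_vhost(extract_sni(client_hello_for(server_hostname)), vhosts)


if __name__ == "__main__":
    for name in ("vhost.startssl.eu", "www.startssl.us", "unknown.example", None):
        print(name, "->", served_host(name))
```

The `None` case is the one that matters operationally: a client without SNI lands on the first vhost, so with several SSL vhosts on one IP the first one should carry the multi-domain certificate, otherwise older browsers will get a name-mismatch warning for every other site.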

[4] The patch was provided by Kaspar Brand. Well done!

Reader Comments

My personal experience is that lighttpd is not only faster, but also easier to set up, and they claim to support SNI out of the box with simple conditionals in the config.

Yes, I haven’t had too many chances to check out lighttpd more closely but it’s certainly on my plate to do that soon.

I found this post recently which provides binaries for Apache on Windows.