SSLor TLS is *the* security protocol to encrypt in particular HTTPtraffic. We all know it, love it, and then ignore various pop-ups telling us that in ever so cryptic ways that someone is playing a man in the middle attack on us.
I don't want to go over the basics here, but just talk about various tricks and issues that I see sometimes left out.
What about different certificate Classes
SSL plays two important roles:It encrypts traffic AND it verifies that you are connected to the correct server. Your browser knows that it connects to the correct server because the server presents a certificate that includes its host name, among other information, and is signed by a trusted certificate authorities.
Certificate authorities vary in how they validate the information in the certificate, and what information is actually validated:
Domain: This is the simplest (and cheapest) type of certificate. All it verifies is that the host name. Usually, you can get these certificates in a few minutes as long as your e-mail address is listed in the domain's whois record. For example, if you own the domain name bigbank.com, you can get a certificate for it, no mater if you are affiliated with a company called bigbank or not.
Organization:This is the next class of certificates, sometimes called Class 2 certificates. In this case, the certificate authority verifies that you are associated with the respective organization that owns the domain name. You typically need to fax in a copy of a photo id, a business license or other paperwork. Now, the name of the business is validated by the certificate as well.
EV (Extended Validation) Certificates: This type of certificate is the most expensive to get, and requires additional paper work and validation. The goal is to better validate the business name the certificate is used for. As a reward, many browsers will display the business name, not just the host name, as part of the URLbar. Banks frequently use this type of certificate.
I need a certificate that covers multiple host names
No problem. You got two options:
Wildcard certificates are used for a domain, and they will work for all hostnames in that particular domain (e.g. *.example.com)
Multiple Domain Name Certificates can list various host names from different domain. For example, we use one for isc.sans.edu that covers some of the old host names we used like incidents.org and isc.sans.org.
I am using NameVirtualHosting (1 IP = Multiple Hostnames)
Now this is a tricky issue. If you use SSL, the entire HTTPstream, including headers, is encrypted, In order to figure out which key to use to decrypt it, the server needs to know the host name, which is encrypted... classic catch 22. As a result, you can not use multiple SSLcertificates on the same IP address unless each server listens on a different port. However, modern browsers have a solution referred to as SNI (Server Name Indication, see RFC 4366) . With server name indication, the host name is sent in the clear as part of the client establishing the SSLconnection (the SSL Client Hello message). Now the server knows what host name you are trying to connect to, and can use the right key.
Sadly, Windows XP DOES-)
In order to support SNI, you also need a recent version of openssl and Apache on the server. In cases where I can't update openssl and apache, I had good luck using nginx as a proxy (it supports SNI). Microsoft IIS will not support SNIlast time I checked.
HTTP Strict Transport Security
This is a new features, introduced in Firefox 4. Other browsers start picking it up as well. The feature is intended to tell a browser to only use HTTPS, not HTTP, to connect to a particular host. It protects against attacks that try to redirect the user to an HTTP includeSubDomains
The max-age will tell the browser for how many seconds it should remember this setting. The optional includeSubdomains parameter will extend this preference to any subdomains.
Couple Links related to SSL:
https://www.ssllabs.com/ - great site to check if SSL is configured correctly (make sure to check the Do not show the results on the boards checkbox)
http://hacks.mozilla.org/2010/08/firefox-4-http-strict-transport-security-force-https/ - details about HSTS
http://www.ietf.org/rfc/rfc4366.txt - RFC for SNI
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.