If you are a cloud provider, the deployment of SSL security is bound to have come up in discussion. The industry is moving towards encryption by default, and the larger your client base, the more certificates you will need to deploy to meet customer demand. So with a limited number of IP addresses and performance considerations, what is the best way to provide security by default?
Why should I worry about SSL?
It might be stating the obvious, but when SSL isn’t your core business, this is a fair question. So if you are still in doubt, here are a few facts that might help make your mind up:
Online threats are at an all-time high: 100% of consumers have been, or know, a cybercrime victim*
Browsers now flag unsecured websites
Initiatives such as Always On SSL and HTTPS Everywhere are multiplying
SSL helps website SEO
SSL usage worldwide has increased by 63% over the last three years**
IN SHORT: SSL is no longer nice to have, it is a must-have. You need to protect your customers, as well as your infrastructure. The likelihood is that your competitors have already jumped on the SSL bandwagon and are providing security as an added value, so you simply need to find the right solution to follow suit.
Are IP restrictions a dealbreaker?
Now on to the great news: not at all. While historically IP restrictions were indeed a problem, they don't prevent you from implementing SSL by default today.
Traditionally, each SSL Certificate required a dedicated IP address, which created a number of difficulties for cloud environments. Server Name Indication (SNI) technology, which we covered in more detail in previous blogs, solves this problem. Because the hostname of the server is included in the SSL handshake, every website can have its own individual SSL Certificate (with any authentication level).
Multi-domain cloud certificates are also a great enabler for deploying high volumes of SSL Certificates. Customer domains can be added or removed dynamically, which fits the on-demand nature of cloud environments, with the benefit of full compatibility for the remaining legacy users that lack SNI support.
IN SHORT: These solutions, used independently or in combination, mean that you can now host certificates for thousands of customers without needing to worry about dedicated IP addresses or backwards compatibility. Talk to your CA about the best setup for your infrastructure and customer base.
How will SSL affect CDN performance?
SSL loading speeds are a significant concern, especially for CDN providers. In the world of optimally performing websites, every millisecond counts.
This is no longer a problem. With HTTP/2 and SPDY, websites over a secure connection can be loaded much faster than websites without SSL, as requests can be multiplexed across a single connection.
Choosing your SSL provider carefully can also make a difference. Every time a visitor connects to a website with SSL, the browser requests the validity status of the certificate from its issuing CA. Make sure your CA utilises a high-performing infrastructure for delivering certificate statuses and/or work with them to enable OCSP Stapling.
IN SHORT: Talk to your CA about ways to optimize SSL performance. With the advances in technology, there is really no longer a need to trade off security for performance.
* CA Security Council survey, https://casecurity.org/wp-content/uploads/2015/04/CASC-Consumer-Survey-Report-2015.pdf