We hope you enjoyed the session held by our Technology Solutions Director, Paul van Brouwershaven, at WorldHostingDays 2015 as much as we did, it’s always great to share opinions and debates with like-minded people. Unfortunately we ran out of time on the day and couldn’t answer all of the questions submitted during the talk, so I thought I’d share the answers in this post.
Reselling SSL in the Hosting Industry
Which certificate should we provide for our customers? What’s the difference?
Hosting companies usually provide the full range of SSL Certificates to bundle in with their hosting packages, from more basic entry level certificates, to Extended Validation SSL Certificates.
In addition to providing encryption and displaying the padlock as well as HTTPS, Extended Validation Certificates also show the verified identity of company behind the website, and displays the green address bar. This level of security is highly visible and particularly adapted for companies that are looking to protect their brand, increase customer confidence, and in turn, improve sales conversions.
Extended Validation Certificates
How much awareness of EV security is there in particular in the hosting and finance industry?
End user awareness of SSL security depends on a variety of factors, including age, internet habits, and industry. A recent GlobalSign survey however showed that over a third of end users, across the board, actively look for the company name in the address bar before deciding whether to trust a website. Extended Validation security therefore becomes critical for any business looking to build customer confidence.
Best Practices
Why did SSL survive for so long and the Certificate Authorities didn't force Microsoft to give up IE6?
Unfortunately Microsoft can’t control when companies upgrade their infrastructure. They extended the support for Windows XP several times, most likely for commercial reasons. Deprecating support for an Operating System doesn’t mean that users actually stop using it. Microsoft waited until they had another Operating System that was gaining some market share before they stopped supporting the one that many companies worked with.
Luckily the way software is updated nowadays is very different to a few years ago. Today installations no longer require user interaction, which should facilitate upgrades in future.
When it comes to SSL protocols, the industry has been transitioning to TLS over the past few years. However, as is often the case, outdated protocols such as SSL v3 only stop being used completely when a security flaw is discovered, which happened when the Poodle vulnerability was disclosed in December 2014. As a CA, we encourage pro-active configuration reviews to ensure only the most updated protocols are ever in use.
SSL and SNI
Isn't CloudSSL just another Multi-Domain certificate? Why is this specifically suitable for legacy SNI clients?
GlobalSign’s CloudSSL is an organisation validated certificate issued to the hosting/cloud provider, with a number of domain validated Subject Alternative names for customers’ websites. This certificate is used as “fall back” in combination with SNI for legacy systems that lack SNI support. What makes our solution so special is that we provide our partners with an application that fully automates the generation of the CloudSSL certificate. So you can still use individual certificates on each website, but still benefit from 100% compatibility!
Now it’s your turn – as a hosting company, what are your main concerns and strategies when it comes to SSL security?
