Best way to secure (via SSL) many CMS logins on same server
I always want to improve security of course.
Up to now I have only considered an SSL necessary when they take credit card payments on the site… if they use Paypal I don't use an SSL cert. But the site will still take customer contact details and likely a username and password for account login, and the login will not be on SSL.
Ideally I would like to secure the forms and login of course.
BUT… traditionally a separate IP address is needed for every site. That's hundreds of IP addresses (if I secure the CMS admin login pages too, that's all my websites). Linode always seem reluctant to give out IP addresses when I ask, IPv4s are running out, but they do when justified.
I read about Multi Domain Certs that can use the same IP address with multiple domains… but some sites state I have to specify the domains when I order and can't add more (that's OK for old sites but I can't predict new ones coming up). And the cert lists all domains added to it; some customers may not like the association to other unrelated sites.
So I wondered what others do… is it common not to bother with SSLs for customer registration and login forms, or do people have a separate IP for ALL their sites, or do people use multi domain SSLs as common practice now?
Thanks
7 Replies
@Nuvini:
You could use SNI. Very old browsers don't support this though, so you may want to keep that in mind.
SNI looks like a good solution, but unfortunately it doesn't appear to work on Windows XP systems. From Wikipedia:
> Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).
There are still a lot of XP users, though Chrome seems to work on XP. From Wikipedia:
> XP on Chrome 6 or newer.
I guess with some browser and/or OS checks you could address this by informing site visitors.
My usual approach, for what it's worth: one IPv4 address with SNI for multi-host HTTPS, but a distinct IPv6 address for each host. Since XP does support IPv6, this is the legacy support built into my "SNI, IPv6, or GTFO" policy.
The other options are multiple IPs, which are a pain since you have to reboot for each IP. Or SAN certificates which are expensive (and are what people like Cloudflare use).
The fact that IPv4 addresses are getting harder to get hold of is an unresolved issue.
(Insert rant about SSL CA's being snake oil merchants here)
> SNI is not a practical option for anything commercial.
Why not beyond the Windows XP/Android 2.x issues?
@sednet:
As far as I'm aware a separate IP address with a separate SSL cert is still standard practice for sites that require SSL. SNI is not a practical option for anything commercial.
But it looks like SNI would be a viable solution for what amityweb is trying to accomplish: a secure connection for logins and web form submissions.