TLS (SSL)


Overview

TLS: Transport Layer Security
SSL: Secure Socket Layer
TLS ensures the privacy and data integrity of traffic between two communicating points across a network. Originally known as SSL, TLS is not only important when transferring sensitive data (such as personal or payment information) but also for websites/applications in general. Google has also announced that fully HTTPS websites/applications will have SEO priority.
For more information see: https://en.wikipedia.org/wiki/Transport_Layer_Security

SSL and CDN

When considering SSL and the CDN, please be aware that having an SSL certificate installed only on the hosting server, or only on the CDN, does not qualify as an end-to-end HTTPS secure website/application: one of the two legs of the connection would still be unencrypted.

Best Practice
Always remember to have an SSL certificate installed on the Hosting Server and on the CDN. This will ensure a complete end-to-end secure connection. The connection should always be looked at as two separate legs, each of which needs its own certificate:

  • End user -> CDN
  • CDN -> Origin (Hosting Server)

Also, make sure you are always using the latest TLS version (currently TLS v1.2) and that the certificate in use is served with ciphers that are up to date and supported by all web browsers. Details and links to these versions and ciphers are given below.

Versions and Ciphers

The most up to date TLS version is TLS v1.2. Version 1.3 is currently in a draft state.
Please see the following webpage regarding Cipher Suites: https://www.openssl.org/docs/manmaster/man1/ciphers.html

Best Practice
It is important to note that the SSL certificate on its own is not enough to set up the protocol fully: the server also needs the matching private key to prove ownership, and the chain so that browsers can build a trust path to a Root CA. Always ensure the following are provided to the CDN team and/or the SSL vendor.

  • SSL Certificate
  • Private Key (with or without a password) – dependent on use case
  • Chain – combination of the Root CA and Intermediate Chain

SNI – Server Name Indication

SNI is an extension to TLS, so it can only be used and treated as an add-on to the protocol. It allows multiple certificates to be served from the same IP address, because the client sends the host name it wants in the ClientHello and the server picks the matching certificate. Please review the 2 models below. Diagram 7 shows that, for each website, a separate hosting server is required to have its own SSL certificate specific to that website; however, Diagram 8 shows that a single hosting server can have as many SSL certificates installed as it needs. This is the beauty of SNI.

Standard SSL Model
Diagram 7: Standard SSL Model

SSL with SNI Model
Diagram 8: SSL with SNI Model

Best Practice
When using a CDN, SNI is one of the most useful features. You may find with most CDN vendors that charges apply for 3 separate SSL options:

  • SSL on MDC (an SSL domain on a CDN shared cert)
  • Wildcard domain on MDC
  • Private SSL (you can provide your own certificate – usually the most expensive)

Now, with the addition of SNI, CDN vendors do not need to allocate specific IP addresses for each of your certificates across their network. SNI not only allows CDN vendors to free up thousands of IPv4 addresses but also enables a cheaper, longer-term solution for clients.

Wherever possible, take advantage of your CDN vendor's SNI feature. It also ties in nicely with complete self-implementation of new websites/applications on the CDN.
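As an added example (not part of this page or any CDN vendor's code), the following Python shows what SNI actually is on the wire: a parser that pulls the legacy version, the offered cipher suites and the server_name extension out of a raw TLS ClientHello record. The builder, the host name and the cipher suite list are constructed test data so the script runs offline; pointed at a real captured ClientHello it tells you which host name a client asked for and which suites it offered.

```python
import struct

def build_client_hello(hostname, cipher_suites, version=0x0303):
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input only)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", version) + b"\x00" * 32             # legacy_version + 32-byte random
            + b"\x00"                                              # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                          # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return legacy_version, offered cipher suites and SNI host name from a raw ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9                                                        # record header (5) + handshake header (4)
    version = struct.unpack_from("!H", data, pos)[0]
    pos += 2 + 32                                                  # legacy_version + random
    pos += 1 + data[pos]                                           # session id
    n = struct.unpack_from("!H", data, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", data, pos + i)[0] for i in range(0, n, 2)]
    pos += n
    pos += 1 + data[pos]                                           # compression methods
    sni = None
    if pos + 2 <= len(data):                                       # extensions block is optional
        ext_len = struct.unpack_from("!H", data, pos)[0]
        pos += 2
        end = min(pos + ext_len, len(data))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", data, pos)
            pos += 4
            if etype == 0:                                         # server_name: list len (2), name_type (1), name len (2)
                name_len = struct.unpack_from("!H", data, pos + 3)[0]
                sni = data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version, "cipher_suites": suites, "sni": sni}

if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0x1301, 0xC02F, 0x000A])  # constructed sample
    print(parse_client_hello(hello))
```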