SSL history

The Secure Socket Layer (SSL) certificates represent the underpinnings of trust in most web and internet transactions. Trust is the key word when it comes to SSL and HTTPS. When a website uses SSL, the communication between the browser and the server is encrypted, but to obtain an SSL certificate, you must establish a level of trust with an issuing authority.

To enable SSL, you must install a certificate on your server. Certificates are issued by a certificate authority (CA). Today, there are many certificate authorities, and it would be difficult to list them all. You should search for the best provider for your needs. I will discuss a few in this chapter. You will also learn about the different types of certificates and the additional features that CAs package them with. In the not too distant past, Network Solutions was the only authority from which available to purchase a certificate.

Not only were they the only game in town, you had to navigate lots of red tape. If they did not like your paperwork, they would reject you. It was almost impossible for individuals to buy a certificate as domain ownership needed to be tied to a registered business.

This limited availability led to high prices for annual certificates. The average blog, business, or organization never considered using SSL because of the cost. This limited SSL to sites that transferred sensitive information, such as credit card and bank account numbers, because of the original barriers.

The certificate cost was not limited to just the annual certificate cost—hosting a secure site was prohibitive. Because web technology had not evolved, SSL was limited to a single domain per IP address. This meant that sites needed to pay for a dedicated IP address and, often, a dedicated web server. $4.99-a-month shared-hosting plans were not an option if you wanted encryption.

The HTTPS story has changed since then. There are many free and low-cost certificate authorities, removing the annual cost barrier. HTTP protocol and web server technology has also advanced. Today, you can host multiple sites on the same IP address using different certificates and host headers (domains).

Server Name Indication (SNI) was added to the TLS specification in 2003 (https://en.wikipedia.org/wiki/Server_Name_Indication). This allows servers to host multiple domains on the same IP and port number using TLS. Originally, the server managed the host header name translation once the HTTP connection was established, or after the TLS handshake.

The 2003 TLS specification change has the client include the domain name as part of the TLS negotiation. Now, web servers can use their internal host header tables to determine the desired website.