Wednesday, April 18, 2012

Microsoft is holding back the secure web

Today on Hacker News there's a story about getting round the problem that SSL can only manage one host (i.e. domain name) per IP address.  If you want more than one secure web site on a machine it's going to need one IP address per web site.  The Hacker News story is about a hack that works for one cloud provider, but doesn't address the fundamental issue.

The actual solution to this problem is called Server Name Indication (SNI), a TLS extension that lets the connecting web browser state the web site's domain name at the start of the SSL/TLS handshake, before the server has to choose which certificate to present.  It's been around in various incarnations since 2004.
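To make concrete what SNI actually puts on the wire, here is an added example that is not part of the original post: a small Python builder and parser for the TLS ClientHello. The builder constructs a minimal ClientHello record (the random bytes, cipher suites and host names are constructed test values, not a capture from any real browser), optionally carrying the server_name extension (type 0); the parser walks the record and pulls the host name back out, which is exactly what a web server or a passive monitor does to decide which certificate a connection is for. The `choose_vhost` helper is a hypothetical name for the server-side decision: a client that sends no SNI, as the post says Internet Explorer on Windows XP does not, can only ever be given the default certificate for that IP address.

```python
import struct

SNI_EXT_TYPE = 0x0000     # extension type for server_name (RFC 6066)
HOST_NAME_TYPE = 0        # NameType.host_name


def build_client_hello(server_name=None, random_bytes=b"\x00" * 32):
    """Construct a minimal TLS ClientHello record (constructed test input).
    When server_name is None the SNI extension is omitted entirely, which is
    what a non-SNI client such as IE on Windows XP sends."""
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += random_bytes                     # 32-byte random, fixed for determinism
    body += b"\x00"                          # session_id length 0
    suites = b"\xc0\x2f\x00\x9c"             # two cipher suites (arbitrary choice)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # one compression method: null
    if server_name is not None:
        name = server_name.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_data = struct.pack("!H", len(entry)) + entry       # server_name_list
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
        body += struct.pack("!H", len(ext)) + ext              # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in the ClientHello's SNI extension, or
    None if the client sent no SNI. Raises ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")
        pos = 2 + 32                                   # skip version and random
        pos += 1 + body[pos]                           # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                           # compression_methods
        if pos == len(body):
            return None                                # no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        if end > len(body):
            raise ValueError("extensions length exceeds ClientHello")
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            ext_data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != SNI_EXT_TYPE:
                continue
            list_len = struct.unpack("!H", ext_data[:2])[0]
            lpos = 2
            while lpos + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", ext_data[lpos:lpos + 3])
                lpos += 3
                name = ext_data[lpos:lpos + name_len]
                lpos += name_len
                if name_type == HOST_NAME_TYPE:
                    return name.decode("idna")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_vhost(record, vhosts, default):
    """Hypothetical server-side selection: pick the certificate/vhost named by
    SNI, or fall back to the IP's default when the client sent none."""
    name = parse_sni(record)
    if name is None:
        return default
    return vhosts.get(name, default)


if __name__ == "__main__":
    # Constructed demo: two sites share one IP; only an SNI client can reach the second.
    sites = {"shop.example.com": "cert-shop", "blog.example.com": "cert-blog"}
    print(choose_vhost(build_client_hello("blog.example.com"), sites, "cert-shop"))
    print(choose_vhost(build_client_hello(None), sites, "cert-shop"))
```

Running the script prints `cert-blog` for the SNI client and `cert-shop` for the client without SNI: the second site is unreachable without a certificate mismatch for any browser that cannot send the extension, which is the whole reason a site still has to budget one IP address per certificate for its Windows XP users.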

Currently it's supported by all the major web servers and (almost) all the major web browsers.  But there's one important platform/browser combination that's holding back its widespread use: any version of Internet Explorer running on Windows XP.

Although Windows XP is ancient history it hasn't disappeared.  In fact, far from it.  Many large corporations standardized on Windows XP long ago and will not change operating system once they have a stable desktop setup.  Here's the worldwide distribution of desktop operating systems from StatCounter:


It shows Windows XP declining but still in use by over 30% of users.  Here's how Asia, Europe, North America and South America compare.

A secure web site cannot ignore Windows XP no matter where in the world its users come from.

Microsoft has to fix this problem.  SNI could be rolled out everywhere if they were to patch Internet Explorer on Windows XP to support SNI.  Other Windows XP browsers already support SNI, just not Internet Explorer.

Enabling the free use of SNI would greatly reduce the complexity of SSL (especially for cloud providers, who could start offering SNI certificates on cloud-based IP addresses that are typically shared across users) and allow for a more secure web.

Come on, Microsoft.  Fix it.


If you enjoyed this blog post, you might enjoy my travel book for people interested in science and technology: The Geek Atlas. Signed copies of The Geek Atlas are available.

2 Comments:

Blogger Joseph said...

I'm not sure Microsoft has much incentive to do this though. Not surprisingly their push is to only support more recent versions of their operating system.

If Microsoft is unwilling to fix Windows XP to support SNI then there really is only one other option. Another big push to get everyone off of Internet Explorer. If you are using Windows XP you simply MUST, MUST! use Firefox or Chrome.

4:45 PM  
