Posts Tagged 'SSL'

April 4, 2012

Sharing a Heavy Load - New Load Balancer Options

I always think of Ford, Chevy and Toyota pick-up truck commercials when I think of load balancers. The selling points for trucks invariably boil down to performance, towing capacity and torque, and I've noticed that users evaluating IT network load balancers have a similar simplified focus.

The focus is always on high performance, scalability, failover protection and network optimization. When it comes to "performance," users are looking for reliable load balancing techniques — whether it be round robin, least connections, shortest response or persistent IP. Take one of the truck commercials and replace "towing capacity" with "connections per second" and "torque" with "application acceleration" or "SSL offloading," and you've got yourself one heck of a load balancer sales pitch.

SoftLayer's goal has always been to offer a variety of local and global load balancing options, and today, I get to announce that we're broadening that portfolio.

So what's new?

We've added the capability of SSL offloading to our shared load balancers and launched a dedicated load balancer option as well. These new additions to the product portfolio continue our efforts to make life easier on our customers as they build their own fully operational virtual data center.

What's so great about SSL offloading? It accelerates the processing of SSL-encrypted websites and makes it easier to manage SSL certificates. Think of this as adding more torque to your environment, speeding up how quickly traffic can be decrypted (coming in) and encrypted (heading out).

Up until now, SoftLayer has offered SSL at the server level. This requires multiple SSL certificates for each server or special certs that can be used on multiple servers. With SSL offloading, incoming traffic is decrypted at the load balancer, rather than at the server level, and the load balancer also encrypts outbound traffic. This means traffic is processed in one place — at the load balancer — rather than at multiple server locations sitting behind the load balancer.

With SoftLayer SSL offloading on shared load balancers, customers can start small with few connections and grow on the fly by adding more connections or moving to a dedicated load balancer. This makes it a breeze to deploy, manage, upgrade and scale.

What do the new load balancer offerings look like in the product catalog? Here's a breakdown:

Shared Load Balancing
    250 Connections with SSL: $99.99
    500 Connections with SSL: $199.99
    1000 Connections with SSL: $399.99

Dedicated Load Balancer
    Standard with SSL: $999.00

I'm not sure if load balancing conjures up the same images for you of hauling freight or working on a construction site, but however you think about them, load balancers play an integral part in optimizing IT workloads and network performance ... They're doing the heavy lifting to help get the job done. If you're looking for a dedicated or shared load balancer solution, you know who to call.

-Matt

June 19, 2009

Self Signed SSL

A customer called up the other day, concerned after getting a dire-looking warning in Firefox 3 regarding a self-signed SSL certificate.

"The certificate is not trusted because it is self signed."

In that case, she was connecting to her Plesk Control Panel and she wondered if it was safe. I figured the explanation might make for a worthwhile blog entry, so here goes.

When you connect to an HTTPS website, your browser and the server exchange certificate information which allows them to encrypt the communication session. The certificates can be signed in two ways: by a certificate authority (CA), or by their own key, which is known as self-signed. Either kind is just as good from an encryption point of view. Keys are exchanged and data gets encrypted.

So if they are equally good from an encryption point of view, why would someone pay for a CA-signed certificate? The answer to that comes from the second function of an SSL cert: identity.

A CA-signed cert is considered superior because someone (the CA) has said, "Yes, the people to whom we've sold this cert have convinced us they are who they say they are." This convincing is sometimes little more than presenting some money to the CA. What makes the browser trust a given CA? That would be its configured store of trusted root certificates. For example, in Firefox 3, if you go to Options > Advanced > Encryption and select View Certificates, you can see the pre-installed trusted certificates under the Authorities tab. Provided a certificate has a chain of signatures leading back to one of these Authorities, Firefox will accept that it is legitimately signed.

To make the browser completely happy, a certificate has to pass the following tests:

1) Valid signature
2) The Common Name needs to match the hostname you're trying to hit
3) The certificate has to be within its valid time period

A self-signed cert can match all of those criteria, provided you configure the browser to accept it as an Authority certificate.
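
The three tests can be reproduced outside the browser with the openssl command line. The script below is an added example, not part of the original post: it creates a throwaway self-signed certificate and runs the same checks with and without the certificate configured as a trusted authority. The hostnames and the `check` helper are constructed for illustration.

```sh
#!/bin/sh
# Added example: run the three browser tests against a throwaway
# self-signed certificate with the openssl CLI.
HOST=plesk.example.test               # constructed hostname
WORK=$(mktemp -d)
CERT=$WORK/cert.pem
trap 'rm -rf "$WORK"' EXIT

make_cert() {
    # Self-signed certificate, Common Name = $HOST, valid 30 days from now.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$HOST" -keyout "$WORK/key.pem" -out "$CERT" 2>/dev/null
}

# check <hostname> [extra "openssl verify" options...]
# Prints "pass" only if the signature chains to a trusted authority,
# the name matches and the current (or given) time is in the validity
# period. OpenSSL falls back to the Common Name when the certificate
# carries no subjectAltName, which is the case here.
check() {
    name=$1; shift
    if openssl verify -verify_hostname "$name" "$@" "$CERT" >/dev/null 2>&1
    then echo pass
    else echo fail
    fi
}

make_cert
later=$(( $(date +%s) + 60 * 86400 ))   # 60 days from now, past expiry

# Not in any trust store: the signature test fails, as in the warning.
echo "untrusted self-signed: $(check "$HOST")"
# Same certificate configured as an authority: all three tests pass.
echo "trusted as authority:  $(check "$HOST" -CAfile "$CERT")"
# Trusted, but presented for a different hostname: name test fails.
echo "wrong hostname:        $(check other.example.test -CAfile "$CERT")"
# Trusted and name matches, but evaluated after the validity period.
echo "after expiry:          $(check "$HOST" -CAfile "$CERT" -attime "$later")"
```

Only the second case prints `pass`. Trusting the certificate removes the signature failure, but a name mismatch or an expired certificate still fails on its own.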

Back to the original question... is it safe to work with a certificate which your browser has flagged as problematic? The answer is yes, if the problem is expected, such as hitting the self-signed cert on a new Plesk installation. Where you should be concerned is if a certificate that SHOULD be good, such as your bank's, is causing the browser to complain. In that case, further investigation is definitely warranted. It could be just a glitch or misconfiguration. It could also be someone trying to impersonate the target site.

Until next time... go forth and encrypt everything!
