
SSL certificates for CDNs are just a tough problem because there's no cheap/easy way to have one certificate that corresponds to a bunch of different IP addresses (that works on Windows XP).



It's not an issue with multiple IP addresses, but rather with being able to host multiple SSL-enabled domains on a single IP (which is what CDNs need to do). That is where SNI[1] comes in, along with all of its compatibility issues with older network stacks.

[1] http://en.wikipedia.org/wiki/Server_Name_Indication
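To make the mechanism in the comment above concrete: the server only learns which hostname the client wants from the `server_name` extension in the ClientHello, and it must pick a certificate before the handshake can continue. The following is an added example, not code from the commenter or from any CDN: it builds a minimal ClientHello, extracts the SNI from it, and shows how a single-IP edge would choose among several certificates, falling back to one default when a legacy client sends no SNI at all. The hostnames, certificate labels and the fixed random field are constructed values for the example.

```python
import struct

def _u16(buf, pos):
    """Read a big-endian uint16 at pos, raising ValueError on truncation."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLS message")
    return struct.unpack("!H", buf[pos:pos + 2])[0]

def build_client_hello(hostname=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test data).
    With hostname=None no server_name extension is sent, which is what a
    legacy, non-SNI client such as IE on Windows XP does."""
    client_version = b"\x03\x03"
    random = b"\x00" * 32                   # fixed for reproducibility
    session_id = b"\x00"                    # zero-length session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"   # one suite, length-prefixed
    compression = b"\x01\x00"               # one method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        server_name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = client_version + random + session_id + cipher_suites + compression
    if extensions:                          # extensions block is omitted entirely if empty
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Return the host_name carried in the ClientHello's server_name extension,
    or None if the client sent no SNI."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                            # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                    # session_id
    pos += 2 + _u16(body, pos)              # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                    # compression_methods
    if pos >= len(body):
        return None                         # no extensions block at all
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        # server_name_list: 2-byte length, then (name_type, 2-byte len, name) entries
        list_end = 2 + _u16(data, 0)
        p = 2
        while p + 3 <= list_end:
            name_type, name_len = data[p], _u16(data, p + 1)
            p += 3
            if name_type == 0:
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None

DEFAULT_CERT = "cdn-shared.example.net"    # constructed label for the edge's fallback cert

def select_certificate(record, cert_table, default=DEFAULT_CERT):
    """Decide which certificate a single-IP edge presents. Without SNI there is
    no name to key on, so every non-SNI client gets the same default cert,
    which is why multi-tenant HTTPS on one IP breaks for those clients."""
    name = extract_sni(record)
    if name is None:
        return default
    return cert_table.get(name, default)

if __name__ == "__main__":
    table = {"www.example.com": "cert-a", "static.example.org": "cert-b"}
    print(select_certificate(build_client_hello("static.example.org"), table))
    print(select_certificate(build_client_hello(), table))   # legacy client, no SNI
```

The same parser is what a passive monitor would use to log requested hostnames from the first packet of a TLS flow, since the SNI travels in the clear; on the server side, the fallback branch is exactly the behaviour operators have to plan for when deciding whether they can rely on SNI for a given client population.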


So IPv6 would not be an issue then, I guess, every client could have an IP on each edge node...


Yes, that is a possibility. SNI will also become a more realistic option as older devices get retired. I've implemented several sites with SNI, and as long as you're aware of what devices/browsers/OSes will be connecting to your site (and their SNI support), things work great.


So why is it so expensive?


Why is it so expensive to add SSL with a custom domain to Amazon CloudFront? Because Amazon actually needs to acquire hundreds of individual certificates on your behalf and distribute them to its edge servers.


No they don't, you provide them with a single cert and they use that on every edge node.


SSL requires additional CPU resources, and is often coupled with hardware acceleration. All of this equates to higher hosting costs.


What is what so expensive?



