Linode Forum
Posted: Sat Oct 12, 2013 7:59 am
Joined: Thu Jul 12, 2012 3:55 pm
Posts: 133
Website: http://www.amitywebsolutions.co.uk
I host many, many websites and have several servers. Probably much the same as most web development agencies out there.

I always want to improve security of course.

Up to now I have only considered an SSL cert necessary when they take credit card payments on the site... if they use PayPal I don't use an SSL cert. But the site will still take customer contact details and likely a username and password for account login, and the login will not be on SSL.

Ideally I would like to secure the forms and login of course.

BUT... traditionally a separate IP address is needed for every site. That's hundreds of IP addresses (if I secure the CMS admin login pages too, that's all my websites). Linode always seem reluctant to give out IP addresses when I ask, IPv4s are running out, but they do when justified.

I read about Multi Domain Certs that can use the same IP address with multiple domains... but some sites state I have to specify the domains when I order and can't add more (that's OK for old sites but I can't predict new ones coming up). And the cert lists all domains added to it; some customers may not like the association to other unrelated sites.

So I wondered what others do... is it common not to bother with SSL for customer registration and login forms, or do people have a separate IP for ALL their sites, or do people use multi domain SSLs as common practice now?

Thanks

_________________
Web Development Agency in South Wales


Posted: Sat Oct 12, 2013 9:03 am
Joined: Fri Feb 17, 2012 8:20 pm
Posts: 365
You could use SNI. Very old browsers don't support this though, so you may want to keep that in mind.


Posted: Sat Oct 12, 2013 9:49 am
Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
Nuvini wrote:
You could use SNI. Very old browsers don't support this though, so you may want to keep that in mind.

SNI looks like a good solution, but unfortunately it doesn't appear to work on Windows XP systems:
Wikipedia wrote:
Does not work on Windows XP, even Internet Explorer 8 (because the support of this feature is not browser version dependent, it depends on SChannel system component which introduced the support of TLS SNI extension, starting from Windows Vista, not XP).

There are still a lot of XP users, though Chrome seems to work on XP:
Wikipedia wrote:
XP on Chrome 6 or newer.


I guess with some browser and/or OS checks you could address this by informing site visitors.


Posted: Sat Oct 12, 2013 1:22 pm
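To make the SNI mechanism discussed in the two posts above concrete, here is an added example (not code from this thread or from Linode) showing what the server_name extension actually is: the client puts the hostname into the ClientHello, in the clear, and an SNI-aware server uses it to pick which certificate to present. The example builds a minimal TLS 1.2 ClientHello with and without SNI, parses the hostname back out, and mimics the server-side certificate choice. The vhost table and cert file names are made up for illustration; a client that sends no SNI (the Windows XP IE case mentioned above) gets the default vhost's certificate, which is exactly why such users see a certificate mismatch on a shared-IP site.

```python
"""Build and parse the TLS server_name (SNI) extension, RFC 6066.

Added example: constructed data, not part of the original forum thread.
"""
import struct
from typing import Dict, Optional

EXT_SERVER_NAME = 0   # extension type "server_name" (RFC 6066)
NAME_TYPE_HOST = 0    # NameType host_name, the only type defined


def build_sni_extension(hostname: str) -> bytes:
    """Encode one host_name entry as a complete server_name extension."""
    name = hostname.encode("idna")                      # wire form: A-labels
    entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(server_name_list)) + server_name_list


def build_client_hello(hostname: Optional[str], random_bytes: bytes = b"\x11" * 32) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; hostname=None omits SNI."""
    body = b"\x03\x03" + random_bytes                   # client_version + 32-byte random
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"          # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
    body += b"\x01\x00"                                 # one compression method: null
    exts = build_sni_extension(hostname) if hostname else b""
    body += struct.pack("!H", len(exts)) + exts         # extensions block (may be empty)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type=client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake record


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name a ClientHello carries, or None if it sent no SNI.

    Note the hostname is readable here without any keys: SNI is plaintext.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                        # skip version and random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos >= len(body):
        return None                                     # pre-extension hello: no SNI possible
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")

    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        lpos = 2
        while lpos + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[lpos:lpos + 3])
            lpos += 3
            name = data[lpos:lpos + name_len]
            lpos += name_len
            if name_type == NAME_TYPE_HOST:
                return name.decode("ascii")
    return None


def pick_certificate(record: bytes, vhosts: Dict[str, str], default: str) -> str:
    """Mimic an SNI-aware server on one shared IP: choose the cert by host_name.

    Clients that send no SNI (e.g. IE on Windows XP) get the default vhost's
    cert, so they see a name mismatch unless that cert also covers their host.
    """
    host = extract_sni(record)
    if host is None:
        return default
    return vhosts.get(host.lower(), default)


# Hypothetical vhost table for a shared-IP box (file names are made up).
VHOSTS = {
    "shop.example.com": "/etc/ssl/shop.example.com.pem",
    "blog.example.org": "/etc/ssl/blog.example.org.pem",
}
DEFAULT_CERT = "/etc/ssl/default.pem"

if __name__ == "__main__":
    for host in ("shop.example.com", "blog.example.org", "unknown.example.net", None):
        hello = build_client_hello(host)
        print(host, "->", extract_sni(hello), "->", pick_certificate(hello, VHOSTS, DEFAULT_CERT))
```

Run it as-is to see the four cases; the last line shows the no-SNI fallback. In production the same decision is made by the web server's vhost matching on the SNI name (Apache's NameVirtualHost over 443 or nginx's server_name), and the per-host IPv6 address mentioned later in the thread avoids the fallback for IPv6-capable clients that cannot send SNI.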
Joined: Sat Aug 30, 2008 1:55 pm
Posts: 1739
Location: Rochester, New York
Given that XP will no longer be supported six months from now, I would rather drop XP compatibility than risk leaking users' (or, worse, admins') credentials to an eavesdropper.

My usual approach, for what it's worth: one IPv4 address with SNI for multi-host HTTPS, but a distinct IPv6 address for each host. Since XP does support IPv6, this is the legacy support built into my "SNI, IPv6, or GTFO" policy.

_________________
Code:
/* TODO: need to add signature to posts */


Posted: Sat Oct 12, 2013 1:47 pm
Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
I use SNI. Chrome and Firefox both support SNI on Windows XP. IE (any version) doesn't. The only other platform of note that doesn't support SNI is Android 2.x.

The other options are multiple IPs, which are a pain since you have to reboot for each IP, or SAN certificates, which are expensive (and are what people like Cloudflare use).

_________________
Paid support
How to ask for help
1. Give details of your problem
2. Post any errors
3. Post relevant logs.
4. Don't hide details i.e. your domain, it just makes things harder
5. Be polite or you'll be eaten by a grue


Posted: Sun Oct 13, 2013 1:25 pm
Joined: Wed Mar 17, 2004 4:11 pm
Posts: 554
Website: http://www.unixtastic.com
Location: Europe
As far as I'm aware a separate IP address with a separate SSL cert is still standard practice for sites that require SSL. SNI is not a practical option for anything commercial.

The fact that IPv4 addresses are getting harder to get hold of is an unresolved issue.


(Insert rant about SSL CA's being snake oil merchants here)


Posted: Sun Oct 13, 2013 2:49 pm
Joined: Sun Mar 07, 2010 7:47 pm
Posts: 1970
Website: http://www.rwky.net
Location: Earth
Quote:
SNI is not a practical option for anything commercial.
Why not beyond the Windows XP/Android 2.x issues?



Posted: Sun Oct 13, 2013 8:23 pm
Joined: Mon Jan 02, 2012 12:45 pm
Posts: 365
sednet wrote:
As far as I'm aware a separate IP address with a separate SSL cert is still standard practice for sites that require SSL. SNI is not a practical option for anything commercial.

But it looks like SNI would be a viable solution for what amityweb is trying to accomplish: a secure connection for logins and web form submissions.

