Running several HTTPS websites under the same IP address is normal practice today. But that wasn’t always the case. Initially, you needed a dedicated IP address for every domain you wanted to secure. However, the arrival of Server Name Indication (SNI) changed the entire SSL landscape. In this article, we explain what is SNI, how it works, and why you may need it. To better understand the whole process, we need to take a step back in time before SNI creation.
Table of Contents
- Before SNI: Name-Based Hosts and Their Mismatch With HTTPS
- What Is SNI?
- Why Use SNI?
- How SNI Works?
- What Are the Advantages of SNI?
- What Are the Differences Between SNI and SANs?
- Wildcard Certificates vs SNI Certificates
- Which Browsers Support SNI?
- Are There Any Disadvantages to SNI?
- Why Isn’t SNI More Widespread?
- What Is Encrypted SNI (ESNI)?
Before SNI: Name-Based Hosts and Their Mismatch With HTTPS
More than a decade ago, only a small portion of websites were using the HTTPS protocol. HTTP was still the king. Today, if you want to host multiple HTTP websites on the same IP address, you can use name-based hosts. For instance, if you run three HTTP sites on the same IP address when a user connects to a particular site, it uses a unique HTTP header that contains the hostname. In response, your server identifies and matches this header, and sends the user the desired destination.
This approach works until HTTPS comes into the equation and then it doesn’t. Since SSL/TLS requires a handshake to establish a secure connection between a client and a server, the HTTP header with the necessary hostname can’t be downloaded before the handshake has been completed. The server simply doesn’t know which website to match and send the user to. Here’s where SNI comes to the rescue.
What Is SNI?
SNI is an extension of the TLS (Transport Layer Security) protocol that enables multiple websites to share the same IP address. It allows web servers to host several SSL/TLS certificates on the same IP, an essential benefit for sites that use HTTPS to encrypt their communication with users.
Now, we all know that TLS is the cryptographic protocol that secures sensitive data in transport (and if you don’t, here’s a quick technical overview of SSL/TLS certificates), but by itself, in certain situations, TLS is far from perfect. One such essential situation is running multiple SSL certificates on the same IP address. TLS can’t do that unless it gets a bit of help from an extension
Just like your browser’s extensions add more features and better functionality, SNI is an extension to the TLS/SSL protocol that allows users to host multiple SSL certificates on a single IP address. SNI does this by inserting the HTTP header into the SSL/TLS handshake.
Before SNI became a TLS extension in 2003, each website you wanted to encrypt required a unique IP address. This has led to huge costs, but more worryingly, rapid consumption of IPv4 IP addresses. Unique IP addresses aren’t infinite. For example, Internet Protocol version 4 has roughly four billion addresses.
Prior to SNI’s emergence, there were real concerns that the IPv4 addresses would run out before the arrival of the new IPv6. SNI managed to alleviate these fears and slow down IPv4 depletion. In other good news, IPv6 has around 340 undecillion addresses. That’s 340 followed by 36 zeros. Such an amount should be enough for the foreseeable future.
Why Use SNI?
SNI allows website owners to secure communications with their users and customers by facilitating SSL certificate management. Without SNI, each website would need a unique IP address to use HTTPS encryption, which could be expensive for small businesses and companies with a tight budget.
SNI also makes it easier to manage websites, as web servers can now host multiple SSL/TLS certificates on the same IP address. This means that website owners can easily add or remove websites from their hosting accounts.
How SNI Works?
When you visit a website over HTTPS, your web browser and the website’s server need to establish a secure connection through the SSL/TLS handshake. During this process, the web browser sends a message to the server that includes the website’s hostname.
In the case of SNI, the website’s hostname is included in the Client Hello message, which allows the server to select the correct certificate to use in the Server Hello message. As a result, the server can host multiple SSL certs on the same IP address.
Most modern web servers and browsers support SNI, but older versions may not. In these cases, the web browser may receive a generic SSL cert instead of the correct one, which can cause warnings or errors to appear.
What Are the Advantages of SNI?
SNI has changed the entire hosting landscape when installing and managing SSL certificates. Here are its main advantages:
- Multi-Domain Hosting. With SNI, you can host and secure multiple websites on a single server and IP address. SNI significantly reduces hosting costs and streamlines SSL management.
- Flexibility. SNI provides the flexibility to add or remove websites from a server without having to reconfigure the server or obtain additional IP addresses.
- Better Resource Utilization. SNI enables better utilization of resources such as IP addresses, which can be scarce and expensive. By hosting multiple sites on the same IP, you slow down the exhaustion of IPv4 – the core protocol that helps us connect to the Web.
What Are the Differences Between SNI and SANs?
SNI and SANs are both methods for supporting multiple SSL certificates on a single server. However, they differ in how they provide this support. The main difference between SNI and SANs is that SNI is a server-side technology, while SANs are a certificate feature.
As you already know, SNI enables a web server to host multiple certificates on a single IP address. When a client connects to the server, SNI allows the server to determine which certificate to use based on the domain name provided by the client in the initial request.
SANs, on the other hand, are a feature of SSL certificates that allows a single certificate to secure multiple domain names under one installation. A SAN certificate includes a list of additional domain names (also known as Subject Alternative Names) that you can protect with the same certificate.
As for compatibility, most modern web browsers and servers support SNI and SANs. However, some legacy systems could be incompatible with them.
Wildcard Certificates vs SNI Certificates
A Wildcard SSL certificate secures one domain and all its subdomains (unlimited) under a single SSL certificate. Wildcard is another feature of SSL certs, just like SANs are. It’s convenient and cost-effective to get a Wildcard SSL option if you’re website has several subdomains like new.yourwebsite.com or blog.yourwebsite.com.
SNI certificates don’t exist as SNI is not an intrinsic feature of SSL certs but a TLS extension on the server side. If your server supports SNI, you can add any SSL type on multiple domains with the same IP address.
Which Browsers Support SNI?
SNI is now compatible with 99% of browsers and all the major server systems. Chrome, Mozilla, Opera, Safari, and lesser-known browsers all support SNI. You can implement SNI on Apache, Nginx, Ubuntu, Debian, CentOS, and many other popular systems. Some of the libraries that support SNI are Open SSL, GnutTLS, Python, Oracle, and Java. Whenever you need to secure multiple websites on a single IP address, use SNI to your advantage.
What Happens if the Web Browser Doesn’t Support SNI?
If a web browser does not support SNI, it won’t be able to establish a secure connection with a server that uses SNI to host multiple SSL/TLS certificates. As a result, the user won’t be able to access the website. Moreover, the user will get an error message indicating that the website in question is not secure.
Are There Any Disadvantages to SNI?
While SNI has significant advantages, there are a few potential drawbacks. One is that SNI can be slower than using a dedicated IP address or a non-SNI solution. This is because the server must perform an extra step to identify the correct SSL/TLS certificate to establish a secure connection.
Another disadvantage is that not all web browsers and servers support SNI. If you use a legacy browser or platform, you may face compatibility issues, which can lead to errors or security vulnerabilities.
Why Isn’t SNI More Widespread?
Some organizations prefer to use dedicated IP addresses for security reasons. These measures can provide additional protection against cyber attacks such as IP spoofing. Many legacy systems do not support SNI, so that’s also a factor. But, as encryption becomes ubiquitous, SNI implementation is gaining widespread adoption.
What Is Encrypted SNI (ESNI)?
Encrypted SNI (ESNI) is a new technology designed to address some of the potential security vulnerabilities associated with SNI. ESNI encrypts the SNI information so that it cannot be intercepted by third parties, protecting the user’s privacy and preventing attackers from spying on the TLS handshake process to determine which websites users visit.
ESNI is not yet widely supported by web browsers and servers.
Which browsers support ESNI?
Currently, Firefox is the only popular browser to offer SNI support.
This article has covered Server Name Indication from all angles and aspects. Now that you know what SNI is, you can adopt it for your websites and projects. Most systems are compatible with SNI as it’s an essential extension in today’s web hosting environment. With HTTPS being the new Web standard, SNI facilitates migration from the obsolete HTTP protocol.
Save 10% on SSL Certificates when ordering today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10