Learning about SSL certificates and the technology behind them is like sightseeing in a new city and discovering smaller, lesser-known attractions. Often you find an interesting building and wonder what's inside. The same applies to Server Name Indication. You may have bumped into the SNI acronym on a web security forum or in an SSL guide without having a clue what it is all about. In this article, we explain what SNI is and why you may need it. To understand the whole process, we first need to step back to the time before SNI existed.
Before SNI: Name-Based Virtual Hosts and Their Mismatch with HTTPS
More than a decade ago, only a small share of websites used HTTPS; plain HTTP was still king. If you want to host several HTTP websites on the same IP address, you use name-based virtual hosts. For instance, if you run three HTTP sites on one IP address, every HTTP/1.1 request a visitor sends carries a Host header naming the site it wants. The server reads that header, matches it against its configured virtual hosts, and serves the content of the requested site.
This approach works until HTTPS enters the equation, and then it doesn't. SSL/TLS requires a handshake to establish the secure connection before any application data flows, and the HTTP request, Host header included, is application data: it is encrypted and only sent after the handshake completes. But the server has to present a certificate during the handshake. At the moment it must pick a certificate, it has no idea which of its websites the client wants, so it cannot choose the right one.
What is SNI?
SNI stands for Server Name Indication, an extension of the TLS (Transport Layer Security) protocol. We all know that TLS is the cryptographic protocol that protects sensitive data in transit (and if you don't, here's a quick technical overview of SSL/TLS certificates), but by itself, in certain situations, TLS is far from perfect. One essential situation is serving multiple SSL certificates from the same IP address. TLS can't do that unless it gets a bit of help from an extension.
Just as your browser's extensions add features and functionality, SNI is an extension to the TLS/SSL protocol that lets you host multiple SSL certificates on a single IP address. It does this by moving the hostname into the handshake itself: the ClientHello, the very first message the client sends, carries a server_name extension that names the site the client wants. The server reads it, selects the matching certificate, and the handshake proceeds. Note that this is not the HTTP Host header; it is a separate field defined for TLS (RFC 6066), and because it is sent before any encryption is set up, the requested hostname is visible in cleartext to anyone observing the connection. Encrypted Client Hello (ECH) is the newer extension designed to close that gap.
Before SNI became a TLS extension in 2003 (RFC 3546), every website you wanted to encrypt required its own IP address. This led to high costs and, more worryingly, rapid consumption of IPv4 addresses. Unique IP addresses aren't infinite: Internet Protocol version 4 has 2^32, roughly four billion, addresses in total.
Prior to SNI's emergence, there were real concerns that IPv4 addresses would run out before IPv6 arrived. SNI helped alleviate these fears and slowed IPv4 depletion. In other good news, IPv6 has around 340 undecillion addresses. That's 340 followed by 36 zeros, which should be enough for the foreseeable future.
SNI is now supported by virtually all browsers in use and by all the major web servers. Chrome, Firefox, Opera, Safari, and lesser-known browsers all support it; the notable historical exceptions were Internet Explorer on Windows XP and the stock Android browser before version 3. A client that does not send SNI receives whatever default certificate the server is configured to present, which usually means a name-mismatch warning, so decide deliberately which site should be the default. You can enable SNI on Apache and Nginx running on Ubuntu, Debian, CentOS, and other popular distributions, and it is implemented by libraries such as OpenSSL and GnuTLS and by the TLS stacks in Python and Oracle's Java. To verify which certificate a server hands out for a given name, connect with openssl s_client -connect host:443 -servername name and inspect the certificate it returns; repeat with a different -servername to confirm the server really switches. Whenever you need to secure multiple websites on a single IP address, use SNI to your advantage.