In this article, we will learn what Server Name Indication (SNI) technology is, its advantages and limitations, how it differs from SAN, and how it works for HTTPS-based websites, with a few scenarios. Let’s dive in!
The mushrooming of internet-connected devices has led to a global shortage of IPv4 addresses. IPv6 can ease this issue to some extent, but it is not a permanent solution. Server Name Indication (SNI) technology tackles the problem from another angle: it lets us host multiple HTTPS websites on a single IP address, so we will not run out of IPv4 or IPv6 addresses that early.
Let’s begin with a quick definition of SNI. Well! SNI is an extension of the TLS protocol that lets you serve multiple SSL/TLS certificates from one IP address.
In a non-secured (plain HTTP) client-server interaction, when a client requests a website, it sends an HTTP Host header carrying the requested hostname. The server matches this header against the websites it hosts and serves the matching one. In this case, hosting multiple websites on a single IP address is possible by configuring name-based virtual hosts.
But will anyone be able to rely on non-secured websites in today’s world, where cybercrime is spreading like wildfire?
Well! The answer is going to be a big NO for sure.
We all know that non-secured (non-HTTPS) websites always remain on the radar of hackers and are therefore susceptible to cyber-attacks. Thankfully, the inception of the HTTPS protocol has helped websites stay protected against various types of cybercrime. Unfortunately, it also gets in the way of hosting multiple SSL/TLS certificate-based websites on a single IP address unless the SNI methodology is used.
Since we have mentioned SSL/TLS certificates, we will also cover the difference between them, as many readers are unclear on this topic.
The term Transport Layer Security (TLS) certificate has rapidly gained ground in the cybersecurity ecosystem owing to its many advantages over conventional SSL certificates. TLS is the advanced successor of SSL, and a TLS certificate can be issued for various public-key algorithms including ECC, RSA or DSA. However, the term SSL certificate is more common in layman’s terms. When you buy the latest "SSL certificate" today, you are actually buying a TLS certificate. Moving forward, we will use the more appropriate term, TLS certificate, instead of SSL certificate.
Well! The TLS protocol requires a TLS handshake before a secured connection between client and server is established. The HTTP header containing the hostname is not sent until the handshake is complete, which means the server cannot tell which website, and therefore which certificate, the client is asking for at the moment it has to present one.
Having been in the PKI industry for years, we often come across scenarios where clients need to install multiple TLS certificates on a single IP. These clients are usually software development companies, hosting providers or other organizations with similar requirements. Thankfully, SNI makes it extremely simple to host multiple TLS certificates for multiple websites on a single IP.
SNI inserts the requested hostname (the same name the HTTP Host header would carry) into the TLS handshake itself, in the client’s very first ClientHello message, so the server can identify the intended hostname while the handshake is still in progress. This is how the server knows which certificate and website to present on a shared IP, and it lets the client securely connect to the requested website.
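To make the mechanism concrete, here is an added example (not code from the original article) that builds a minimal TLS 1.2 ClientHello record with or without the server_name extension and parses the hostname back out of it. The hostname and the single cipher suite are constructed sample values; a real client sends many more fields.

```python
import os
import struct
from typing import Optional

def sni_extension(hostname: str) -> bytes:
    """Encode the server_name extension (type 0) carrying one host_name entry."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(name_list)) + name_list

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; hostname=None mimics a legacy client with no SNI."""
    body = b"\x03\x03" + os.urandom(32)                        # client_version + random
    body += b"\x00"                                            # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"                 # one cipher suite (constructed sample)
    body += b"\x01\x00"                                        # compression_methods: null only
    if hostname is not None:
        ext = sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext              # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the hostname from a ClientHello's SNI extension, or None if the client sent none."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                               # skip client_version and random
    pos += 1 + body[pos]                                       # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # compression_methods
    if pos >= len(body):
        return None                                            # legacy hello: no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                                 # server_name extension
            cur = pos + 2                                      # skip server_name_list length
            while cur + 3 <= pos + ext_len:
                name_type = body[cur]
                name_len = struct.unpack("!H", body[cur + 1:cur + 3])[0]
                if name_type == 0:                             # host_name entry
                    return body[cur + 3:cur + 3 + name_len].decode("ascii")
                cur += 3 + name_len
        pos += ext_len
    return None
```

Because the hostname sits in the unencrypted ClientHello, it is visible to anyone on the path; that is the plaintext exposure discussed below, and also why network monitoring tools can log which sites a TLS connection is for.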
Besides advantages, every technology has a few disadvantages, and SNI is no exception, although they affect only a tiny percentage of users. Its drawback is that it is not compatible with legacy browsers or operating systems: Internet Explorer on Windows XP and Android 2.3 or older do not support SNI. In other words, if a legacy browser cannot send SNI, the server has no way to pick the right certificate, serves its default one, and the browser shows a common name mismatch error.
Another issue with SNI is that in TLS 1.2 the hostname is sent in clear text at the very start of the connection, before encryption is established; only the rest of the session is encrypted. This puts a question mark over its security. However, this problem does not exist in TLS 1.3, but unfortunately TLS 1.3 is not yet fully supported. So make sure to migrate from TLS 1.2 to TLS 1.3 once it becomes fully supported.
It’s a genuine question indeed and deserves a detailed answer. We know that a tiny percentage of users worldwide still use legacy versions of browsers and operating systems. The good news is that you can still serve them with a multi-domain TLS certificate, also known as a Subject Alternative Name (SAN) certificate. It can be set as the default certificate and cover multiple domains on a shared IP with a single certificate. A SAN certificate has no compatibility issues with any server or browser and lets you host up to 200 domains on a single certificate.
Similar to SNI, SAN has its own limitations, which are as follows:
In a nutshell, SNI lets you deploy a unique certificate for each of multiple domains on a single IP, while SAN lets you list a limited number of domains in a single certificate on a single IP address. So, choose the right solution according to your business requirements and stay ahead of the competition.
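The following added example (not from the article) shows the server-side decision that the two approaches imply: with SNI the server picks a per-site certificate by hostname; without SNI it can only fall back to a default certificate, so a legacy client gets a name mismatch unless that default is a SAN certificate listing the site. The certificate inventory and hostnames are constructed sample data, and the name comparison follows the usual rule that a wildcard matches exactly one leftmost label.

```python
from typing import Optional

def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # "*.shop.example.com" matches "eu.shop.example.com" but not "shop.example.com"
    # and not "a.b.shop.example.com" (the wildcard covers exactly one label).
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]

def certificate_covers(cert: dict, hostname: str) -> bool:
    """True if any SAN entry of the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert["san"])

def select_certificate(sni_hostname: Optional[str], certificates: list, default_cert: dict) -> dict:
    """Pick the certificate for one connection on a shared IP.
    sni_hostname is None when the client (e.g. a legacy browser) sent no SNI."""
    if sni_hostname is not None:
        for cert in certificates:
            if certificate_covers(cert, sni_hostname):
                return cert
    return default_cert          # no SNI or unknown name: default certificate, mismatch if it lacks the name

def expect_name_mismatch(sni_hostname: Optional[str], requested_host: str,
                         certificates: list, default_cert: dict) -> bool:
    """Will the browser show a common name mismatch for this request?"""
    chosen = select_certificate(sni_hostname, certificates, default_cert)
    return not certificate_covers(chosen, requested_host)

# Constructed sample inventory (labels stand in for real certificate files): one SAN
# certificate that doubles as the default for non-SNI clients, plus two single-site ones.
DEFAULT_SAN_CERT = {"label": "san-default",
                    "san": ["example.com", "www.example.com", "*.shop.example.com"]}
CERTIFICATES = [
    DEFAULT_SAN_CERT,
    {"label": "blog", "san": ["blog.example.net"]},
    {"label": "api", "san": ["api.example.org"]},
]
```

For a site listed only in its own certificate, a non-SNI client always ends up with the default certificate and therefore a mismatch; moving that name into the default SAN certificate is what removes the error for legacy users.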