What is Server Name Indication (SNI) – Is it a Quick Fix to IPV4 Exhaustion Issue?

In this article, we will learn what Server Name Indication (SNI) is, its advantages and limitations, how it differs from SAN certificates, and how it works for HTTPS websites, with a few scenarios. Let’s dive in!

The mushrooming of internet-connected devices has led to a global shortage of IPv4 addresses. IPv6 can fix this issue to some extent, but that is not a permanent solution. Server Name Indication (SNI) attacks the problem from another direction: it lets us host multiple HTTPS websites on a single IP address, so we will not run out of IPv4 or IPv6 addresses as early.


Client Server Interaction in a Non-Secured Environment

Let’s begin with a quick definition of SNI. Well! SNI is an extension of the TLS protocol that lets a server present multiple SSL/TLS certificates on one IP address.

In a non-secured (plain HTTP) client-server interaction, the client’s request carries an HTTP Host header containing the hostname it wants. The server matches this header against the websites it hosts and serves the matching one. This is how hosting multiple websites on a single IP address works: the server is configured with name-based virtual hosts.
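The name-based routing described above, as an added Go example (not code from the article): a single handler picks the site from the request’s Host header, normalizing it the way a real virtual-host configuration must, since hostnames are case-insensitive and a client may append a port. The site names `site-a.example` and `site-b.example` and the “default” site for unmatched names are placeholders chosen for the demo; requests are built in memory so it runs without a network.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Sites maps a hostname to the handler that serves that site (placeholder sites).
type Sites map[string]http.Handler

// canonicalHost normalizes the Host header: hostnames are case-insensitive and
// the client may append a port ("Site-B.example:8080" -> "site-b.example").
func canonicalHost(hostHeader string) string {
	host := hostHeader
	if h, _, err := net.SplitHostPort(hostHeader); err == nil {
		host = h
	}
	return strings.ToLower(strings.TrimSuffix(host, "."))
}

// VirtualHosts returns one handler that routes each request by its Host header,
// the way a name-based virtual host configuration does; unknown names get fallback.
func VirtualHosts(sites Sites, fallback http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if h, ok := sites[canonicalHost(r.Host)]; ok {
			h.ServeHTTP(w, r)
			return
		}
		fallback.ServeHTTP(w, r)
	})
}

// site builds a trivial handler that identifies which site answered.
func site(name string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "served by %s", name)
	})
}

// ServedBy sends one in-memory request with the given Host header through the
// router and returns the body, so the routing can be checked without a network.
func ServedBy(hostHeader string) string {
	router := VirtualHosts(Sites{"site-a.example": site("site-a"), "site-b.example": site("site-b")}, site("default"))
	req := httptest.NewRequest("GET", "http://ignored/", nil)
	req.Host = hostHeader // what the client put in its Host header
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Body.String()
}

func main() {
	for _, h := range []string{"site-a.example", "Site-B.example:8080", "other.example"} {
		fmt.Printf("%-22s -> %s\n", h, ServedBy(h))
	}
}
```

Over plain HTTP this works because the Host header arrives in the clear with the request; over HTTPS the same header is inside the encrypted stream, which is exactly the gap the next sections describe.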

But, will anyone be able to rely on non-secured websites in today’s world, where cybercrime is spreading like wildfire?

Well! The answer is going to be a big NO, for sure.

We all know that non-secured (non-HTTPS) websites are always on hackers’ radar and hence susceptible to cyber-attacks. Thankfully, the arrival of the HTTPS protocol has helped websites stay protected against many types of cybercrime. Unfortunately, it also prevents hosting multiple SSL/TLS certificate-based websites on a single IP address unless SNI is used.

Since we mentioned SSL/TLS certificates here, we will cover the difference between them too, as many readers are unclear on this point.

Let’s Take a Quick View of the Basics – The Difference Between SSL & TLS Protocol in a Nutshell


The term Transport Layer Security (TLS) certificate is spreading rapidly in the cybersecurity ecosystem owing to its many advantages over conventional SSL certificates. TLS is the successor of SSL and supports a range of cryptographic algorithms, including ECC, RSA and DSA. The term SSL certificate is still more common in everyday use, but when you buy the latest “SSL certificate” today, you are actually buying a TLS certificate. From here on, we will use the more accurate term, TLS certificate, instead of SSL certificate.

Why HTTPS Restricts Hosting Multiple Website on a Single IP Without SNI

Well! The TLS protocol requires a TLS handshake before a secured connection between client and server is established. The HTTP header containing the hostname is not sent until the handshake is complete, so the server has no way to tell which website the client wants, and therefore which certificate to present.

Being present in the PKI industry for years, we often come across scenarios where clients need to install multiple TLS certificates on a single IP. These clients are usually software development companies, hosting providers or other organizations with similar requirements. Thankfully, SNI makes it extremely simple to host multiple TLS certificates for multiple websites on a single IP.

SNI puts the requested hostname, the same information the HTTP Host header carries later, into the TLS handshake itself, so the server learns the intended hostname while the handshake is in progress. This is how the server knows which certificate and website to present on a shared IP, and how the client ends up securely connected to the website it requested.

SNI Limitation – Compatibility Issue

Besides advantages, every technology has a few disadvantages as well, and unfortunately SNI is not spared from them, although they affect only a tiny percentage of users. Its drawback is incompatibility with old browsers and operating systems: Internet Explorer on Windows XP and Android 2.3 or older versions do not support SNI. When such a legacy browser connects without SNI, the server cannot pick the right certificate and the browser shows a common name mismatch error.

Another issue with SNI is that in TLS 1.2 the hostname is sent unencrypted at the start of the handshake, before the connection becomes encrypted. This puts a question mark over its security. This problem does not exist in TLS 1.3, but unfortunately TLS 1.3 is not yet fully supported everywhere. So, make sure to migrate from TLS 1.2 to TLS 1.3 once it becomes fully supported.
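The mechanism from the three sections above, as an added Go example that is not code from the article: a TLS server on one loopback IP:port hosts two placeholder sites, `site-a.example` and `site-b.example`, with throwaway self-signed certificates generated in the program, and selects the certificate from the SNI name in the ClientHello. The `GetCertificate` callback sees that name before any key exchange has happened, which is the same fact behind the cleartext concern just described. A client that sends no SNI, standing in for the legacy browsers mentioned, is handed the fallback certificate, and the hostname check against it reproduces the name mismatch error. The site names, the choice of `site-a.example` as fallback, and the self-signed certificates are assumptions for the demo; a real deployment installs CA-issued certificates, and the verification is matched against the certificate’s SAN list, not its CN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}
// selfSigned makes a throwaway certificate for one hostname (constructed demo material).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host}, // verifiers match the SAN list, not the CN
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, _ := x509.ParseCertificate(der) // DER produced one line above; parses cleanly
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serveSNI listens on one loopback address:port and picks the certificate from
// the SNI hostname in the ClientHello; a client sending no SNI gets the fallback.
func serveSNI(fallback tls.Certificate, sites map[string]tls.Certificate) net.Listener {
	cfg := &tls.Config{GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
		// hello.ServerName is read from the ClientHello, before any key exchange
		if cert, ok := sites[hello.ServerName]; ok {
			return &cert, nil
		}
		return &fallback, nil
	}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	must(err)
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { defer c.Close(); io.Copy(io.Discard, c) }(conn) // handshake, then wait for hang-up
		}
	}()
	return ln
}

// dial connects like a browser: SNI set to the site name, trust pinned to the demo certificates.
// An empty name models a legacy client without SNI; verification is skipped (demo only) to inspect the fallback.
func dial(addr, sni string, roots *x509.CertPool) *x509.Certificate {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, RootCAs: roots, InsecureSkipVerify: sni == ""})
	must(err)
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0]
}

// Demo hosts two sites on one IP:port. served maps each SNI name sent ("" = no SNI) to the CN
// presented; mismatch is the hostname error a no-SNI client gets if it actually wanted site-b.
func Demo() (served map[string]string, mismatch error) {
	sites, roots := map[string]tls.Certificate{}, x509.NewCertPool()
	for _, host := range []string{"site-a.example", "site-b.example"} { // placeholder names
		sites[host] = selfSigned(host)
		roots.AddCert(sites[host].Leaf)
	}
	ln := serveSNI(sites["site-a.example"], sites)
	defer ln.Close()
	served = map[string]string{}
	for _, sni := range []string{"site-a.example", "site-b.example", ""} {
		leaf := dial(ln.Addr().String(), sni, roots) // the SNI name alone decides the certificate
		served[sni] = leaf.Subject.CommonName
		if sni == "" {
			mismatch = leaf.VerifyHostname("site-b.example") // fallback does not cover site-b
		}
	}
	return served, mismatch
}

func main() {
	served, mismatch := Demo()
	fmt.Println(served, mismatch)
}
```

Running it prints the certificate served for each SNI name (each site gets its own), the fallback `site-a.example` for the client that sent no SNI, and the hostname error that client would report if it wanted `site-b.example`. The two dials that set a name use full verification, so a wrong certificate would fail the handshake rather than pass silently.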

How about those Users who are Still Using Older Operating Systems or Browsers? Will they never be able to host multiple websites on a single IP?


It’s a genuine question indeed and deserves a detailed answer. A tiny percentage of users worldwide still use old versions of browsers and operating systems. The good news is that the same objective can be achieved with a multi-domain TLS certificate, also known as a Subject Alternative Name (SAN) certificate. It can be set as the default certificate on a shared IP and covers multiple domains with a single certificate. SAN certificates have no compatibility issues with any server or browser and let you host up to 200 domains on a single certificate.

SNI or SAN from the User’s Viewpoint?

Similar to SNI, SAN has its own limitations, which are as follows:

  • With SAN, every domain is added as a Subject Alternative Name entry on one certificate. Whenever any SAN entry needs to be edited or revoked, the certificate has to be reissued and replaced for every listed domain, which is a time-consuming task.
  • All the listed domain entries are visible on the certificate, which reduces the privacy of ownership.
  • Website response time is one of Google’s recent ranking factors. Adding many domain entries to a single certificate makes it larger, which may slow the website’s response time by some milliseconds.
  • SAN certificates have a limit on the number of domains that can be added.
  • Last but not least, SAN is not compatible with Organization Validated (OV) and Extended Validation (EV) certificates when shared between organizations.

In a nutshell, SNI lets you deploy a unique certificate for each of multiple domains on a single IP, whereas SAN lets you list a limited number of domains on a single certificate and IP address. So, choose the right solution for your business requirements and stay ahead of the competition.
