I was browsing through Yusuf’s blog today and, in his post about enabling cheaper SSL hosting, read for the first time about Server Name Indication (SNI), as specified in section 3.1 of RFC 3546.
Anyone who’s had to set up a TLS/SSL (let’s say secure) site knows that currently, a secure site must be hosted on a unique IP. If you need to host more than one SSL site, you need a separate IP for each secure site hosted. This requirement exists because, pre-SNI, the hostname is used only for the DNS lookup: the server has to present its certificate before the client has said which site it wants, so it can choose a certificate only by the IP address the connection arrived on. SNI elegantly works around this requirement by adding another step to TLS negotiation. As part of the TLS handshake, the client tells the TLS server which hostname it is trying to connect to, and the server thus knows which certificate to present to the client. This is explained a lot more elegantly by Paul Querna.
SNI makes life better because secure hosting becomes more affordable. The certificate is often no longer the largest cost a site must bear to be secure: one can get a certificate for $20/year. However, dedicated IPs are expensive. On a host such as Dreamhost, unique IPs cost $4.95/month. Add this up and it’s almost $60/year. If this extra cost can be eliminated, a lot more businesses might be tempted to go secure, and this is a good thing for everybody.
So what’s the current state of browsers?
- Opera: Already has full support for SNI as of 8.0
- Internet Explorer: Windows Vista adds full support for SNI
- Gecko/NSS: Not yet, but bugs 116168 and 116169 have been filed.
It’s no secret that, as far as end users are concerned, backend features are not as sexy as features which are exposed in the UI, but I wonder whether, if SNI support is added to Gecko/NSS before IE, Firefox will suddenly become a lot sexier to businesses who don’t have an arbitrarily large IP space but are looking to standardise on a browser, or recommend one to their clients. Hey, it’s a much better solution than forcing an upgrade to Vista.
I have now filed the following bug report for Konqueror: http://bugs.kde.org/show_bug.cgi?id=122433
Hi everyone,
I read the article, and I find implementing SNI useful and interesting. I know this article is dated, but I wanted to know if the information is still considered relevant. Is SNI currently being supported by the latest browsers? Has anyone found any cases where this is implemented? (I’d love to get the links!) I saw the article by Paul Querna, but the links were dead…