(5 votes, average: 5.00 out of 5)
Loading...
Server Name Indication is one of those important technologies that the domain of internet security and web hosting is undergoing.
Today, around 85% of websites use HTTPS, which is hypertext transfer protocol secure, with secure channels running over SSL/TLS.
SNI is an advancement in the TLS protocol, making it possible to resolve the limitation of hosting multiple SSL certificates on a single IP address.
That makes it even more important now, especially when the number of websites is growing abnormally, crossing 1.88 billion somewhere in the year 2022, hence cost-effective and secure hosting solutions are need of the hour.
It includes the intended hostname in the SSL handshake, hence allowing the server to deliver the correct SSL certificate for the requested domain.
This ensures linking of the user to the correct web page for secure browsing. Therefore, no compromise happens with the user’s security needs, and it builds the much-needed trust for the website. With this blog, we would go deep into the working of SNI, its features, pros, and cons.
Server Name Indication (SNI) is one of those important technologies in web hosting and web security. Suppose you are visiting a site, how would it be if before the content showed up, there is a handshake already happening between your browser and the server behind the scene?
SNI is an extension to the TLS protocol, allowing multiple SSL certificates to be managed on a single IP address. It’s like a receptionist waiting for a person to arrive and tell them which company they are visiting, so that they can redirect them to the right office.
This becomes very important in a world where websites are multiplying by the minute.
The Server Name is the name of a website; it identifies a website uniquely. In some description, it is a website’s digital address. When you type a URL into your browser, basically, that’s one way to tell your browser which server you want to talk to.
A server name is a part of the URL, such as “www.example.com,” that lets the server know which website you want to access among the many that it is hosting.
SNI allows various SSL certificates for different websites to coexist on a single IP address. This becomes cost-efficient and effective in shared hosting environments.
It ensures that correct SSL certificate of each website is enabled, hence securing the link and protecting critical data.
As more and more websites are established daily, SNI makes it easier to work with a ballooning number of SSL certificates without requiring a unique IP address for each site.
SNI is supported by most of the browsers used in the modern world, which makes it very user-friendly today.
In a traditional way of doing things, each SSL certificate required a separate IP address. SNI allows many certificates to share the setup of one IP address, saving billions of money.
For example, secure, small businesses can save money where the businesses are using shared servers to host secure websites.
Using the correct SSL certificate to offer a site avoids a situation where the user is sent to the wrong site, which would be a perfect recipe for insecurity breaching.
Think of a user will be looking to access the site for their bank, but instead, the user gets sent to a fake site. SNI makes it possible that one gets to the correct site, securely.
SNI provides a way to contain SSL certificates in an innovative way. Therefore, one can host many secure websites mindlessly if the number of required sites goes higher.
For example, an SNI allows a web hosting company to securely host hundreds of websites on one single server.
For example:
Think of a large apartment building where a lot of people live. Then imagine that instead of one key for the entire building, all those people own footwork key to the building, SNI uses one key for every resident, and the building knows that the tenant (website) in question that gets visited. And everything is secure and it is very efficient.
Hostname is a label assigned to a device connected to a computer network, uniquely identifying a particular device in the network, which is used for distinguishing such a device from other devices.
Most often, in the process of entering an address on the Internet, a hostname will be a part of the URL to be entered for website access, as a result of making a human-readable domain name become an IP address through the Domain Name System.
For instance, in a URL such as `https://www.example.com`, “www.example.com” is the host. If you type this URL into your web browser, DNS servers will convert it into the IP address that your computer will use to establish a connection with the web server that hosts the website.
A virtual hostname or simply a virtual host allows hosting of multiple host names on a single physical server, each appearing as a distinct server. This is usually applied in web hosting as a way of carrying out several websites on a single server without an increase in the hardware.
Types of virtual hosting can be grouped under two primary categorizations:
This is a method through which multiple host names can be served from one single IP address; for example, `www.example1.com` and `www.example2.com`—that is, from the same server using just one IP address.
It hosts each hostname on an individual IP address. This solution isn’t widely used due to the deficiency in IP addresses, but there are situations where it is used along with SSL/TLS encryption.
Example:
Imagine a web hosting company where there are three sites: `www.site1.com`, `www.site2.com`, and `www.site3.com`. Using virtual hosting, the three share one server, and share operation costs are reduced.
Server Name Indication is the extension of the TLS protocol: it allows a server to have several certificates for SSL on one IP address and TCP port number, hence allowing multiple HTTPS websites on a single IP address.
SNI is supported by most of the modern web browsers:
1. Google Chrome: Supported since version 6.0 (2010).
2. Mozilla Firefox: Supported since version 2.0 (2006).
3. Microsoft Edge: Supported since its first release.
4. Apple Safari: Supported starting from version 3.0 in 2007 on macOS and iOS.
5. Opera: Supported since version 8.0 (2005).
6. Internet Explorer: Supported since version 7.0 on Windows Vista and later.
For example:
Suppose you run several secure websites off of one machine, e.g., `secure.example1.com` and `secure.example2.com`. Modern browsers with SNI support will allow your server to present proper SSL certificates for each site making a secure connection without the need to have one IP per site.
Understanding hostnames, virtual hostnames, and particularly SNI, will make you able to serve multiple websites from one server and secure them properly, thus creating a clean and safe browsing environment.
The Transport Layer Security (TLS) Server Name Indication (SNI) extension is an important part of the TLS protocol, allowing a client to indicate the hostname to which it is trying to connect during the initial handshake.
This becomes most significant whenever the server has multiple domains (virtual hosting) on one single IP address. Here is how it works:
When the client wants to establish a secure connection, it sends a “ClientHello” message to start the TLS handshake. The SNI extension sends the hostname that the client would want the server to possess.
The server can make use of the SNI information to pick the right certificate for the hostname mentioned by the client, enabling the server to present the correct certificate in the case of hosting multiple domains.
To increase the level of privacy that is afforded by the standard SNI extension, ESNI is developed. In regular SNI, the hostname sent in the handshake is in plaintext and is something that can be easily intercepted by anyone sniffing your network.
ESNI is meant to hide this information through the encryption of SNI with the guarantee that just an intended client and the server will be able to read it.
It encrypts the SNI field with a public key sent by the server, making it unintelligible to parties other than the server. This way, transit intermediaries and passers-by, including your network provider and a possible attacker, do not get to know exactly which hostname the client is trying to connect to.
To explain the theory, one would proceed roughly as follows:
Example Walkthrough Let’s look at a more detailed example:
Without SNI Let’s say a server hosts two websites: www.siteA.com and www.siteB.com. Both sites share the same single IP address. Client A wishes to connect to www.siteA.com.
Since SNI doesn’t send the hostname in plaintext without having established a secure connection yet, the server has no idea what the client wants until it sends a certificate.
The server may default to sending the certificate for www.siteA.com, which is fine for Client A. If Client B wants to connect to www.siteB.com, the server may send the certificate for www.siteA.com, leading to a certificate mismatch error.
With SNI Client A sends a “ClientHello” with SNI of www.siteA.com. The server will then see the SNI for www.siteA.com and send the appropriate certificate. Client B sends a “ClientHello” with SNI of www.siteB.com. The server will then see the SNI for www.siteB.com and send the appropriate certificate.
A client sends an encrypted SNI in the “ClientHello”. The encrypted SNI makes the hostname opaque, so it cannot be read by intermediaries. The server decrypts SNI with its private key and responds to the other end with a relevant certificate.
Feature | SNI (Server Name Indication) | SANs (Subject Alternative Names) |
Definition | SNI is an extension of the TLS protocol that allows hosting of multiple SSL certificates on a single IP address. | SSL certificates use X.509 certificates that can have a specification called SANs. These specifications will allow a single certificate to secure multiple domain names. |
Primary Use Case | This feature use case allows hosting multiple SSL certificates issued to many different domain names on the same IP address and port. | This use case allows just one SSL certificate to secure many domain names, many IP addresses, or many subdomains. |
Configuration Complexity | SNIs need to be included in server configuration to implement. | Need to specify additional domains when obtaining the certificate. |
Server Compatibility | Works in most modern web servers, such as Apache and Nginx. | All Certificate Authorities can work with these. |
Client Compatibility | Works with most modern browsers and clients. | All clients and browsers can support it. |
Performance | Performance might drop a bit, as it involves a few extra steps on the TLS handshake that it will not when SNI is not in place. | No effect on performance. |
Scalability | This, for every individual domain, one certificate is issued, which makes renewal and management quite easier. | Only one certificate needs to be managed and updated with the addition and removal of domains. |
Certificate Management | The feature allows multiple SSL-enabled websites to be hosted on one server without using multiple IP addresses. | The purpose of this is securing multiple domain names and subdomains or IP addresses through a single certificate. |
Implementation Layer: | Transport Layer Security (TLS) protocol | X.509 certificates. |
Server Name Indication (SNI) and Subject Alternative Names (SANs) are two of the most critical technologies in modern hosting and web security. It allows hosting multiple SSL certificates on one IP, which overcomes the cost-efficiency and scalability limitations.
By that token, SANs secure various domains in one certificate, easing management. It behooves the interested parties to understand the feature use case and compatibility of all this technology to host the web securely and, as importantly, efficiently.
Safeguarding this growing internet for the rest of safe, scalable web interactions with trust is critical.