Ask any WordPress developer about SSL certificates and encryption and you are likely to get a lot of groans and eye-rolling. Encrypting even basic websites is becoming a requirement due to market movers like Google; the search engine giant now gives preferential ranking to sites that encrypt their traffic. Unfortunately, this change couldn’t have come at a worse time. Most implementations of encryption still rely on a dedicated IP address, leading to a shortage of available IPv4 space. And adoption of IPv6 by hosting providers has been slow. The impact on website owners has taken the form of longer wait times for SSL deployments and higher costs in the form of SSL fees. Fortunately, there is a better way to implement SSL encryption in the form of Server Name Indication (SNI).
What is SNI?
SNI is an extension of the Transport Layer Security (TLS) protocol. It solves a very important problem regarding the nature of how sites are served over HTTPS. Hosting providers have leveraged name-based virtual hosting to serve multiple domains from a single web server for over a decade. The challenge with this approach occurs when you try to run multiple sites that require an free SSL certificate. This is because of the nature of TLS handshakes, which occur before the server sees any HTTP headers when using HTTPS. As a result, the server cannot use HTTP header information to choose which certificate to use for any given request. The typical workaround has been to assign multiple IP addresses to a server, one for every website that requires encryption. Each of those IPs requires a lengthy submission process, which has become more stringent and time-consuming as the available IPv4 space has shrunk. This has in turn resulted in a vicious cycle of heftier SSL fees imposed by hosting providers and increasingly more complex and time-consuming requirements by ARIN, the body that issues IP addresses. The bottom line is that things have gotten increasingly worse for website owners, and this has all come to a head at the worst possible time.
How SNI Works
SNI breaks this cycle by allowing you to run multiple encrypted websites on the same server through a single IP address. SNI allows a web browser to send the name of the domain it wants at the beginning of the TLS handshake. This in turn allows the server hosting that site to find and present the correct certificate. And all sites running on that server can share the same IP address and ports. For customers, the experience of encrypting a site gets a whole lot better since there’s no need to justify a new IP address with ARIN. SSL deployments are quick, painless, and much more cost-effective.
Why Isn’t SNI More Widespread?
You are probably wondering why more hosting providers haven’t taken advantage of SNI. Some are probably not aware of this option. Others are concerned about client/browser and operating system compatibility. There are some operating systems still in use today that don’t support TLS, like Windows XP. Fortunately, these end-user environments are becoming rarer every day. We’ve been using SNI at Pressable now for nearly 2 years with great success. We are able to set up SSL in a matter of minutes for our customers because we don’t have to go through the IP request and allocation process. Our customers are typically serving encrypted traffic within minutes of requesting it. And in those almost 2 years we haven’t had a single complaint from customers about a user being unable to access their site because of SNI compatibility issues.
If you are interested in learning more about SNI, here are a few helpful resources:
- Background on SNI and a list of compatible browsers
- How to configure SNI on APACHE
- How to configure SNI on NGINX
We hope you found this article helpful. Feel free to reach out to us if you have any questions or feedback.