HTTPS with SNI may not work very well for your website

Most websites in the world that use HTTPS do so through SNI (Server Name Indication). With it, a server can present several security certificates on the same IP address. So far, this looks like an advantage!

Why HTTPS with SNI can cause problems

The problem is not in SNI or in the HTTPS protocol. The problem is that SNI is not supported by all clients (language libraries) and browsers. So when such a client accesses an HTTPS site served from an SNI-based server, problems may occur and the website cannot be opened. To summarize the story: not every website that delivers SSL based on SNI will open for every visitor.

In any case, every SSL certificate deployment requires some study and the proper configuration so that the site opens in all browsers, on desktop or mobile devices.

The main browser that does not support SNI is Internet Explorer running on Windows XP (believe me, there are people who still use it). Other browsers may show the blocked-page warning instead (the one with the little guard icon).

But that does not always happen. To establish a connection, the TLS client requests a digital certificate from the web server. Once the server sends the certificate, if it matches the site the client asked for, the connection continues as normal. Otherwise, the user can be informed of the discrepancy and the connection can be aborted, since the mismatch may indicate a man-in-the-middle attack.
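The host name that lets the server pick the right certificate travels in the client's very first handshake message, the ClientHello, as the server_name extension; a client that lacks SNI support simply omits it, and the server is left with only the IP address it was reached on. The following is an added example, not code from the original post: it builds a minimal ClientHello with and without that extension and parses one back, so you can see what "the client did not send SNI" looks like on the wire and tally how many clients in a batch of captured ClientHellos would fail on an SNI-only server. The host names and the records themselves are constructed here; nothing is captured live.

```python
# Added example (not code from the original post): build a minimal TLS
# ClientHello with or without the server_name (SNI) extension, then parse
# one to see whether a client announced a host name. The sample host names
# and the records themselves are constructed here; nothing is captured live.
import struct


def _u16(n):
    return struct.pack("!H", n)


def _u24(n):
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None):
    """Return a TLS record carrying a minimal TLS 1.2 ClientHello.

    With server_name set, the server_name extension (type 0) is included,
    which is what lets an SNI-capable server pick the right certificate.
    Without it, the server only sees the IP address it was reached on.
    """
    body = b"\x03\x03"                    # client_version: TLS 1.2
    body += bytes(32)                     # random (zeros: constructed sample)
    body += b"\x00"                       # session_id length 0
    body += _u16(2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                   # one compression method: null
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + _u16(len(name)) + name      # NameType host_name (0)
        sni_list = _u16(len(entry)) + entry           # ServerNameList
        extensions += _u16(0) + _u16(len(sni_list)) + sni_list
    if extensions:
        body += _u16(len(extensions)) + extensions
    handshake = b"\x01" + _u24(len(body)) + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake


def extract_sni(record):
    """Return the host name from the ClientHello's SNI extension, or None
    when the client sent none (the legacy clients the post talks about)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + p[pos]                                 # session_id
    pos += 2 + struct.unpack("!H", p[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + p[pos]                                 # compression_methods
    if pos >= len(p):
        return None                                   # no extensions at all
    ext_len = struct.unpack("!H", p[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", p[pos:pos + 4])
        pos += 4
        data = p[pos:pos + ext_size]
        pos += ext_size
        if ext_type == 0:                             # server_name extension
            q = 2                                     # skip ServerNameList length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == 0:
                    return name.decode("idna")
    return None


def count_clients_without_sni(records):
    """Tally how many ClientHellos in a batch omitted SNI: a quick way to
    estimate how much of your traffic would fail on an SNI-only server.
    Returns (without_sni, with_sni)."""
    missing = sum(1 for r in records if extract_sni(r) is None)
    return missing, len(records) - missing


if __name__ == "__main__":
    # Constructed sample "capture": two SNI-capable clients and one legacy one.
    sample = [build_client_hello("example.com"),
              build_client_hello("www.example.org"),
              build_client_hello()]
    print([extract_sni(r) for r in sample])     # ['example.com', 'www.example.org', None]
    print(count_clients_without_sni(sample))    # (1, 2)
```

Feeding real ClientHello records (the first TLS record of each connection, as captured at the edge) into count_clients_without_sni gives a direct measure of how much of a site's audience would hit the blocked page described above before deciding whether one certificate per IP address is still needed.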

List of HTTPS sites with SNI worldwide

In practice, does this mean that an HTTPS server can only serve one domain (or a small group of domains) per IP address for secure browsing? Is that really so? The type of SSL certificate offered by the Let's Encrypt initiative goes a long way toward solving this problem; it is worth taking a look.

Solution

Assigning a separate IP address to each site increases the cost of hosting. After all, each IP address request must be justified, and IPv4 addresses are exhausted. The result is that many sites are effectively prevented from using secure communications over IPv4. IPv6, on the other hand, is an address space that is not exhausted, so sites using IPv6 are not affected by this problem.


Originally posted on January 16, 2017 @ 6:23 pm
