The internet is about security and reliability. Internet and cloud service providers take all possible steps to ensure data privacy and protect users from online scams. Similarly, SaaS companies deploy advanced techniques and modern technologies to mitigate cybersecurity threats and secure their servers from malicious attacks.
In this regard, several certificates, standards, and protocols have been introduced over the years. For instance, Transport Layer Security (TLS) is a renowned encryption protocol to ensure internet security. To support the TLS, there is an extension named Server Name Indication (SNI), which is used to host multiple TLS Certificates on servers safely.
An SNI adds the domain name to the TLS handshake, allowing the server to present a specific website the user wants to access while using shared IPs. This way, the client’s device can specify the desired website instantly and prevent name mismatch errors in the TLS handshake process.
In this article, we will review Server Name Indication in detail, explore how it works, and discuss its importance in today’s digital landscape. So, let’s get started!
What is Server Name Indication (SNI)?
Server Name Indication is commonly used to explain the TLS handshake and relevant processes. However, its explanation is a bit tricky and requires basic technical knowledge for better understanding. For beginners, here’s the simplest explanation of Server Name Indication to understand the SNI meaning.
Suppose you are a delivery boy and want to deliver a pizza to an apartment building. Unlike a single house with a street address, an apartment building has several floors and hundreds of apartments. Hence, locating the exact apartment becomes more challenging to deliver pizza to the right person. Consequently, in addition to the street address, you also need information such as the floor number, building section, resident’s name, and apartment number to reach the exact location.
Web servers are similar to apartment buildings hosting thousands of domain names in different categories. Since a server hosts multiple sites with a single IP address, each domain owns a unique SSL certificate. When connecting to one of these sites, the server needs detailed information to show the right SSL certificate. In other words, the server cannot rely on the IP address alone, as it can result in the termination of an HTTPS connection due to the wrong SSL certificate.
To address this problem, servers use Server Name Indication, which acts as an extension for the SSL/TLS protocol used in HTTPS. The SNI streamlines the TLS/SSL handshake process and ensures the identification of the correct SSL certificate. With this extension, the client device can instantly specify the desired domain during the TLS handshake and access that website without any errors or delays.
Refer to the video below for a better understanding:
Server Name Indication Example
Suppose a server named ABC is hosting three different websites www.website1.com, www.website2.com, and www.website3.com, respectively. Since all these websites are hosted in the same place, they have the same IP address with various SSL certificates. Hence, when you try to access www.website1.com, the SNI readily identifies the respective SSL certificate and establishes a secure connection.
This way, SNI prevents the “Common name mismatch” error and “Your connection is not private” error. Initially, Server Name Indication was not a part of the TLS/SSL protocol. At that time, the errors mentioned above were widespread, and internet users had to face inconvenience while trying to access their desired websites.
In 2003, SNI became an extension of Transport Layer Security (TLS) and transformed the user experience. Today, Server Name Indication supports all operating systems, web browsers, and currently used servers.
The Pressing Need for Server Name Indication
When a device attempts to establish a connection with an HTTP site, servers use HTTP HOST headers to present the respective HTTP website. For this purpose, Transport Layer Security (TLS) plays a vital role as the protocol behind HTTPS. Before establishing the HTTP session during the TLS handshake process, there is a need to create a secure session.
Until then, there is no HOST header, and the TLS handshake remains incomplete without a TLS certificate. To access the proper HOST header, the server must know the exact TLS certificate to be presented to establish a secure connection with the HTTP site.
This is where the Server Name Indication becomes essential. It serves as a TLS extension to streamline the TLS handshake process. With server name indication SSL, it becomes more manageable for the server to select the respective key and certificate chain and establish a secure connection. Especially when multiple certificates are hosted on a single IP address, the SNI helps the server pick up the correct certificate and move forward.
A standard TLS handshake without Server Name Indication is time-consuming, less efficient, and highly vulnerable to errors. On the other hand, a TLS SNI handshake is fast and more efficient because the TLS handshake already contains the server hostname. As a result, SNI HTTPS websites can have their own unique TLS certificates with a single IP address.
How does an SNI Work?
As explained earlier, a web server can have more than one domain name hosted on a single IP address. Each hostname (website) has a unique SSL certificate that is used to establish a secure connection during the TLS handshake process.
Before the Server Name Indication, hosting companies had to purchase a unique IP for each SSL certificate. It was a costly process because managing a large database of IP addresses for different domains required a sufficient amount of budget and storage.
The introduction of SNI solved this problem by allowing users to host multiple sites on a single IP address and server. Here’s how the SNL TLS extension works:
Step 1: TLS Handshake Initiation
A user enters the domain name (website) in the web browser. This initiates the TLS handshake process, where a device attempts to establish a secure connection with a specific site.
Step 2: Insertion of the HTTPS Header
The SNI inserts the HTTPS SNI header into the TLS handshake so that the web browser can send the name of the desired domain.
Step 3: SSL Certificate Presentation
Once the server sees the virtual domain (HTTPS SNI header), it finds the specific site requested by the user and presents the correct SSL certificate.
Step 4: Multiple Hostnames on a Single IP Address
SNL eliminates the need to identify a new IP address every time because the server can host multiple domains on a single IP address.
Step 5: Better User Experience & Quick SSL Deployments
Eventually, SNI enhances user experience and makes it quicker and more accurate for the client to access the desired website. Besides, TLS SNI handshake makes SSL deployments cost-effective and painless.
Benefits of SNI
Server Name Indication offers several benefits. Some of them are listed below:
- 1. Solve the IPv4 Shortage
The most significant advantage of SNI is that it helped us solve the IPv4 shortage problem. According to an estimate, there are more than 4 billion IP addresses in the Internet Protocol version 4 (IPv4). At the same time, the number of computers and digital devices connected to the internet has also crossed 4 billion. As a result, a shortage of IPv4 addresses made it extremely difficult for hosting companies to manage such a massive amount of data.
The introduction of SNI made it possible for cloud servers to host multiple domains with unique TLS certificates on a single IP address. This means we need fewer IP addresses to host billions of news sites in the future. As we enter the Internet Protocol version 6 (IPv6), SNI will play a key role in solving the IPv4 shortage problem and making IP addresses more available.
- 2. Better Internet Usage Experience
SNI speeds up the site loading by improving accuracy and reducing possible errors. The client’s device can complete the TLS handshake process and establish a secure connection to the requested site faster and more accurately. Likewise, SNI makes it easy for internet users to update to advanced servers compatible with IPv6 and use high-tech routers and browsers.
- 3. Easy Website Configuration
Another benefit of SNI is that it makes website configuration much simpler and more manageable. Users can use this TLS extension to manage multiple websites on the same IP address.
- 4. Improved Security
In SNL-enabled TLS handshake, servers establish a secure connection by simply scanning an IP address. Since there is no need to reveal the SSL certificate of the requested domain, the process improves general security.
- 5. Cost-efficiency
Since hosting companies don’t have to buy multiple IP addresses for different domains, they need little storage to manage their sites. Hence, SNI helps them save money and offers long-term financial benefits.
Drawbacks of Server Name Indication
- 1. Not Supported by Legacy Browsers
The most significant drawback of Server Name Indication is its compatibility issues, as some specific web servers and browsers don’t support SNI. For example, legacy browsers over six years old – like Internet Explorer, Android 2.3, and Blackberry operating system – often struggle with SNI. As a result, users of these two browsers and OS often report a “common name mismatch error” because a default SSL certificate is chosen in the TLS handshake process.
- 2. Imperfect Model
Some tech experts also believe SNI is imperfect because the information is transmitted without encryption. For instance, the hostname is encrypted and highly vulnerable to third-party attacks from cybercriminals. On the other hand, having a unique IP address for each website would be a safer option. In that case, a secure connection would be possible without SNI.
- 3. Limited Protection
Another drawback of SNI is that the connection with the requested domain is set up in TLS 1.2, which offers little to no protection against censorship and surveillance. Although this problem is already under consideration in TLS 1.3, it will still require more time until TLS 1.3 becomes widely adopted.
How to Solve these Challenges
You must be wondering, are there any ways to solve the challenges mentioned above? Recommended below are some feasible solutions.
- Multi-domain TLS Certificate
If your web browser or operating system doesn’t support SNI, start using Multi-domain TLS as the default certificate. With this option, you can list all your domains or websites on the shared IP on a single certificate. Moreover, a multi-domain TLS certificate can help you solve the IPv4 exhaustion issue and browser or server compatibility.
Watch the video below for more detailed information:
- Encrypted SNI (ESNI)
Encrypted SNI (ESNI) is another viable solution to solve issues regarding information security and protection against cybersecurity threats. ESNI partially encrypts the Client Hello on the part of SNI and secures communication between the client and server. Eventually, no unauthorized users can see the certificate being requested, thus offering extended protection. Modern web browsers like Mozilla Firefox and Cloudflare support ESNI.
We have used several alternatives and opposite terms in the article. Some of them are explained below more comprehensively for better understanding.
SNI vs. Multi-domain TSL Certificate
Although both SNI and multi-domain SSL certificates reduce the number of IPv4 addresses needed, they perform this operation differently. In SNI, websites have their own SSL certificates despite being hosted on the same IP address. However, a multi-domain TSL certificate requires only one certificate for several domains, meaning multiple domains can be hosted on one IP.
Hostname vs. Virtual Hostname
A hostname refers to the name of a website (also called the domain) that connects to a network to establish a secure connection. Each website has its own SSL certificate with a shared IP address. On the other hand, a virtual hostname doesn’t have a dedicated physical server or its own IP address since it is virtual with no real existence.
Browsers, Servers, & Libraries that Support SNI
Listed below are modern browsers, servers, and libraries that support SNI:
|1||Internet Explorer 7||Apache Tomcat 9||Java 1.7|
|2||Opera 8||Apache 2.2.12||Ruby 2.0|
|3||Safari 2.1||Microsoft IIS 8||Erlang r17|
|4||Google Chrome 6||IBM HTTP Server 9.0.0||Python .7.9rc1/3.2alpha4|
|5||Android 3.0||nginx 0.5.23||PHP 5.6|
|6||Windows Phone 7||Jetty 9.3.0||QT 4.8|
|7||Mobile Safari for iOS 4.0||Perl 1.56|
|10||Mozilla Firefox 2|
Server Name Indication plays a crucial role in enhancing the user experience on the internet. While surfing different websites, we use SNI to establish a secure connection between the server and the requested domain. It is an extension that streamlines the TSL handshake process and prevents “common name mismatch error.”
Considering everything covered above, it is apparent that SNI is highly beneficial for internet users. Some of the key benefits offered by SNI include better internet usage experience, easy domain configuration, and improved security. Similarly, the extension helps us solve the IPv4 shortage problem and reduce our operating expenses without compromising performance. At the same time, it also has some drawbacks, such as compatibility issues, limited protection against surveillance, and lack of information encryption. You can address these problems by using multi-domain TSL certificates and encrypted SNI.
Lastly, when choosing a web browser, OS, server, or library, make sure it supports SNI and meets your system requirements for better results.