USD 
USD 
GBP 
EUR 
INR 
ZAR 
AUD 
CAD 
MYR 
SGD 
THB 
HKD 
BRL 
AED 
Server Name Indication – SNI has changed how websites with a single IP address should handle SSL/TLS certificates. Previously, a website on a single IP address could only host one SSL certificate. SNI enables multiple SSL/TLS certificates to be used on the same IP address.
With the rapid expansion of websites and TLDs, the demand for secure communication has increased. SSL/TLS certificates encrypt the data and secure transmission over the internet. However, hosting multiple SSL certificates on the same IP address posed a challenge. The Server Name Indication has come to the rescue in mitigating this challenge.
This article provides a clear idea about the SNI extension. We will also learn about its working and importance in modern web security.
What is Server Name Indication (SNI) in TLS?
The Server Name Indication is an extension of the TLS (Transport Layer Security) protocol. It supports the browser or application to communicate with the hostname during the primary TLS handshake.
Each SSL/TLS certificate sought a separate IP address before SNI was introduced. A single server hosting multiple domains struggles to determine different certificates without separate IPs. SNI enables various domains to share a single IP while using their own TLS certificates.
How Does SNI Work?
- The user’s browser sends a request to the server when visiting the website.
- If the website has SSL/TLS, a TLS handshake happens between a server and the client.
- The client includes the requested hostname in its request with the support of SNI.
- The server presents the SSL certificate to the hostname after reading the SNI field.
- Hence, a secure connection is established without the extra IP address.
The server wouldn’t have known which certificate to use without a Server Name Indication. This creates a high risk of security warnings and connection failures.
How Does Server Name Indication Works with TLS?
Let us understand the role of Server Name Indication and its interaction with the TLS handshake process.
Steps in the TLS Handshake with SNI:
- Client Hello:
- The browser initiates a primary connection with the server.
- This connection includes the requested hostname in the SNI field.
- Server Hello:
- The server scans the hostname from the SNI field.
- It picks the suitable SSL/TLS certificate from the requested domain.
- Certificate Exchange & Verification:
- The server sends the chosen SSL certificate to the client.
- The client thoroughly verifies the validity of the certificate.
- Encryption Established:
- Upon successful verification, an encrypted session is established between both parties.
- Then, a secure data transmission begins.
The user can securely host multiple domains on a single server by using the server name indication in this process.
What is a Hostname and a Virtual Hostname in Server Name Indication?
Hostname:
It is a unique identifier allotted to a domain on a network. For instance, www.cheapsslshop.com is a hostname that maps to an IP address. They assist users in locating web resources.
Virtual Hostname:
It refers to the domain hosted on a shared serving with an SNI. Virtual hostnames enable multiple domains to coexist on a single server without the need for an SSL/TLS-enabled domain for each IP address.
For example, consider a web hosting provider with multiple clients:
- cheapsslshop1.com
- cheapsslshop2.com
- cheapsslshop3.com
All these three sites share one single server and IP address. A server operating with SNI can present an appropriate SSL/TLS certificate based on the hostname requested by the client. It enables multiple domain names to utilize the same IP address so they can establish secure connections without needing new IP addresses.
What is Encrypted SNI (ESNI)?
Encrypted SNI is the advanced version of SNI that encrypts hostname details transmitted during TLS handshake operations. It blocks external observers from seeing which website the user is accessing.
Although SNI enhances security with support for multi-domain SSL/TLS encryption, it has a drawback. In general, during the TLS handshake, the hostname is transmitted in plaintext. Due to this transmission, third parties such as Internet service providers, network administration, or attackers can see it. ESNI addresses this issue by encrypting the hostname.
How Encrypted SNI Works:
- Before sending the request, the browser encrypts the SNI field.
- The server decrypts the hostname using a predefined cryptographic key.
- The requested domain is thus protected as a secure connection is established.
Later, ESNI was replaced with Encrypted Client Hello (ECH), which offers better privacy protection by encrypting more handshake details in TLS 1.3.
How Does SNI Differ from SAN (Subject Alternative Name) Certificates?
Server Name Indication (SNI) and Subject Alternative Name (SAN) certificates are two solutions for hosting multiple domains securely. While both address the challenge of IPv4 exhaustion, they work differently. The table below highlights their key differences:
| SNI (Server Name Indication) | SAN (Multi-Domain Certificate) |
| TLS extension that allows multiple SSL certificates on a single IP address | A single certificate that secures multiple domains and subdomains |
| Can host millions of domains on the same IP | Covers multiple domains under one certificate, but still uses a single IP |
| May not be supported by very old browsers and operating systems | Works universally with all browsers and servers |
| Each domain requires its own certificate | A single certificate can secure up to 200 domains |
| More cost-effective for large-scale hosting | Can be more expensive due to certificate pricing |
| Shared hosting, CDNs, cloud services | Businesses managing multiple domains with a single certificate |
| Hostnames can be exposed unless using Encrypted SNI | No exposure of hostname since everything is included in the certificate |
Why Server Name Indication is Still Needed Despite Multi-Domain Certificates?
While Multi-Domain Certificates (SAN Certificates) secure multiple domains under a single certificate, they come with notable limitations, making Server Name Indication essential. Managing a SAN certificate can be cumbersome, as any addition, removal, renewal, or revocation affects all listed domains, requiring the entire certificate to be reissued and redeployed.
Security is another concern – since all domains share the same certificate, a single vulnerability could impact multiple domains, whereas SNI allows each domain to have its own isolated certificate. Due to these constraints, SNI remains a superior solution for hosting providers, CDNs, and cloud services that require flexibility, scalability, and enhanced security.
Advantages and Disadvantages of Using Server Name Indication
Though Server Name Indication has been introduced to solve a problem, it has its set of advantages and disadvantages.
Server Name Indication Advantages:
- Works with a single IP Address: It avoids using separate IPs for each domain.
- Cost-Effective: Reduces management costs of SSL/TLS certificates and hosting.
- Flexible Hosting: Supports multiple domains to host on a single server, including those secured by single-domain SSL and multi-domain SSL certificates.
- Compatible with Modern Browsers and Servers: It is compatible with major hosting platforms and web browsers.
Server Name Indication Disadvantages:
- Not supported by Older Systems: Oftentimes, OS versions and legacy browsers are not supported.
- Hostname Exposure: Hostname is clearly visible to third parties without Encrypted SNI.
- Potential Compatibility Issues: A few enterprise security systems chose to block these connections.
Though there are a few limitations, Server Name Indication is consistently chosen as an effective way to host secure multi-domain websites.
Server Name Indication Compatibility
SNI, being a TLS extension, needs support from the browser and the server. Although modern systems are in favor, older platforms often lack compatibility.
Supporting Browsers:
- Google Chrome (v6+), Firefox (v2+), Edge, Safari, and Opera
- Android (v3.0+), iOS (v4.0+)
Supporting Servers:
- Apache (v2.2.12+), Nginx (v0.5.23+), IIS (v8.0+)
- Cloud services (AWS, Azure, Cloudflare)
Non- Supporting Legacy Systems:
- Internet Explorer on Windows XP.
- Outdated SSL libraries embedded in older devices.
Users relying on non SNI-compatible systems may face connection failures and security warnings.
Conclusion
Server Name Indication has revolutionized modern web hosting. It reduces management costs and optimizes server resources through multiple SSL/TLS certificates on a single IP.
Although modern web hosting has benefitted from SNI, compatibility issues with legacy systems have become a problem. Adding to this, hostname exposure also adds up to its drawbacks. SNI’s advanced version, Encrypted SNI, later replaced with Encrypted Client Hello (ECH), resolves this issue by improving security. However, their widespread option is still in progress.
The server name indication streamlines SSL/TLS management and improves security, thus helping businesses, hosting providers, and developers. Organizations handling multiple secure domains find SNI to be a more efficient and scalable solution. If you’re managing multiple domains on a single server, SNI can optimize security and efficiency. Explore cost-effective SSL solutions at CheapSSLShop to secure your domains with confidence!
