Server Name Indication (SNI): Definition & Usage

Learn why Top Industry Analysts consistently name Okta and Auth0 as the Identity Leader

Use server name indication (SNI), and you can host several domain names at once, each with unique TLS certificates, under a single IP address. 

Let's start with an example. 

The hosting giant GoDaddy has 52 million domain names. Consumers expect privacy on each one. But they're all hosted on the same IP addresses.

But in the past, companies like GoDaddy did things like creating blanket security certificates to reassure consumers (and their browsers). This wasn't always effective. Sometimes, sites wouldn't load. Other times, users got dreaded "This site is not secure" messages before they could connect. 

SNI is designed to solve this problem by changing the way a browser interfaces with a server. 

Let's dig deeper.

What Problem Does an SNI Solve?

Plenty of hosting companies serve websites with vastly different domain names, but they're all hosted on the same IP address. Connections in this environment can tangle very quickly.

To connect with a website, your device must go through a handshake process that involves:

  • Outreach. Your browser taps the host server and requests an SSL certificate. These tiny data files work a bit like authentication, ensuring that the connection between a browser and a server is secure. 
  • Trade. Your browser and the host server trade electronic keys to solidify the security process. 
  • CLIENT HELLO. Your browser requests a specific website within a shared IP via this code. 
  • Connection. You're ready to engage. 

Notice that your browser requests a specific IP address after requesting an SSL certificate. And here's the problem. 

If the server doesn't know exactly which site a browser wants, it can send the wrong one. Instead of getting the security certificate for the site you want, you'll get one for a site you never asked for. Confusions like this come with alerts. Your website could, as one blogger puts it, end up "scaring people" with warnings about poor security certificates. 

It might seem wiser, in this environment, to devote one IP address to each unique website. Unfortunately, there just aren't enough IPs to go around. 

IPv4 is an international communication standard that governs online traffic. Numeric labels are assigned to each device on the internet, allowing for fast connections. But this system was developed in 1981, and it can't keep up with demand. 

So many devices are online-enabled now. In addition to computers and phones, we have doorbells, refrigerators, speakers, and microwaves ready to connect. Unique addresses are rare. 

A new standard in development, IPv6, will solve the problem. But it's not ready yet. For now, we must learn to share. And SNI makes that possible.

How the TLS SNI Extension Works

Think of SNI as flipping a standard access protocol upside down. Instead of waiting to tell a server which site you'd like to see, you make the request upfront. 

SNI is an extension to the TLS protocol. During a handshake with a host, a browser can specify the domain name of the requested site before exchanging security keys. That means the right certificate is sent right away, and risks of poor user experience are reduced.

Is SNI Secure?

Developers created the underlying SNI concept to ensure that users had secure connections to the sites they wanted to visit. But unfortunately, the extension does have a security risk. 

SNI isn't completely encrypted. Anyone snooping on your site could see the site you're trying to visit. And if that eavesdropper is talented, that person could replace the host name you want with one controlled by the hacker. 

Developers are using workarounds to encrypt SNI to reduce or eliminate this risk. But for now, it remains real.  

Who Can Use SNI?

Most consumers can't outright force their browsers to accept this technology. It's written into the code, or it's excluded from the same code. 

Implementation of SNI can be a little tricky. Organizations must have working systems that accept and use the extension. And visitors must be on browsers that do the same. 

Some companies use workarounds. They implement SNI only on specified operating systems, and they leave the others to chance. 

If visitors are working on browsers that don't support SNI, they may go through default handshake systems and get the wrong certificate. Thankfully, this is rare. Most browsers do work with the SNI system.

If you're working with legacy systems, you know how difficult it is to keep things safe and secure. We've written up a whitepaper on the topic that you might find useful. Read all the details here.  

References

How Go Daddy Keeps 52 Million Domains Running. (April 2012). Data Center Knowledge. 

Solving the IP Address Shortage. (May 2011). Governing. 

Is Your Website Scaring People? Friends of Ministry.