Support

Find answers, guides, and tutorials to supercharge your content delivery.

SNI (Server Name Indication) Explained

Published on April 8, 2022
SNI (Server Name Indication) Explained

You can imagine SNI as follows: you send a letter to an apartment building and not to a single-family house. In the case of the single-family house, the street address would be enough for your letter to be delivered to the right person. However, if you want your letter to be delivered to the right person in the case of the apartment building, you would need the apartment number in addition to the street address.

Many web servers are more like apartment buildings than single-family homes: they host multiple domain names, so the IP address alone is not enough to indicate which domain a user is trying to reach. This can result in the server displaying the wrong SSL certificate, which prevents or aborts an HTTPS connection - just as a letter cannot be delivered to an address unless the right person signs for it.

SSL is one of the most crucial aspects of a website's security, and it ensures that your customers' data will be encrypted. However, there are two different types of SSL certificates: an "SNI" certificate and a "wildcard" certificate. This article discusses using SNIs to secure multiple domain names on one IP address while still using a single SSL certificate.

What is Server Name Indication (SNI)?

Server name indication is a Transport Layer Security (TLS) extension that sends the domain names of incoming requests to websites. This allows SSL certificates with multiple domains or subdomains on one IP address. This means that you will not have to have an SSL certificate for each domain name. For example, suppose your website has a main site and forums section. In that case, the single IP address will protect both of these domains without paying twice for two separate certificates or going through the trouble of purchasing one from multiple providers.

You can also use SNIs to secure high-traffic sites and load balance servers by sending all non-secure site visitors through a single server. This will save you bandwidth and money.

The server name

You can think of a server name as the hostname that you type into your browser. For example, if you want to visit Google's home page, you would enter "google.com" in your browser URL bar and press enter. This is the same as typing in google.com on its own line because it will take users directly to the website without going through a search engine.

What is TLS?

TLS or the predecessor SSL (Secure Sockets Layer) is a protocol that ensures secure connections between web servers and browsers. TLS provides three key security features: data encryption, server authentication, and message integrity. Data encryption helps to prevent third parties from listening in on sensitive information such as passwords or credit card numbers. At the same time, they are being sent over the network by scrambling it so that it appears to be meaningless text. Server authentication ensures that the website you communicate with is who they claim to be and not someone pretending to be them. Message integrity means that a third party cannot intercept your data and alter or change any of its contents without being detected by the receiver endpoint, which in this case would either be the server hosting the website or your browser.

TLS or SSL certificates contain domain names and a cryptographic key used to secure the connection between an endpoint (in this case, either the hosting server or your browser) and another machine. If you have multiple domains on one IP address, it will also need to have multiple SSL certificates to protect each of these domains.

How does SNI work?

SNI is an extension of the TLS handshake. It is a cryptographic protocol that allows websites to easily implement HTTPS on their servers. When an incoming request for web services comes in, the website's domain name will be sent as well. Because this information is passed along through TLS, all browsers and devices support it automatically, so there's no need to update your technology or code.

Because IPv4 only has around 4 billion IP addresses to go around, and not every address can be used for SSL certificates, SNI is a necessary extension to secure multiple domain names on one IP. It allows website owners to secure as many domains and subdomains as they want without worrying about the limited number of addresses available.

In order for SNI to work, the web server and client must both support it. If they don't, the visitor will be sent to a default website usually hosted on port 443. This means that visitors who come to your site via unsecured methods such as Google search results or links from other websites won't have their traffic encrypted. However, because most browsers now automatically redirect to the secure version of a website (usually starting with "HTTPS://"), this is not usually much of an issue.

Wildcard certificates vs SNI certificates

An SNI certificate is a type of SSL certificate that allows you to secure multiple domain names on one IP address. These certificates are cheaper and easier to manage than traditional wildcard certificates. They also offer security because they use 2048-bit SSL encryption.

Wildcard certificates are traditional SSL certificates that allow you to secure an unlimited number of subdomains on one domain name. This is a more expensive option and has some security issues. However, wildcard certificates can only be used on one IP address, making them less versatile than SNI certificates.

SNI offers a cheaper and easier option than traditional wildcard certificates. They also offer plenty of security, and SNIs can be used on multiple IP addresses, making them more versatile than wildcard certificates.

Which option is right for me?

If you want to secure multiple domain names on one IP address, then an SNI certificate is the right option for you. They are cheaper and more secure than traditional wildcard certificates. However, if you want to secure a single subdomain on a different domain name, you should use a wildcard certificate.

You would want to secure multiple domain names on one IP address if you have a high-traffic website or if you want to load balance servers. You will want to use a wildcard certificate if you want to secure a single subdomain on a different domain name.

Why use Server Name Indication (SNI)?

There are lots of reasons why using SNIs will benefit your business, but the most important ones include:

You can utilize one SSL certificate for all subdomains or different domains on a single IP address; this saves time and money as it's cheaper and easier to obtain than a certificate for each domain name.

SNI hosting is more secure because you only have one SSL Certificate Authority (CA) that issues the certificates. With traditional wildcard or multi-domain certificates, there would be multiple CAs which could lead to security leaks if they were compromised.

You can take advantage of SNI hosting even if you have a high-traffic website, as the TLS handshake only happens at the beginning of an SSL session and does not affect performance.

You can take advantage of this technology even if your business has a medium to a low amount of traffic because it's lightweight and won't slow down your site.

Why Server Name Indication isn't more widespread

The main reason why SNI isn't more widespread is that not all operating systems (such as Windows XP) support TLS. However, this number is growing every day as more and more people realize the benefits of using SNI certificates.

Another reason for the lack of widespread adoption could be attributed to a lack of education on the topic. Many people still think they need a wildcard certificate to secure multiple subdomains on one domain name, which is not the case.

The future of SNI

Although server name indication has been around since 2003, it is slowly gaining traction as a more common technology in the world of security and SSL certificates. Although not every website owner has to take advantage of SNI, it can save you time, money, and headaches when securing your business or website online.

If you're looking for a more secure and versatile way to secure your website, then server name indication is the right choice for you. SNI certificates are cheaper and easier to manage than traditional wildcard certificates, and they offer plenty of security. You can also use them on multiple IP addresses, making them more versatile than traditional SSL certificates.

Supercharge your content delivery 🚀

Try KeyCDN with a free 14 day trial, no credit card required.

Get started
KeyCDN uses cookies to make its website easier to use. Learn more