|SNI SSL - Anyone using it? Where to buy?|
With encryption becoming a bigger issue, SNI seems like the answer…
| 12:19 pm on Mar 24, 2014 (gmt 0)|
Whether it's people trying to stop NSA eavesdropping, or Matt Cutts saying he'd like to see sites with SSL rank higher in the SERPs, there seems to be a huge push to implement SSL. Thing is the bulk of sites are on Apache with a shared IP address. There seem to be multi-domain ("UCC") SSL certs for Windows, but the multi-domain solution for Apache seems to be SNI, but it doesn't seem like many people are using it and it's hard to find vendors that sell them.
In my reading it seems the biggest issue with SNI is compatibility - the two biggest unsupported groups are Windows XP users using Internet Explorer (about 1.1% of the visits to my sites), and Android 2 users using the default browsers (1.6% of visits to my sites). There are SNI-compatible browsers for XP, and I think the same is true of Android 2.
Clearly SNI hasn't reached the 99% compatibility threshold, but it may be at 95% compatibility - and for some sites it's probably a viable option if their numbers are slightly better than mine, or the site has a loyal following that is willing to change browsers to view the site.
All that brings up a few questions for me...
First, have any of you actually used SNI certs? What has been your experience?
Second, who sells them? I searched a number of SSL vendors I knew of and none seem to be advertising them.
Third, are SNI certs like other certs which can offer organizational verification or EV level verification?
| 1:54 pm on Mar 24, 2014 (gmt 0)|
One other question... Is the cert SNI (multi-domain) or is the architecture SNI and supports multiple, regular certs? I just realized it may be the architecture, which is why I can't find vendors that sell SNI certs. So when my hosting company told me "one SSL certificate per IP" they were (technically) wrong. While that may be the best / most compatible way to set things up, it's not the only way to set things up. Or am I confused (yet again)?
| 3:35 am on Mar 25, 2014 (gmt 0)|
This is something I revisit from time to time, but never pull the trigger for the reasons you mention.
I'm not totally current, so take this with a grain of salt, but as I understand it...
1. "have any of you actually used SNI certs?"
There's no such thing as an SNI cert, just like there are no TLS certs. All certificates are called SSL certificates even though, these days, most people are actually using the TLS protocol, not the SSL protocol. SNI is simply an enhancement to the TLS protocol. So a certificate that works for TLS works for SNI *provided* that the server and the client both support SNI.
2."Who sells them?" Nobody or everybody, depending on how you look at it. See #1.
3. I think you would need a multi-domain EV cert.
| 1:12 pm on Mar 25, 2014 (gmt 0)|
I was talking to a friend the other day and he's got UCC certs on his server and pointed out that you can indeed run UCC certs on Apache (in all my reading I thought they were a Windows thing - since the documentation only ever mentions things like Exchange Server). So now I'm completely confused.
I'm thinking now that you can either have a UCC cert (which is 99+% compatible?) or you run regular certs in an SNI architecture/environment (and are probably 95+% compatible at this point). But honestly that might be wrong too. Can anyone clear up the confusion?
| 2:43 pm on Mar 25, 2014 (gmt 0)|
SNI is an extension on TLS and makes it possible to have more then one certificate per IP. This can be used for shared hosting. It is not compatible with XP.
UCC is still one certificate per IP but there is a field subjectAltName where you can put more hostnames in. This certificate became popular with the exchange 2007 introduction.