Does your HTTPS site need a unique IP address?

     
12:28 pm on Sep 16, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


Unique IPs are most commonly used with domains that have Secure Hosting enabled. While it is possible to use Secure Hosting without a Unique IP, some older browsers which do not support Server Name Indication display a certificate warning when viewing your site (even if your cert is valid.)

The following browsers do NOT support Server Name Indication (SNI):

• Internet Explorer (any version) on Windows XP or Internet Explorer 6 or earlier
• Safari on Windows XP
• BlackBerry OS 7.1 or earlier
• Windows Mobile up to 6.5
• Android default browser on Android 2.x (Fixed in Honeycomb for tablets and Ice Cream Sandwich for phones)
• wget before 1.14
• Java before 1.7
• Nokia Browser for Symbian at least on Series60
• Opera Mobile for Symbian at least on Series60
12:50 pm on Sept 16, 2016 (gmt 0)

Administrator from US 

WebmasterWorld Administrator not2easy is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2006
posts:4520
votes: 350


Isn't it somewhat ironic that Windows XP using IE6 would warn visitors about SSLs?
1:11 pm on Sept 16, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


My content gets a lot of those users who bought a machine 15 years ago and never upgraded beyond what the box came with.
12:02 am on Sept 17, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1995
votes: 75


I think it also needs to be mentioned that SNI was only introduced on Microsoft IIS since version 8.

[iis.net...]
12:10 am on Sept 17, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8639
votes: 283


"Internet Explorer (any version) on Windows XP"

Actually, this is not related to Internet Explorer. This is a limitation of Windows XP. So that should read "No browser of any brand on Windows XP."

Simply put, SNI will not work with Windows XP whether using Firefox, Chrome or whatever.

"Unfortunately, SNI support isn’t available on Windows XP, even in IE8. IE relies on SChannel for the implementation of all of its HTTPS protocols. SChannel is an operating system component, and it was only updated with support for TLS extension on Windows Vista and later." --src: [blogs.msdn.microsoft.com...]


Depending on which sources you check, Windows XP accounts for about six to ten percent of desktop/laptop traffic, which, assuming you have about half your traffic on mobile/tablet, would be three to five percent. By some measures, it is still more popular than OS X.
- [netmarketshare.com...]
- [en.wikipedia.org...]

Note also that SNI doesn't work with mail servers and FTP servers last I knew.

So you need to look at your needs and your analytics and figure out whether you can afford to write that traffic off.

Some past discussions of SNI
[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]
1:24 am on Sept 17, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


"Actually, this is not related to Internet Explorer. This is a limitation of Windows XP. So that should read "No browser of any brand on Windows XP.""

Thanks for the additional information. I didn't intend to sound like it was an Internet Explorer thing.
4:05 am on Sept 17, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893



Make sure your web server supports SNI and that your audience uses supported browsers, generally. While SNI is supported by all modern browsers, you'll need a dedicated IP if you need to support older browsers.
source: [support.google.com...]
5:19 am on Sept 17, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


You don't need SNI to serve multiple sites with https over one IP. I have done this for almost 10 years now with wildcard and multiple domain certificates. But the prices for these certificates are still higher per year than the price most hosting companies ask for additional IPs.

Recently though I switched all my sites to https only over one IP, practically cutting off the two to ten percent visitors still using outdated technologies. Revenue from the sites hasn't changed, which was for me the assurance that those who don't invest in their own computer equipment also do not spend much money on the net.
5:30 am on Sept 17, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


"those who don't invest in their own computer equipment also do not spend much money on the net."

I agree. These are usually the types that are leery of using their credit cards on the internet... all while using archaic systems that are no longer supported with security updates.

But isn't there more than sales that we get from traffic? Traffic builds branding and rating which might translate as sales long term.
6:36 am on Sept 17, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Must be a frustrating experience to browse the Web without SNI these days. Anyway, I doubt my sites are very usable in IE <9 since I stopped caring about those versions long ago, and setting up dedicated IPs for those users is probably not worth the money and effort required.

Oddly enough, Analytics tells me that, on one site, I still got 150+ visitors last month who were on Windows XP using Internet Explorer, and their average bounce rate and pages visited look pretty normal, when they shouldn't even be able to access the site.

Or can the SNI problem be bypassed? Perhaps XP/IE users are used to seeing and bypassing those warnings. I'll pull my XP laptop out of the closet later on, see what happens.
7:23 am on Sept 17, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:3004
votes: 207


I thought Chrome and FF did support SNI on Windows XP?

Does your site work with those browsers anyway? Have you tested the design with them?
8:58 am on Sept 18, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


So it's not that these older browsers or Windows XP users can't access an HTTPS site, just that they will receive continued cert warnings they will need to click through even if your cert is valid.

I would assume these users are accustomed to seeing these warnings given the huge number of sites moving to secured. I also think many of these users understand what the issue is by now, and that they are either tentative or can't afford the hardware upgrade.
11:38 pm on Sept 18, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1995
votes: 75


SNI & ShmeSeNay is all moot.

Real question is: Are major Search Engines able to distinguish when the user is using their search utility(and let you them/you in their own words in "So called Control Panels" in clear wording what needs to be done).

Using an outdated browser? Or is it that Goog Said 1.1 and $M said "I don-now-dude"?

Can Someone on WebmasterWorld open a real issue?
8:15 am on Sept 19, 2016 (gmt 0)

New User

5+ Year Member

joined:Feb 2, 2013
posts: 7
votes: 0


i bought ssl and hosting told u should have unique IP
10:15 am on Sept 19, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


"i bought ssl and hosting told u should have unique IP"

You've been upsold. Or their technology is outdated.

"Real question is: Are major Search Engines able to distinguish when the user is using their search utility(and let you them/you in their own words in "So called Control Panels" in clear wording what needs to be done).

Using an outdated browser? Or is it that Goog Said 1.1 and $M said "I don-now-dude"?"

I have no idea what you're saying.
12:06 pm on Sept 19, 2016 (gmt 0)

Senior Member from GB 

WebmasterWorld Senior Member graeme_p is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Nov 16, 2005
posts:3004
votes: 207


@lammert unless you are using free certificates, an IP plus a certificate per site seems to cost about the same, at least for some combinations of hosts and issuers - near enough that price is not going to be the deciding factor anyway.

Also, some options for hosting have limited flexibility about IPs (e.g. a limit on the number of IPs per VPS) so requiring more IPs might limit your hosting options.
1:52 pm on Sept 19, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


"Or can the SNI problem be bypassed? Perhaps XP/IE users are used to seeing and bypassing those warnings. I'll pull my XP laptop out of the closet later on, see what happens."

To follow up on this: yes, the certificate warning is pretty easy to circumvent by clicking "Proceed to this website", although it's "(not recommended)". That's on Windows XP with IE8. It's annoying to have to click through all the time, but people may be used to it.

Interestingly, I cannot access WebmasterWorld at all on that setup (unrelated to the HTTPS certificate).
2:29 pm on Sept 19, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


"Interestingly, I cannot access WebmasterWorld at all on that setup (unrelated to the HTTPS certificate)."

You cannot access WebmasterWorld because it uses TLS only. SSL has been switched off server side. I have the same setup on my servers and no Windows XP or other older clients without TLS support are able to connect.
3:14 pm on Sept 19, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


Windows XP supports TLS 1.0, so unless they have that disabled, it should work. I also have SSL disabled server-side and my sites load just fine on that machine.
3:28 pm on Sept 19, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


Then it may be the cypher set available on the server. I recently did a security scan on my servers which advised me to switch off weak cyphers.
3:34 pm on Sept 19, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Sept 25, 2005
posts:2091
votes: 370


"Server sent fatal alert: handshake_failure" is what SSL Labs [ssllabs.com] tells me. Could be the ciphers.
3:58 pm on Sept 19, 2016 (gmt 0)

Senior Member from NL 

WebmasterWorld Senior Member lammert is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 10, 2005
posts: 2955
votes: 35


If that is the case, then we can maybe conclude that https sites which have disabled weak ciphers have no advantage of serving their content over individual IPs, because clients which cannot use SNI are already blocked from those sites because they cannot use high strength encryption ciphers.
8:41 pm on Sept 20, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


RE: the ssllabs.com test

They rated my site "A" for all 4 categories: certificate, TLS 1.2 (with backward support) Protocol, Key Exchange & Cipher Strength.

And I'm using a free Let's Encrypt cert without a unique IP address :)
6:42 pm on Sept 21, 2016 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
posts:1995
votes: 75


@KP

What OS/WebServer Ver. is this on?
8:22 pm on Sept 21, 2016 (gmt 0)

Senior Member from US 

WebmasterWorld Senior Member keyplyr is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Sept 26, 2001
posts:12913
votes: 893


@blend27 - sticky sent

Linux, apache2