What is Server Name Indication (SNI)?

All that a server name is is the computer’s name. Unless the server hosts a single domain and the server name is the same as the domain name, this name is not displayed to end users for web servers. An addition to the Transport Layer Security computer networking protocol is called Server Name Indication, which enables the client to provide the hostname it is attempting to connect to at the outset of the handshaking procedure.

What is Server Name Indication?

Server Name Indication (SNI) is a TLS protocol addon. At the beginning of the TLS handshake, it enables a client or browser to specify the hostname it is attempting to connect to. As a result, the server can display several certificates on the same port and IP address.

Features of SNI

• Cost savings: Obtaining and using IP addresses comes at a high cost. SNI contributes to the reduction of the requirement for extra IP addresses while hosting several websites. As a result, significant financial savings are possible because extra IP addresses are not required.
• Compatibility: Because SNI is supported by most modern web browsers and servers, it is a commonly used solution for hosting multiple secure websites on a single server.
• Multiple certificates: SNI allows the installation of multiple SSL/TLS certificates on a single server, allowing the hosting of many domain names on the same IP address.
• Enhanced Performance: SNI increases server capacity and optimizes resource usage, which can speed up webpages.

Why use SNI?

Since IP addresses are a limited resource, SNI is significant in that it conserves them. Below are some of the reasons to use SNI:

• It makes it easier for website administrators and owners to manage SSL/TLS certificates because they are no longer required to purchase and set up a unique IP address for every website that needs SSL/TLS encryption.
• With the help of SNI, servers can host multiple TLS certificates for multiple sites, all under one single IP Address.
• SNI has the advantage that scanning an IP address does not reveal the certificate which helps to increase security.

What is a Hostname?

The hostname in SNI refers to the domain name or IP address of the server that a client wants to communicate with securely over HTTPS. A device that is connected to a network is identified by its hostname. A domain name, or the name of a website, is a kind of hostname in the context of the Internet. Both exist independently of the IP address linked to the domain name.

What is a Virtual Hostname?

A virtual hostname in SNI refers to the hostname provided by a client during the SSL/TLS handshake to indicate the server it is trying to connect to when multiple virtual hosts are hosted on the same IP address and port using name-based virtual hosting. A virtual hostname is a hostname that is hosted on a server with other hostnames and lacks its own IP address. Similar to virtual reality, which only exists digitally and not in the real world, it is “virtual” in that it lacks a specific physical server.

What Does the TLS SNI Extension Do?

The Transport Layer Security (TLS) protocol is used to establish secure and encrypted connections between a client and a server over the internet. The Server Name Indication (SNI) extension is a part of the TLS protocol that allows a client to specify the hostname of the server it is trying to connect to during the SSL/TLS handshake.

A web server is frequently in charge of several hostnames, also known as domain names (the names of websites that are readable by humans). In the event that the websites adopt HTTPS, each hostname will have a unique SSL certificate.The issue is that one server’s hostnames are all assigned the same IP address. This is not an issue with HTTP, as the client will specify the website it is attempting to access in an HTTP request as soon as a TCP connection is established.However, HTTPS encrypts HTTP messages; it does not replace HTTP with another protocol. Instead, it requires a TLS handshake before the HTTP discussion can start. Therefore, without SNI, the client cannot tell the server whose hostname they are interacting with. Consequently, the server can generate the SSL certificate for an incorrect hostname. The client browser gives an error and typically closes the connection if the name on the SSL certificate does not match the name the client is attempting to access.In order for the TLS process to reach the correct domain name and obtain the correct SSL certificate, SNI adds the domain name to the TLS handshake process. This allows the remainder of the TLS handshake to proceed normally.

How Does SNI Works?

Below are the mentioned steps that demonstrates the working of Server Name Indication.

Step 1: TLS Handshake

The TLS (Transport Layer Security) handshake between the client and server is started by the client. The client communicates with the server by way of a Client Welcome message during this phase.

Step 2: Client Hello Message

A list of supported TLS protocol iterations is included in the Client Welcome message, along with a nonce, which is a random number. Also, it contains a signal that the client is compatible with the SNI extension.

Step 3: Hostname Specification

With the Client Welcome message, the client will include the hostname of the server it wants to connect to if it supports SNI.

Step 4: Server Hello Message

If the server supports SNI, it responds with a Server Hello message. The requested hostname’s SSL certificate, a nonce, and the TLS protocol version are all included in the Server Welcome message.

Step 5: SSL Certificate Verification

During the handshake phase, the client checks the SSL certificate that the server has provided. The client completes the TLS handshake procedure if the SSL certificate is legitimate and trusted.

Step 6: HTTPS Request

The requested hostname is included in the HTTP Host header when the client sends an HTTPS request to the server. Due to its name-based virtual hosting configuration, this enables the server to decide which virtual host to serve.

Step 7: Virtual Host Serving

The HTTPS request is processed by the server, which then provides the client with the proper response. SNI increases web hosting efficiency by allowing many HTTPS-enabled websites to be hosted on the same IP address and port.

Which Browsers Supports SNI?

Below are some of the Browsers that support SNI:

• Google Chrome (version 6 and later).
• Mozilla Firefox (version 2 and later).
• Microsoft Edge (all versions).
• Apple Safari (version 3 and later).
• Opera (version 8 and later).
• Android Tablet Default Browser – starting with 3.x (Honeycomb).
• BlackBerry 10 Web Browser.
• OpenSSL – starting with version 0.9.8f.

What is Encrypted SNI?

Encrypted SNI (ESNI) is an extension to the TLS protocol that encrypts the SNI information sent by the client during the TLS handshake. To protect user surfing data, encrypted server name indication (ESNI) is a necessary feature. It guarantees that eavesdropping third parties are unable to exploit the TLS handshake procedure to track the websites users visit. As its name suggests, ESNI does this by encrypting the TLS handshake’s server name indication (SNI) section.

What is Wildcard Certificate?

A single certificate with the wildcard character (*) in the domain name field is known as an SSL/TLS wildcard certificate. As a result, the certificate can protect numerous hosts or subdomain names that belong to the same base domain.

Like SANs, wildcards are an additional feature of SSL certificates. Purchasing a Wildcard SSL option is both economical and practical if your website includes multiple subdomains, such as new.websitename.com and blog.websitename.com.

Benefits of SNI

• Multiple SSL Certificates: SNI enables the hosting of numerous SSL certificates on a single IP address, which can save hosting costs and make SSL certificate maintenance easier.
• Enhanced Security: SNI makes it easier to secure many websites, permits the use of SSL certificates on multiple domains, and ensures correct SSL certificate validation, all of which contribute to increased website security.
• Improved Server Efficiency: SNI decreases the requirement for dedicated IP addresses for SSL certificates, which can increase server efficiency by lowering the required number of IP addresses.
• Better Website Management: SNI makes managing many websites with various SSL certificates on the same server more effective for website owners.
• More Flexibility: SNI gives website owners extra configuration and management options for SSL certificates, which can be especially helpful for bigger websites or those with intricate hosting requirements.
• Hosting on Multiple Domains: On a single server and IP address, you may host and secure numerous websites with SNI. SNI simplifies SSL maintenance and drastically lowers hosting expenses.
• Adaptability: With SNI, you may easily add or remove websites from a server without changing its configuration or getting more IP addresses.
• Improved Use of Resources: Better use of resources, such IP addresses, which can be costly and scarce, is made possible by SNI. Using the same IP address for several websites slows down IPv4, the main protocol that allows us to connect to the Internet.

Limitations of SNI

• Lack of Encrypted SNI Support: During the TLS handshake, SNI information is provided in plain text, which can make it possible for outsiders to see the domain name of the website being accessed. Encrypted SNI (ESNI) can be used to overcome this restriction, although it is not currently widely supported.
• Single Certificate Per IP Address: Just one certificate can be used per IP address since SNI depends on the SSL/TLS handshake to decide which certificate to use. When hosting many websites with various certificates on the same IP address, this can be problematic.
• Limited to HTTPS: SNI is only applicable to HTTPS connections and does not provide any benefits for other protocols, such as FTP or SMTP.
• Potential for Misconfigurations: Because SNI depends on proper server setup to function, improper implementation could result in misconfigurations.
• Limited Browser and Server Support: When attempting to access websites that rely on SNI, compatibility issues may arise since some older browsers and servers may not support SNI.
• Potential for Security Vulnerabilities: Attacks like Man-in-the-Middle (MITM) assaults, DNS spoofing, or traffic interception, which might reveal sensitive user information, can make SNI susceptible.
• One is that SNI may not function as quickly as non-SNI solutions or those that use a dedicated IP address. This is because in order to create a secure connection, the server needs to go through an additional process to choose which SSL/TLS certificate to use.
• The fact that not all web browsers and servers support SNI is another drawback. You can experience compatibility problems with older browsers or platforms, which could result in mistakes or security flaws.

 Differences Between SNI and SANs

• Multiple SSL certificates can be supported on a single server using SNI or SANs. Their approaches to offering this help, nevertheless, vary. SANs are a certificate feature, whereas SNI is a server-side technique.
• SNI allows a web server to host several certificates on a single IP address, as you are already aware. Based on the domain name supplied by the client in the initial request, SNI enables the server to choose the appropriate certificate when a client connects to it.
• SANs, on the other hand, are an SSL certificate feature that enables the security of numerous domain names with a single certificate installation. A list of extra domain names (sometimes referred to as Subject Alternative Names) that you can secure with a single certificate is included in a SAN certificate.
• Regarding compatibility, the majority of servers and web browsers from today support SNI and SANs. It’s possible, though, that some legacy systems won’t work with them.

Conclusion

Each aspect and perspective on server name indication has been discussed in this article. You can use SNI for your projects and websites now that you understand what it is. Since SNI is a necessary expansion in the current web hosting environment, the majority of systems are compatible with it. As HTTPS has become the new Web standard, SNI makes it easier to switch from the antiquated HTTP protocol.

Frequently Asked Questions on Server Name Indication(SNI) – FAQs

Which protocols support SNI?

Server Name Indication (SNI) is a TLS protocol addon. At the beginning of the TLS handshake, it enables a client or browser to specify the hostname it is attempting to connect to. As a result, the server can display several certificates on the same port and IP address.

Do all web servers and browsers support SNI?

A TLS protocol enhancement called Server Name Indication enables the hosting of several SSL certificates at the same IP address. Although most contemporary browsers use it these days, older ones could not support SNI!

Are there any compatibility issues with SNI?

Domain fronting is limited in its compatibility since it deviates from the standard that defines SNI itself. Several services reject connections with domain-fronted SNI as invalid, verifying that the SNI host matches the host specified in the HTTP header.