Conventional wisdom states that in order to secure your website with an SSL certificate, you need a dedicated IP address. For a long time that’s been true; SSL (and its successor TLS) are low-level encryption protocols with no awareness of domains, or even HTTP. Because of this, there’s historically been no way to share IP addresses between websites that each have their own SSL certificates.
This has always been very inefficient in its use of IP addresses. Without SSL, shared hosting allows you to serve hundreds, or even thousands, of websites from a single IP, whereas an IP that's used for providing SSL to a site can only be used for that site. For shared web hosts such as us here at site5.com, many more IPs are allocated to providing SSLs than to the rest of the shared hosting platform.
We’ve been hearing since the 90s that IP addresses are running out, but it’s now really starting to bite. Through 2013, we’ve seen our IP costs start to rise in some locations, and we’re having to argue our case with the registries more and more for smaller and smaller blocks. Gone are the days that you could pick up a /21 (2,048 IPs) just “because we’re selling more SSLs”!
Fortunately, there’s a solution. It’s taken a while to gain traction, but has been mentioned at least in passing at every tech conference I’ve been to this year and has finally made it into cPanel — Server Name Indication, or SNI.
SNI allows web hosts to serve multiple sites with multiple distinct SSL certificates on the same IP address; it’s exactly the answer we’ve been looking for in order to reduce IP usage on SSL certificates.
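To make concrete what SNI actually adds to the handshake, here is an added example (my own illustration, not cPanel's, Apache's or Site5's code). It builds a minimal TLS 1.2 ClientHello carrying a constructed sample hostname and then parses the `server_name` extension back out, which is the step a web server performs to pick the right certificate before it has sent anything. The hostnames are constructed examples; the byte layout follows the TLS 1.2 ClientHello structure and the server_name extension from RFC 6066.

```python
import os
import struct

# Extension type number for server_name (IANA registry, RFC 6066).
EXT_SERVER_NAME = 0
# name_type value for host_name, the only type RFC 6066 defines.
NAME_TYPE_HOST_NAME = 0


def build_client_hello(hostname=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed sample input).

    If hostname is given, a server_name extension carrying it is appended.
    Only one cipher suite is offered, which is enough for parsing purposes.
    """
    ext_block = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        # ServerName = name_type(1) + host_name length(2) + host_name
        server_name = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
        # ServerNameList = list length(2) + entries
        name_list = struct.pack("!H", len(server_name)) + server_name
        # Extension = type(2) + length(2) + data
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
        # extensions vector = total length(2) + extensions
        ext_block = struct.pack("!H", len(ext)) + ext

    body = (
        b"\x03\x03"                             # client_version: TLS 1.2
        + os.urandom(32)                        # random
        + b"\x00"                               # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"    # one cipher suite
        + b"\x01\x00"                           # compression: null only
        + ext_block
    )
    # Handshake header: type ClientHello(1) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type handshake(22) + legacy version + 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if absent.

    Raises ValueError for anything that is not a well-formed ClientHello,
    which is how a server (or a filtering proxy) would treat junk input.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        if len(body) != hs_len:
            raise ValueError("truncated ClientHello")

        pos = 2 + 32                                   # version + random
        sid_len = body[pos]
        pos += 1 + sid_len                             # session_id
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len                              # cipher_suites
        cm_len = body[pos]
        pos += 1 + cm_len                              # compression_methods
        if pos == len(body):
            return None                                # no extensions at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_len]
            pos += ext_len
            if ext_type != EXT_SERVER_NAME:
                continue
            list_len = struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type, name_len = struct.unpack("!BH", data[p:p + 3])
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == NAME_TYPE_HOST_NAME:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


if __name__ == "__main__":
    for host in ("www.example.com", "shop.example.org", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Two things worth noticing from the output: a ClientHello with no extension at all (the IE6-on-XP case) yields `None`, so the server has nothing to go on and must fall back to a default certificate for that IP, which is exactly the compatibility problem discussed further down; and the hostname sits in cleartext in the first packet, before any key exchange, which is why a corporate firewall can apply per-site policy to SSL traffic without decrypting it.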
With the first implementation written in 2004, it’s been around for a while but it’s been slow to work its way into the industry’s consciousness. Server software’s been reasonably quick to adopt it – Apache’s supported it since 2.2, IIS has supported it since IIS 8.0 (which ships with Server 2012). Browser support has been fairly quick – but I’ll give you one guess as to the most widely-used browser to not support it.
Got it in one.
Other than IE6 (and any version of IE on WinXP), browsers have been supporting SNI for a long time. There’s a full list on Wikipedia. But what about those users using an unsupported browser? According to ie6countdown, IE6 still has 4.9% market share. At first glance, that suggests that you’d prevent nearly 5% of your users from connecting to your website securely — if you sell products or services online, that’d be catastrophic!
But a closer look reveals a different picture. In Europe and North America, IE6's market share hovers between 0.0% (Norway) and 0.5% (UK). We can expect that to drop dramatically in the coming months as Windows XP updates end in April 2014, and many of the remaining installs are institutional PCs that will likely have restrictions on web access; SSL traffic is often blocked on corporate networks except to trusted sites, as it can't be inspected by firewalls.
Most IE6 users are in China (where it retains 22% market share) and neighbouring countries (where its market share is in the single digits). If these countries and sectors are important to your business and you use shared hosting, then retaining a traditional SSL certificate on a dedicated IP likely makes sense for you.
But, if you’re not depending on those markets, then what are the advantages of SNI? Largely, that depends on your host and their pricing structure. When site5.com launches SNI support, customers can save up to $72/year by no longer using a dedicated IP for a site. As time goes on, IP prices will only rise, and this difference will become more pronounced.
So, what do you need to do when your host switches your SSL support over to SNI? If you're a developer for WordPress, there's absolutely nothing that you need to do in order to run your site over SNI. There are a few server environment changes, but nothing dramatic. There will be a DNS propagation period as your site is moved away from your dedicated IP to the shared IP, but your host will provide you with the details of that as required.
For the sake of completeness, I should mention that there's at least one hybrid product out there — GlobalSign's CloudSSL. This uses a combination of large multi-domain certificates (which are 100% compatible but may incur a speed penalty, depending on how many domains are on the single certificate) and SNI to support all browsers, regardless of compatibility. If you use GlobalSign certificates and need the compatibility, then do look into that option; however, it's unlikely to be the long-term solution.
Of course, IPv6 adoption will be the real answer to IPv4 exhaustion, but we're a very long way away from seeing widespread IPv6 adoption in the web hosting industry. In the meantime, I'm looking forward to getting SNI rolled out across site5.com to save our customers money as well as to help free up pressure on our IP address allocations. We've got plenty to go round for the foreseeable future, but in web hosting, that's just around the corner.
As SNI becomes more widely available, will SSL technology play a part in choosing a shared web host? If you still support IE6, will SNI be another nail in the coffin or will you be sticking to traditional SSL?
Making his home in Nottingham, UK, Rob has been around the web hosting industry since 2009 and has found the DevOps revolution to be perfectly timed, bringing together his love of programming and his natural affinity for servers. As Senior Systems Engineer for Site5, he takes advantage of a 100% remote workplace to work from wherever the Ruby flows best.