What is Server Name Indication(SNI)?
This article will provide a detailed explanation of the topic called Server Name Indication(SNI). Before moving on to the main topic first, let us understand what is the server name.
What is Server Name?
A server name is just a computer's name. Users are not shown this name in the case of web servers unless the server only hosts one domain and its name is the same as the domain name. The clients provide that hostname by which they can connect at the before handshaking using the Server Name Indication feature of the Transport Layer Security computer networking protocol.
What is Server Name Indication(SNI)?
Server Name Indication (SNI) is an extension of the TLS protocol. At the beginning of the TLS handshake, a client or browser is permitted to specify the hostname through which he/she can connect. With the same IP address and port, the server may thus show a number of certificates. Before SNI, only one SSL/TLS certificate could be issued per IP address, making it impossible to run several secure websites on the same server.
Why Use Server Name Identification?
IP addresses are very deficient sources i.e., they are available in very less number. So, SNI helps in protecting these IP addresses.
Some other important reasons of using SNI are mentioned below:
- website that requires SSL/TLS encryption need not require to set up a separate IP address by using SNI.
- SNI makes the connection simpler for website administrators and owners to maintain SSL/TLS certificates.
- SNI enables servers to host several TLS certificates for numerous sites under a single IP address.
- SNI offers the benefit of hiding the certificate from scanning, which helps to boost security.
Working of SNI
- The "ClientHello" message is sent by the client to the server as part of a TLS handshake.
- The hostname of the server that the client wants to connect is included in the "ClientHello" message.
- The requested hostname's SSL/TLS certificate is included in the "ServerHello" message which the server sends back as a response.
- The server will respond with an error message and cut off the connection if it doesn't support SNI or doesn't have a certificate for the requested hostname.
- The client and server will finish the TLS handshake and start the encrypted connection if the server has a valid SSL/TLS certificate for the specified hostname.
Modern web browsers and servers, like Apache and Nginx, support SNI to a large extent. SNI may not be supported by older servers and browsers, which might cause compatibility problems.
Features of Server Name Identification
Following are the some features or characteristics of Server Name Identification:
- Cost Savings: IP addresses are very expensive to obtain and use. SNI helps in reducing the need for additional IP addresses for hosting multiple websites. So, lots of money can be saved as the there is no necessity for additional IP addresses.
- Compatibility: SNI is a widely used technique for hosting several secure websites on a single server because the majority of modern web browsers and servers support it.
- Multiple certificates: In order to host many domain names on the same IP address, SNI permits the installation of numerous SSL/TLS certificates on a single server.
- Improved Performance: SNI lets the servers to handle more requests and make better use of their resources, which can speed up websites.
- Enhanced Security: In order to improve security and fend against man-in-the-middle attacks, SNI makes sure that the appropriate SSL/TLS certificate is being utilised for each domain name.
- Flexibility: SNI offers flexibility by hosting multiple domains i.e., SNI allows a single server to host different websites where each having its OWN SSL/TLS certificate.
Benefits of Server Name Identification
Following are the four benefits of Server Name Identification:
- Better resource utilization: The main benefit of using SNI is that it allows several SSL certificates to be hosted on a single IP address. This will help in eliminating waste and maximizing resource efficiency.
- Simplified management: The Server Name Identification minimizes the complexity of SSL certificate administration which allows many SSL certificates to be hosted on a single IP address.
- Support for virtual hosting: The cost of hosting SSL certificates is further decreased because of SNI's compatibility with virtual hosting.
Virtual hosting is the process of running several websites on a single server, allowing different domains to share server resources like CPU, memory, and storage. Virtual hosting also allows website owners to host numerous websites on a single physical server which eliminates the need for additional servers and helps in reducing the cost.
- Improved Server Efficiency: Server Name Identification increases the server efficiency by reducing the number of IP addresses required for SSL certificates.
Limitations of Server Name Identification
With the benefits of SNI, it also has some limitations which are discussed below:
- Limited to HTTPS: Server Name Identification is only used for HTTPS connections. So, it has no advantages over other protocols like FTP or SMTP.
- Lack of Encrypted SNI Support: The information of Server Name Identification is transmitted in plain text during the TLS handshake, which makes it possible for third parties to view the domain name of the website being accessed. To overcome this limitation, we can use the encrypted SNI, but it is not supported by many systems.
- Complexity: Server Name Identification increases the complexity of the SSL/TLS negotiation process, which might lead to more setup mistakes or SSL certificate management mistakes.
- Performance: SNI may add additional round trips between the client and server, which may increase latency and reduce the performance.
- Single Certificate Per IP Address: The main disadvantage of SNI is that it uses single certificate for one IP address. This can create a problem if many websites are hosted on the same IP address under different certificates.