Everyone Has Server Name Indication (SNI)
 Everyone Has Server Name Indication (SNI)
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading...
April 3, 2017 Comments closed

Everyone Has Server Name Indication (SNI)

in Hashing Out Cyber Security

New Figures Show Wide Support for Feature Allowing HTTPS On Virtual Hosts.

New data from Akamai confirms that Server Name Indication (SNI) is widely deployed and can be used in an HTTPS deployment without excluding devices.

SNI is a feature of the SSL Handshake that was added as an extension in 2003. Server Name Indication allows the connecting client to specify the hostname to the server. This means a server can use virtual hosting to serve multiple HTTPS sites from one shared IP addresses, and know which certificate to provide.

This makes deployment of HTTPS easier and cheaper, and is especially important for IPv4 services who don’t have addresses to spare.

However there was always a concern that relying on Server Name Indication meant losing some of your audience. While all modern clients have supported SNI for quite a while, its late addition to the protocol meant that some older operating system  Any clients who didn’t support SNI would be given the wrong certificate by the server, which effectively breaks HTTPS.

Akamai is finally putting that fear to rest by sharing that, on average, 98% of client HTTPS requests over their network support SNI. This is for global traffic and is essentially universal support. They note that China is the exception, and has significantly lower SNI usage but did not specify how far behind the country was.

Server Name Indication, SNI

In the last three years, the gap for SNI support has closed. Image courtesy of Akamai.

So, what’s the missing 2%?

Overall, the most notable clients that lack Server Name Indication support are Internet Explorer 8 (and earlier) on Windows XP, and Android 2.3.

The Android developer page reports that only 1% of devices connecting to the Google Play Store are on Android 2.3.

Windows XP has a reputation for refusing to die. But according to analytics.usa.gov, which aggregates data from a few thousand US government sites, less than 1% of visitors are still using Windows XP. This is probably an accurate measure for American internet users.

But the rest of the world probably isn’t visiting these sites, so we need a metric that more accurately reflects them. We like Wikimedia’s user agent dashboard. According to them, just 1.7% of visitors are hanging onto XP.

Now that the internet has moved to SHA-2 signatures for SSL certificates, that also eliminates users who are using Internet Explorer on XP SP2 or earlier. You also have to consider the likelihood that someone on a decade-old OS is part of the potential audience for your site.

Akami notes that TLS proxies performing traffic interception, and bots and search engine crawlers are also a notable portion of the non-SNI clients.

Akamai’s blog post provides more background for those interested in the history of SNI.

Author

Vincent Lynch

The SSL Store’s encryption expert makes even the most complex topics approachable and relatable.

Recent Posts

Follow Us

Free Ebooks

eBook
Email Spoofing Defense 101 (A 5-Step Guide)

Download Now

eBook
Certificate Lifecycle Management Best Practices Guide

Download Now

eBook
10 Code Signing Best Practices

Download Now