SSL, SNI, Certs

HTTPS Everywhere is a wonderful concept, but of course the sites have to keep working first, which means dealing with the whole PKI issue: every HTTPS site needs a certificate, and the server has to present the right one to each client. So, when the sites are hosted in countries with limited IPv4 addresses, how can this be accomplished?

  • Simply put, SNI (Server Name Indication, a TLS extension) allows any number of certificates to be served from a single IP address. It extends the TLS handshake so that the client sends the host name it wants, in the clear, in its very first message (the ClientHello), and the server uses that name to pick the matching certificate. Without it, the connection is made to an IP address first, and the domain name only arrives in the HTTP Host header, after the TLS handshake is already finished, so the server has to commit to a certificate knowing nothing but the IP address.
  • However, there are clients with no SNI support at all, including the BlackBerry browser on OS 7.1 and below, the stock browser on Android 2.x and below, and Internet Explorer (or any other browser that relies on the Windows TLS stack) on Windows XP; Firefox and Chrome ship their own TLS library and do support it there. Such a client gets the default certificate for the IP address, whatever site it asked for, and sees a name-mismatch warning for every other site on that address. Current sites have up to 10% of visitors and 5% of customers on these clients.

So that means what is required is an IP address for each domain name (the only other way to serve non-SNI clients is one certificate listing every name on that IP as a subject alternative name, which ties unrelated sites to a single certificate). Also, it means that a single domain per organization, with the domain name being the same as the organization name, is the best approach (when using things like extended validation, where the certificate is bound to the verified organization anyway).
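To make the SNI mechanism from the first bullet concrete, and the fallback in the conclusion above (a client that sends no name gets whatever certificate the IP address defaults to), here is an added example in Python; it is not code from the original note. It builds a minimal TLS 1.2 ClientHello with and without the server_name extension, parses the host name back out the way a server (or an IDS that logs SNI) would before any HTTP is exchanged, and picks a certificate from a constructed table of two hosts (shop.example, blog.example) sharing one address. The host names, certificate strings, cipher suite and the choose_certificate policy are assumptions made for the illustration.

```python
# Added example: build and parse TLS ClientHello records to see where the
# SNI name travels. Not code from the original note; names are constructed.
import os
import struct
from typing import Optional

HANDSHAKE = 0x16          # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
TLS12 = b"\x03\x03"
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension
NAME_TYPE_HOST = 0x00


def build_client_hello(server_name: Optional[str], other_extensions=()) -> bytes:
    """Return a TLS record holding a minimal ClientHello.

    server_name=None writes no SNI extension, which is what a pre-SNI client
    sends. other_extensions is a list of (type, data) pairs placed before SNI
    so the parser has to skip them.
    """
    body = TLS12 + os.urandom(32)                # client_version, random
    body += b"\x00"                              # empty session_id
    suites = b"\xc0\x2f"                         # one cipher suite is enough here
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                          # compression_methods: null only

    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in other_extensions)
    if server_name is not None:
        host = server_name.encode("idna")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if exts:
        body += struct.pack("!H", len(exts)) + exts          # extensions are optional

    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + TLS12 + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the ClientHello's SNI extension, or None.

    None means no SNI was sent (or this is not a ClientHello), so the server
    knows only the destination IP when it must pick a certificate.
    Truncated input raises ValueError instead of being silently misread.
    """
    try:
        if record[0] != HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        handshake = record[5:5 + rec_len]
        if len(handshake) < rec_len:
            raise ValueError("truncated TLS record")
        if handshake[0] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(handshake[1:4], "big")
        body = handshake[4:4 + hs_len]
        if len(body) < hs_len:
            raise ValueError("truncated ClientHello")

        pos = 2 + 32                                           # client_version + random
        pos += 1 + body[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                                   # compression_methods
        if pos == len(body):
            return None                                        # no extensions at all
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if ext_end > len(body):
            raise ValueError("extensions overrun ClientHello")

        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if len(data) < ext_len:
                raise ValueError("truncated extension")
            pos += 4 + ext_len
            if ext_type != EXT_SERVER_NAME:
                continue                                       # skip unrelated extensions
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                name = data[q + 3:q + 3 + name_len]
                if len(name) < name_len:
                    raise ValueError("truncated server name")
                if name_type == NAME_TYPE_HOST:
                    return name.decode("ascii")                # host_name is ASCII (A-labels)
                q += 3 + name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError) as exc:
        raise ValueError("malformed or truncated ClientHello") from exc


def choose_certificate(record: bytes, certs_by_host: dict, default_host: str) -> str:
    """Assumed server policy: the SNI name selects a certificate; a client that
    sent none (or an unknown name) gets the IP address's default, match or not."""
    name = parse_sni(record)
    if name is None or name not in certs_by_host:
        return certs_by_host[default_host]
    return certs_by_host[name]


if __name__ == "__main__":
    # Constructed: two sites sharing one IP; shop.example is that IP's default.
    certs = {"shop.example": "cert(CN=shop.example)", "blog.example": "cert(CN=blog.example)"}
    for wanted in ("blog.example", None):
        hello = build_client_hello(wanted)
        print(f"SNI sent: {parse_sni(hello)!r:<16} server presents: {choose_certificate(hello, certs, 'shop.example')}")
```

The second line of output is the point of the whole note: the client without SNI wanted blog.example but is handed shop.example's certificate, which is the name-mismatch warning those non-SNI visitors see. Against a live server the same difference can be observed with `openssl s_client -connect host:443`, run once with `-servername host` and once without it.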