6

Possible Duplicate:
Multiple SSL domains on the same IP address and same port?

I'm developing a web app that MUST MUST MUST use HTTPS. It's kinda developed on the cheap though, and I really don't need (or want to pay for) my own dedicated IP address, except that it's needed for TLS.

Except, modern web browsers support an extension to TLS that allows many domain names to operate behind a single IP.

(It feels like we're back in the mid-90s when many browsers supported the HTTP 1.1 Host header but enough didn't.)

Is the world ready for websites that rely on this TLS extension, or should I pay up for a dedicated IP?

billpg
  • Plenty of cheap hosting plans provide SSL support (with an IP address you can call your very own) as part of the deal. Far more expensive is the certificate. – womble Dec 20 '09 at 08:37

5 Answers

6

No. IE (any version) running on WinXP, and Safari running on XP or older OS X won't do SNI. That's your default browsers for some of the most common platforms out.

Get a dedicated IP address. If you have a virtual private server, you have one already, and extra IPs are not expensive at most providers. If you aren't running at least a virtual private server, you have no business running an application that Must Must Must run HTTPS — cheapo shared hosting won't offer the level of security you need to ensure your data is private.

(If your concern is that you're going to be running many instances of this service under different hostnames and you don't want a huge load of IP addresses, then yes, this is a problem. Usually solved by putting all the hostnames under one domain with a wildcard certificate.)

bobince
  • My HTTPS requirement is there because the main use case of my app is someone with a laptop using random public wifi access points. There would be no private data held on the server beyond the passwords, keys etc. Really, cheapo hosting *would* do the job. – billpg Dec 20 '09 at 10:10
  • Is it time for this answer to be revised? WinXP is finally on the wane for many audiences, the blunt "No" at the start of the question is starting to look like it should be a "Maybe"... – Tao Oct 07 '15 at 11:47
2

You can get a VPS with a dedicated IP at slicehost.com for $20/month. I know you said cheap, but that's not exactly expensive.

Which doesn't really answer your question. Despite the rapid evolution of apps, the net has been very resistant to infrastructure changes. Take a look at the IPv4 / IPv6 mess -- that's been going on for more than a decade. You have a worldwide installed base in the 100's of millions and none of them support (I don't think) name-based HTTPS.

Peter Rowell
  • 1
    A sizeable proportion of the installed browser base supports SNI. Not enough, but it's certainly a lot more than "none of them". – womble Dec 20 '09 at 08:36
  • @womble: you are correct. The big problem is, how does a site owner decide that they do not *need* the people who are using browsers that don't support SNI? Most businesses will take a look at the cost of a static IP versus potential loss of audience and it's a no-brainer for them -- they go static IP. Only when the math (cost) starts to go in the other direction will businesses consider the other option. This is a classic case of critical mass of installed base versus cost of new infrastructure. – Peter Rowell Dec 24 '09 at 04:15
1

This article on TechRepublic talks about SNI and includes a list of browsers that currently have support for SNI. Take a look at this list and some data from, e.g., here and make your own decision. It really depends on who you expect your clients to be.

larsks
0

The "world" is never ready for someone to start relying on non-standard extensions to anything. If you really want to use something that's not part of the base standard you either have to provide an alternative or accept the consequences. A prime example is the SMTP protocol, which has more extensions than you can shake a stick at. Any half decent mail program, be it client or server, should fall back to the base when the other end doesn't support an extension.

John Gardeniers
0

It is possible to do name-based SSL virtual hosts on a single IP address, provided they all share the same certificate.

However not all web servers support this option as it has the severe limitation that it cannot handle different certificates.

MarkR