What is an SNI Certificate for SSL?

An SSL certificate is necessary to make your website and/or system trustworthy for other users and to ensure that the connection is not intercepted halfway by attackers, since every connection made between your browser and the server is encrypted.

The encryption algorithms have been practically the same for years, and the connection methodology was always the same until recently, when new certificates of the SNI (Server Name Indication) type emerged.

In the past, to have a website you needed to keep your computer turned on and connected to the internet 24 hours a day to make your content available.

With growing demand from users, data centers emerged for use by small companies and especially by large companies and internet portals.

Until then, each site had to have its own server. There was no scheme for putting two or more sites on one server; to host more sites you needed more servers, each with its own valid IP address on the internet.

It was also possible to obtain a range of IP addresses for the same computer, and then each site was hosted on its own IP.

The Internet started with just a simple HTTP header. Version 1.0 sent only the following request over TCP:

GET / HTTP/1.0

And nothing else was sent to the server, and the server knew how to respond with the website that the user wanted.

It soon became clear that it was necessary to host several sites on the same server, so the first update of the HTTP protocol was created, with some improvements, the main one being "Virtual Hosts".

To this day, your browser generally uses:

GET / HTTP/1.1

Of course, other headers appeared as well, such as the acceptable document types, connection methods and headers carrying the stored cookies.

This feature made it possible for multiple sites to be hosted on the same server, except for sites with SSL (encryption). Virtual Hosts did not work with SSL because the encryption handshake does not know which host is being requested: the host name is sent only after the connection has been established. Until then, each SSL site depended on a unique IP address.

Up to IIS 7.5 (Windows 7 and/or Windows Server 2008 R2 and earlier), the "Virtual Hosts" feature for SSL never existed, and every site in the Windows environment depended on having its own fixed IP address for IIS to load the connection certificate.

Notice that in IIS 7.5 the "Hostname" field is grayed out, so you cannot enter the site name.

This is different in IIS 8.0, which allows the use of the new SNI (Server Name Indication) certificates.
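With SNI, the client names the site in the first handshake message, so the server can pick the right certificate before any encryption exists. The following is an added example, not code from the original article: it captures the ClientHello that Python's own `ssl` module produces (no network traffic) and reads the host name out of it. The host names, certificate file names and function names are constructed for illustration.

```python
import ssl
import struct

# Constructed host-to-certificate map for two sites sharing one IP address.
CERTS = {"site-a.example": "site-a.pem", "site-b.example": "site-b.pem"}

def client_hello(hostname):
    """Return the first TLS record the local ssl module would send (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if hostname is None:
        ctx.check_hostname = False  # needed to build a hello without SNI
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client now waits for the server's reply
    return outgoing.read()

def sni_from_client_hello(rec):
    """Return the host name in the server_name extension, or None if absent."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                # headers, version, random
    pos += 1 + rec[pos]                                 # session id
    pos += 2 + struct.unpack_from("!H", rec, pos)[0]    # cipher suites
    pos += 1 + rec[pos]                                 # compression methods
    if pos + 2 > len(rec):
        return None                                     # hello has no extensions
    end = pos + 2 + struct.unpack_from("!H", rec, pos)[0]
    pos += 2
    while pos + 4 <= min(end, len(rec)):
        ext_type, ext_len = struct.unpack_from("!HH", rec, pos)
        pos += 4
        if ext_type == 0:                               # server_name extension
            name_len = struct.unpack_from("!H", rec, pos + 3)[0]
            return rec[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def pick_certificate(rec, default="default.pem"):
    """Choose a certificate from the unencrypted hello, as an SNI server does."""
    return CERTS.get(sni_from_client_hello(rec), default)

if __name__ == "__main__":
    for host in ("site-a.example", "site-b.example", None):
        print(host, "->", pick_certificate(client_hello(host)))
```

A client that sends no SNI falls through to the default certificate, which is the compatibility gap with older browsers; the host name itself travels unencrypted in this message.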

The main difference between the traditional SSL certificate and the new type is that the former is compatible with all current browsers, while SNI is only compatible with the latest browsers.

Because of this current incompatibility, the SNI certificate is not attractive for large organizations such as banks, which need to ensure that everyone will be able to access their sites safely.

However, those who have a personal and/or institutional website and do not want to lose a user who arrives over "https" can have their SSL certificate at a much lower cost than the traditional certificate.

In Windows Azure, whoever rents a server gets up to 5 SNI certificates to keep their sites secure, while the traditional option has costs.

1 comment:

  1. I had doubts about this service. Really very useful. Thank you!