How SNI Became a Battleground of Security vs.

It pretty much goes without saying that encryption is one of the pillars of InfoSec. One of the most well-known applications of it is Transport Layer Security (TLS). Google estimates that 95% of web traffic is HTTPS, and that is just one way TLS is used: it can be used with essentially any other TCP protocol, either natively or via StartTLS (it is even starting to be used over UDP with QUIC). It's easy to take for granted exactly how much engineering and brain power has gone into the development of TLS. It has evolved a lot over the years, with its latest version being 1.3, which was officially defined by the IETF in RFC 8446 in 2018. So much complexity and nuance have gone into it. Today we will be going over one of the more under-appreciated aspects of TLS: Server Name Indication, a.k.a. SNI. It solves a lot of interesting problems and has even introduced some interesting problems with privacy.

I have often said that the best way to explain a piece of technology or software is to explain what problem it is trying to solve, rather than explain what it does. To do that with SNI, we have to go back to the beginning of SSL/TLS.

When Secure Socket Layer (SSL) was first being developed in the 1990s by former technological titan Netscape, web servers could only "listen" for SSL traffic on a single socket, a.k.a. one IP address and port combination.

Side note: SSL and TLS are used interchangeably by a lot of people (including myself), but TLS is technically the correct term, and you can thank Microsoft for the confusion. Back in the late 1990s there was a "Browser War" between Netscape and Microsoft: Microsoft Internet Explorer vs. Netscape Navigator. Netscape developed SSL, and Microsoft and other companies were developing their own solutions for encrypting web traffic. Rather than having a bunch of different versions, the IETF organized a meeting to agree on a single, global standard. Netscape's SSL was more commonly used, but Microsoft did not want Netscape to get de facto naming rights on the new protocol, so everyone agreed on a new protocol name: TLS.

For example, if you browse to a website, that socket might be 142.250.81.206 on TCP port 443. If you were browsing that IP address on TCP port 443, the web server could only encrypt traffic and offer a certificate for that single combination. If you wanted to host another website, you had 4 options:

1. Spin up a new web server. This was expensive, as back in those days it was almost always a physical server. This is assuming you could get an additional IP address from your ISP; if you didn't, you were out of luck.

2. Assign an additional IP address to the NIC (network interface card) on that server. Like the option above, this depended on you being able to procure a new public IP address.

3. Use a different port. This was not attractive because all browsers were programmed to default to port 80 for HTTP and port 443 for HTTPS unless a port was specified in the URL, so it would not be user friendly to ask your users to remember a port in addition to a domain name. Go ahead and try this on any website: just put :443 at the end of the domain name and you will see the port disappear upon page load. Imagine having to remember that one site is on 443 but another is on 444.

4. Get a multi-domain certificate. Multi-SAN (subject alternative name) certificates started to become a thing around 2000. Multi-SAN certificates are very common, but they are almost always for domains and subdomains tied to a single entity. Imagine if you were hosting web sites for multiple companies: if the private key was compromised, all of those domains (and thus companies) would be affected.

Side note: If you look closely, you will see that QUIC, the newest version of HTTP, which runs on UDP rather than TCP, includes the TLS handshake.

The web server examines all of the SANs in each certificate that it is configured to use on its socket and selects the one that matches the request. Web servers also have a default certificate, which is what they serve in the event that they do not have a certificate with a SAN matching the SNI extension of the request. However, this will often result in a certificate name mismatch error and your browser will scream bloody murder. This unlocked the power of load balancers and CDNs, as now they could host secure traffic for limitless domains.
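As an added worked example (not code from the original article), here is a small Python model of the selection described above: it parses the server_name extension out of a raw TLS ClientHello record and picks the certificate whose SAN list covers that name, falling back to the default certificate when the client sent no SNI or nothing matches. The certificate labels, SAN lists and the ClientHello builder are constructed stand-ins, not real certificates or captured traffic.

```python
import struct

CERTS = {"shop-cert": ["shop.example", "www.shop.example", "*.cdn.shop.example"],
         "blog-cert": ["blog.example"]}   # constructed: label -> SAN list (not real certs)
DEFAULT_CERT = "default-cert"  # what the socket serves when no configured SAN matches

def parse_sni(record):
    """Return host_name from a ClientHello's server_name extension (RFC 6066), or None."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01: return None  # not a ClientHello
    pos = 9 + 2 + 32                         # skip record/handshake headers, version, random
    pos += 1 + record[pos]                   # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                   # compression_methods
    if pos + 2 > len(record): return None    # no extensions block at all (very old clients)
    end, pos = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0], pos + 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                    # server_name extension
            names, i = record[pos:pos + ext_len], 2       # 2 = ServerNameList length field
            while i + 3 <= len(names):
                name_len = struct.unpack("!H", names[i + 1:i + 3])[0]
                if names[i] == 0:            # NameType host_name; normalize case for matching
                    return names[i + 3:i + 3 + name_len].decode("ascii").lower()
                i += 3 + name_len
        pos += ext_len
    return None

def san_matches(san, host):                  # '*.' wildcard covers exactly one leftmost label
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return san == host

def select_certificate(record, certs=CERTS, default=DEFAULT_CERT):
    host = parse_sni(record)
    if host is not None:
        for label, sans in certs.items():
            if any(san_matches(san, host) for san in sans):
                return label, host
    return default, host                     # default cert: browser reports a name mismatch

def build_client_hello(hostname=None):       # constructed sample record, not captured traffic
    exts = b""
    if hostname is not None:
        entry = b"\x00" + struct.pack("!H", len(hostname)) + hostname.encode("ascii")
        sni = struct.pack("!H", len(entry)) + entry              # ServerNameList
        exts = struct.pack("!HH", 0, len(sni)) + sni             # extension_type 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00"   # TLS 1.2 style ClientHello
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # Handshake(client_hello)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record header
```

Running select_certificate(build_client_hello("www.shop.example")) returns the shop certificate, while a name no SAN covers, or a ClientHello with no SNI at all, lands on the default certificate, which is exactly the case that produces the browser's name mismatch warning.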