6

Possible Duplicate:
Multiple SSL domains on the same IP address and same port?

I'm developing a web app that MUST MUST MUST use HTTPS. It's kinda developed on the cheap though, and I really don't need (or want to pay for) my own dedicated IP address, except that it's needed for TLS.

Except, modern web browsers support an extension to TLS that allows many domain names to operate behind a single IP.

(It feels like we're back in the mid-90s when many browsers supported the HTTP 1.1 Host header but enough didn't.)

Is the world ready for websites that rely on this TLS extension, or should I pay up for a dedicated IP?

billpg
  • 585

5 Answers

6

No. IE (any version) running on WinXP, and Safari running on XP or older OS X won't do SNI. That's your default browsers for some of the most common platforms out.

Get a dedicated IP address. If you have a virtual private server, you have one already, and extra IPs are not expensive at most providers. If you aren't running at least a virtual private server, you have no business running an application that Must Must Must run HTTPS — cheapo shared hosting won't offer the level of security you need to ensure your data is private.

(If your concern is that you're going to be running many instances of this service under different hostnames and you don't want a huge load of IP addresses, then yes, this is a problem. Usually solved by putting all the hostnames under one domain with a wildcard certificate.)

bobince
  • 801
2

You can get a VPS with a dedicated IP at slicehost.com for $20/month. I know you said cheap, but that's not exactly expensive.

Which doesn't really answer your question. Despite the rapid evolution of apps, the net has been very resistant to infrastructure changes. Take a look at the IPv4 / IPv6 mess -- that's been going on for more than a decade. You have a worldwide installed base in the 100s of millions and none of them support (I don't think) name-based HTTPS.

1

This article on TechRepublic talks about SNI and includes a list of browsers that currently have support for SNI. Take a look at this list and some data from, e.g., here and make your own decision. It really depends on who you expect your clients to be.

larsks
  • 47,453
0

The "world" is never ready for someone to start relying on non-standard extensions to anything. If you really want to use something that's not part of the base standard you either have to provide an alternative or accept the consequences. A prime example is the SMTP protocol, which has more extensions than you can shake a stick at. Any half-decent mail program, be it client or server, should fall back to the base when the other end doesn't support an extension.

0

It is possible to do name-based SSL virtual hosts on a single IP address, provided they all share the same certificate.

However not all web servers support this option as it has the severe limitation that it cannot handle different certificates.

MarkR
  • 2,928