undefined | Better HN

0 pointslegutierr12y ago0 comments

I'm curious, in addition to a lack of compatibility with Windows XP and early versions of certain browsers, is there any other reason that one wouldn't want to use SNI?

0 comments

donavanm12y ago

theres the (lack of) security when the client advertises the expected cert cn outside of the secure session. bu the real reason is simply client support. last i looked about 50% of requests looked like they came from clients that didnt support sni. suppose a ridiculously optimistic estimate of 90% support. is it acceptable for 10% of your clients to have security warnings when visiting your site? that's an unacceptable customer experience, personally.

legutierrOP12y ago

I'd be curious to know what the actual numbers are...IE 7 even supports SNI, as long as it is running on Vista+. I've seen stats that say XP usage is near 15% now, and some portion of that must include non-IE browsers, so perhaps 10% might be an accurate estimate? When you "last looked", where did you find that 50% stat?

With regards to the security hole, do you mean to say that having the domain name sent in the clear before the secure session is established is the problem? Other than some narrow privacy concerns, I can't see the real issue here, given that most of the time a certain IP address implies a certain domain name, and the destination IP address needs to be sent in the clear.

nilsbunger12y ago

Python 2's standard library also doesn't support SNI. Nor does Android 2.x browser.

j / k navigate · click thread line to collapse

0 comments

donavanm12y ago

legutierrOP12y ago

nilsbunger12y ago

Python 2's standard library also doesn't support SNI. Nor does Android 2.x browser.

j / k navigate · click thread line to collapse