SNI vs Multi-Domain

I have a few smaller sites that I work on and have been debating adding SSL to help their Google ranking, etc. As I don't want to get an IP for each one I am debating using SNI or Multi-Domain for the certs. SNI would carry the lowest cost but I wonder if it will toss out too many errors with older browsers. Or as a friend of mine said “oh people running older browsers are used to that now”.

What do you think? Is SNI an okay option to go with or should I pay the extra cash and buy multi-domain certs? Anyone have experience with either they would like to share?

Comments

  • Clouvider Member, Patron Provider
    edited June 2015

    That would still be SNI if you put multiple websites on the same IP address, no matter what type of SSL certificate you are going to use.

  • wych Member
    edited June 2015

    Does your userbase or use case warrant not using SNI? Check your site stats.

  • @Clouvider I was thinking multi-domain was "Safer" and less problems. (I am just starting to look into this). So no benefit of one over the other? Have you tried or seen issues with SNI?

  • MisterG Member
    edited June 2015

    @wych I did look at site stats and did find that for XP users the number using IE was very low. (meaning a few over a few months) and most of these hits were single hits and not even someone looking past the first page of the site(s). I need to look for early Android browsers.

    This is what got me looking into SNI vs just adding IPs.

  • Clouvider Member, Patron Provider

    It doesn't matter whether you use a single domain or multi-domain SSL. The problem is in the way the certificate is installed. If you don't want SNI, every website, not every certificate, needs a dedicated IP address.

  • Abdussamad Member
    edited June 2015

    Clouvider said:

    That would still be SNI if you put multiple websites on the same IP address, no matter what type of SSL certificate you are going to use.

    No it wouldn't. SNI is where a different cert is given to the client by the server based on a hostname header sent by the client in the clear (before the SSL tunnel is set up). If there is only one cert for all domains there is no need for SNI.

    MisterG said: As I don't want to get an IP for each one I am debating using SNI or Multi-Domain for the certs. SNI would carry the lowest cost but I wonder if it will toss out too many errors with older browsers

    IMO it's time to let the XPers go and use SNI. But you may feel differently if your target market has a lot of XP users. For example I understand the OS is still very popular in China.

    You can grab a free wosign multidomain cert. So the cost isn't going to be a problem.

  • Alt Member
    edited June 2015

    @Clouvider : no, you're wrong.
    One certificate with multiple domains will work everywhere, even with IE6: it doesn't use SNI at all.
    One certificate per single domain/vhost needs the use of SNI to recognize which certificate to use with which domain, so it can't work with IE under XP and other browsers : http://en.wikipedia.org/wiki/Server_Name_Indication#Client_side

    @MisterG: if you need support for old browsers, go for a multiple domains certificate.
    If you don't care about old browsers, use SNI, it's easier to manage (just create/delete a certificate when you create/delete a domain)

  • rm_ IPv6 Advocate, Veteran
    edited June 2015

    Abdussamad said: IMO it's time to let the XPers go

    Not just XPers, but only those who use Internet Explorer on Windows XP. I'd say they got bigger issues than anything being able to visit your website is ever going to solve :p

    See https://en.wikipedia.org/wiki/Server_Name_Indication#Implementation for the full list of versions where the support was added.

    Thanked by 2: mikho ATHK
  • @Alt Thank you, is it true that when you purchase a multi-domain cert you have to purchase all the domains up front? If that is the case what do you do when you need to add another? When I looked at a couple of purchase sites they were vague about what happens when you add one later.

  • @Abdussamad I agree that it is time to let the XPers go but it is also an issue with older Android phones who are not on Chrome. But for the sites I am talking about 95% of the target market is US with 5% EU.

    On a side note I do have one site with 48% of the users using XP and Internet Explorer - of course it has a dedicated IP.

  • Alt Member

    @MisterG: yes, that's why I said SNI is easier to manage -> have a new domain? Just ask for a new certificate.

    With a multiple domains certificate, you have to recreate a new certificate with all the previous domains you had + the new ones. And you have to revoke the old certificate.

  • @Alt - have you used SNI yet? Any complaints from users? Just seems like the right way to go for many smaller websites.

  • Alt Member

    @MisterG: Yes, I've tried SNI and it works very well. Sadly I need to support legacy users with IE7 under XP so I went with a multiple domains certificate.
    I hope in a year or two I'll be able to completely drop support for these old browsers, so I'll switch to SNI.

  • @Alt thank you for all your feedback. Did you find a good (low cost) source for multiple domain certs?

  • Alt Member

    @MisterG: you're welcome :-)

    Yes, I've been using WoSign for a few months, it's free and up to 100 domains : https://buy.wosign.com/free/?lan=en
    When you request a certificate from WoSign, it can take more than 24H to receive it, because they are manually validating it.
    There are several threads in this forum talking about them.

  • @Alt @Abdussamad Thank you for the info on WoSign. I was not aware of them, but on a further look they seem to have been talked about a lot on LET.

  • Alt Member

    @MisterG: People talk a lot about them because they are, AFAIK, the first and only who have this kind of certificates (free with multiple domains).

    There's also StartSSL ( https://www.startssl.org/ ) which has existed for a long time and gives free certificates, but sadly they are limited to a single domain and a subdomain (a domain with and without "www").

  • @Alt Have you had any issues with wosign working in browsers?

  • n1kko Member

    XP is dead... Move on!

  • Alt Member

    @MisterG: no, it seems to be recognized everywhere I've tried: different versions of Windows, OSX, Debian, Android and iOS. I'm not aware of any browser which causes a problem with them.

    @n1kko: depends on who your websites target... for some businesses it's required to support old browsers on old OSes like XP. Sadly.

    Thanked by 1: MisterG
  • n1kko Member

    @Alt Such a shame some people have to still support XP.

  • n1kko Member

    I just use Cloudflare free SSL with all my domains. Should I consider something like multi domain SSL?

  • @n1kko IE on XP is not the only issue here, we still see almost 6% of Android phones using 2.3.x or earlier. I have one client who has most of their 45,000+ users still on XP. Some are allowed to install Chrome or FF but some are not and using a very old IE. But I am aware of those users and use dedicated IP for those sites. I am just covering a bunch of smaller sites with the SNI or MultiDomain.

  • At this time, most desktop and mobile browsers support SNI. Purchasing a separate IP address for each FQDN can be much costlier. SNI technology allows you to secure multiple websites on a single IP address.

    An SSL certificate is issued for Fully Qualified Domain Names, so you should go with a Multi Domain SSL certificate that allows you to secure multiple domain names (site1.com, site2.com, any.thing.anytld). You do not need separate IP addresses or additional hardware to secure multiple websites.

    Purchasing an individual certificate for each website can be hard to manage and more pricey. There are various vendors available in the market who are offering this certificate at prices ranging from $45 to $540; you can find them here - http://www.cheapsslcouponcode.com/coupons/multi-domain-san-ssl
