SNI or server name indication is an addition or an extension to the TLS protocol, which again stands for transport layer security. So, basically server name indication allows the client to indicate the host where it wants to terminate the encrypted session.
It allows a server to present multiple certificates on the same IP address and TCP port number and hence allows multiple secure (https) websites to be served by the same IP address without requiring all those sites to use the same certificate.
You may also like: SNI in Tomcat.
How it Works
While working with TLS, let’s suppose you have an IP address that has a virtual server on which you want to host multiple secure sites. Now, you want to direct a client to one of those secure websites with only a single virtual server in act.
Now, the question arises of how you are gonna do that. So, now the SNI comes into the play. Every site has their own digital certificates. Before any handshaking process, the client demands a digital certificate from the server. The server sends the certificates and the client matches the name on the certificate with which it wants to form the connection.
If the certificate matches, the client proceeds further and allows the server to make the connection. However, if there is a mismatch of the certificates then the server automatically shows the discrepancy and the connection is aborted.
Now, you can consider SNI as a blessing in disguise because before SNI was introduced, every secure website requires a unique IP address which was highly costly and made the encryption process a tad bit tedious.
But, there is a disadvantage too. It consumes a lot more of IPv4 address, which is a 32-bit numeric internet protocol address. So, mathematically 32 bit means that it can comment to 2n number of devices.
So, 2 raised to the power of 32 = 4,294,977,962 billions devices.
This is not sufficient, considering the fact that there are trillions and zillions of connected devices used globally by the people.
So, we are trying to overcome that issue by shifting toward a newer version of IP address that is IPv6, which is 128 bits of a protocol, which means that it can get connected to approximately trillions of devices.
What Is SSL?
SSL stands for Secure Socket layer. Just so to be clear, SSL is a predecessor of TLS system.
So, here, I will be going through its working to better understand how SNI has shortened this process for us and made web browsing a better place for the user.
It is used for secure communication over devices. Basically, when an encrypted message is sent over from client to host, then this protocol ensures it’s safe to transfer. It prevents any leakage of personal or sensitive data.
So, it has a number of applications is data transfer, web browsing, emails, etc.
It works on three principles which are:
- Integrity: It means that data should be sent over to the server in its original form.
- Authentication: The two entities having the communication for eg., server and client or server and server should be authenticated. So, it normally prevents the transfer of data between authenticated sites.
- Confidentiality: This parameter covers the part where an intruder or third party is denied access to the data. Which means that only authorized person can access the data which is being shared.
How it Works
So, the message to be sent from the client is first sent over to SSL, where it encrypts the data using different encryption algorithms, which secures the data to be transferred. This reduces the chance of data hacking.
Now, the encrypted data is tagged with an SSL header and forms a packet of data. This packet of data is now sent to the host/server. Now, before the host receives the data, it gets decrypted so the message becomes readable.
So, for that to happen, the SSL header is first removed from the data. Now, the decryption of the data takes place.
After the data/message is fully decrypted, it is sent over to the application layer of the receiver from where the host gets integrated confidential messages.
Protocols Used by SSL
SSL uses four different protocols for the safe transfer of data which are:
Handshake protocol: This protocol handles the establishment of a connection to be set up between host and client. It authenticates the entities for the secure transfer of the data.
But the confidentiality and integrity of the data are managed by another protocol called SSL record protocol.
Change cipher spec protocol: It handles the encryption process of the data
Alert protocol: It handles the Alert message sent during the transfer of data when an error occurs which indicates any chances of insecure connections.
HTTPS: It stands for hypertext transfer protocol secure which is nothing but an extension of HTTP but with an issued SSL certificate that ensures secure transfer of data over devices by encryption the data.
Importance of SNI in SSL technology
SNI has nothing but proved itself beneficial in the long run.
- You can run multiple SSL certificates on a single IP address. You do not need to buy different IP addresses for different sites, which can be a little hard on the pocket.
- It is not tampering with security as you require SSL certificate before the handshaking protocol.
- It automatically aborts any insecure connection
So, this article concludes that SNI has provided user-friendly options, which do not require unique IP address each time you need to transfer data to a different site. It has proven itself to be cost-effective as well as time-saving.