IPv4, HTTPS and Microsoft browsers

“Server Name Indication (SNI) allows a server to present multiple certificates on the same IP address and port number.” (source: Wikipedia)

Most cloud instances, virtual machines or dedicated servers are sold with a single IPv4 address, because the Internet is running out of IPv4 addresses. Still, you may need multiple IPv4 addresses to serve multiple sites using HTTPS. This is true unless you use SNI, because SNI allows you to serve multiple secure sites with a single IPv4 address. There is a caveat: SNI is not supported by all browsers. “As of November 2012, the only major user bases whose browsers do not support SNI appear to be users of Internet Explorer 8 or below on Windows XP and versions of Java before 1.7 on any operating system,” according to the Wikipedia article on the subject.

Although worldwide in January 2013 the percentage of Internet Explorer 8 users is 23 percent (another source reports 11 percent), you might choose not to care. This sounds harsh and not particularly wise from a commercial point of view, but you would not stand alone. Google chose to go that path as well and pulled support for Internet Explorer 7 in July 2011 and for Internet Explorer 8 in November 2012. Such a giant choosing this path might mean that most consumers will stop using Internet Explorer 7 and 8.

For the corporate audience this is different. One reason Internet Explorer 8 is hard to kill off is that large corporations are conservative about operating system upgrades, and it is the most up-to-date version of Internet Explorer for Windows XP. Another reason the corporate audience might be slower to adopt new Internet Explorer versions is that cloud services like Gmail and Google Apps are not very common among large corporations, maybe because these companies are wary of storing data in the cloud.

So if you are targeting a tech-savvy consumer audience, you may consider using SNI. With the price of certificates dropping and the use of wireless devices on the rise, you might want to at least offer your website over HTTPS to customers whose browsers support SNI (you may want to either warn or block those that do not). Here is how your virtual host configuration file would look for an SNI-enabled site (in “/etc/apache2/sites-available/leaseweblabs”):

# Allow clients without SNI to reach the name-based vhost (they get the default certificate)
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    ServerName leaseweb.com/labs
    ServerAlias www.leaseweb.com/labs
    DocumentRoot /home/leaseweblabs/public_html

    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM

    SSLCertificateFile /etc/apache2/ssl/leaseweblabs-ssl.crt
    SSLCertificateKeyFile /etc/apache2/ssl/leaseweblabs-ssl.key
    SSLCertificateChainFile /etc/apache2/ssl/leaseweblabs-ca.bundle
</VirtualHost>

<VirtualHost *:80>
    ServerName leaseweb.com/labs
    ServerAlias www.leaseweb.com/labs
    DocumentRoot /home/leaseweblabs/public_html

    # Redirect every client to HTTPS, except IE 6-8 which cannot send SNI
    RewriteEngine on
    RewriteCond %{HTTP_USER_AGENT} !MSIE\ [6-8] [NC]
    RewriteRule ^(.*)$ https://leaseweb.com/labs$1 [R=301,L]
</VirtualHost>

The line containing “%{HTTP_USER_AGENT}” exempts IE 6-8 users from being redirected to the secured version. This is not perfect, since there may be other browsers (like Firefox 3.6) that do not support SNI and do get redirected to HTTPS. You can consider adding “RewriteCond” statements for these specific cases. But even without alterations the setup above feels like a good trade-off between security and compatibility: your website will be secure for the majority of visitors and also accessible for almost all of them, since all major browsers and their popular versions are supported.
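The user-agent rewrite above is a guess about SNI support made at the HTTP layer; the server only knows for sure when it sees the TLS ClientHello. The following added example (not code from the original post or from LeaseWeb) shows what that looks like on the wire: it builds a minimal TLS 1.2 ClientHello with and without the server_name extension, extracts the host name a client sent, and mimics how Apache picks a certificate, including the effect of the SSLStrictSNIVHostCheck directive from the configuration above. The host names and the certificate table are constructed sample data; the file name leaseweblabs-ssl.crt is reused from the page only as a label.

```python
import struct

# Constructed sample data: which certificate each name-based vhost serves.
VHOST_CERTS = {
    "labs.example.org": "leaseweblabs-ssl.crt",   # assumption: cert of the SNI vhost above
    "shop.example.org": "shop-ssl.crt",
}
DEFAULT_CERT = "default-ssl.crt"   # served by the first (default) vhost on the IP/port


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record (constructed test vector)."""
    client_version = b"\x03\x03"
    random = bytes(32)                          # all-zero random is fine for a test vector
    session_id = b"\x00"                        # zero-length session id
    cipher_suites = b"\x00\x02" + b"\xc0\x2f"   # one suite: ECDHE-RSA-AES128-GCM-SHA256
    compression = b"\x01\x00"                   # one method: null
    ext_block = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = SNI
        ext_block = struct.pack("!H", len(extensions)) + extensions
    # A legacy client (like IE on Windows XP) sends no extensions block at all.
    body = client_version + random + session_id + cipher_suites + compression + ext_block
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None if the client sent none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                # skip client_version and random
    pos += 1 + body[pos]                        # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                           # skip cipher_suites
    pos += 1 + body[pos]                        # skip compression_methods
    if pos >= len(body):
        return None                             # no extensions block: SNI-unaware client
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != 0x0000:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        i = 2
        while i + 3 <= 2 + list_len:
            name_type = data[i]
            name_len = struct.unpack("!H", data[i + 1:i + 3])[0]
            name = data[i + 3:i + 3 + name_len]
            i += 3 + name_len
            if name_type == 0:
                return name.decode("ascii")
    return None


def pick_certificate(sni, strict_check=False):
    """Mimic Apache's choice: the matching name-based vhost, otherwise the default vhost.

    With SSLStrictSNIVHostCheck on, Apache still completes the handshake with the
    default certificate but refuses the request (HTTP 403); None models that refusal.
    """
    if sni is None:
        return None if strict_check else DEFAULT_CERT
    return VHOST_CERTS.get(sni, DEFAULT_CERT)


if __name__ == "__main__":
    for hello in (build_client_hello("labs.example.org"), build_client_hello()):
        sni = extract_sni(hello)
        print(f"SNI={sni!r:>20}  cert={pick_certificate(sni)}  strict={pick_certificate(sni, True)}")
```

Run as a script it prints one line per constructed ClientHello. The parser deliberately walks every variable-length field instead of searching for the host name as a substring, because the SNI extension is only meaningful at the position the TLS layout puts it; a server that wants to log or alert on SNI-less clients (the ones the rewrite rule tries to spare) needs exactly this distinction between "extension absent" and "extension present but no host_name entry".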

Warning, rant ahead…

So maybe the browser you love to hate has improved by supporting SNI in versions 9 and 10. For me, that is not enough. In my opinion, the SNI feature should be offered as a critical security update for Internet Explorer 8 (and even 7). This is technically possible and the only ethical thing to do with IPv4 running out. So Microsoft, the ball’s in your court, so to speak.
