
Webfaction enabled SNI on all of their servers in December 2011 [1], which means you no longer need to buy a dedicated IP address to use SSL. In fact, when they made this switch, they switched my server over to SNI automatically and stopped charging me the extra $5/month automatically. Awesome!

A small fraction of Internet users on extremely out-of-date systems cannot use SNI. If you need to support those users, you will still have to buy a dedicated IP address. I personally don't bother (if you're running IE 6 on Windows XP, you have bigger problems).

This is a great guide! I did the exact same thing several months ago and am very happy with the result. Enough with the excuses not to deploy SSL!

[1] https://blog.webfaction.com/2011/12/server-name-indication-e...
Almost 1 in 5 people on the web are still running Windows XP. No version of Internet Explorer on XP supports SNI. Neither does Safari on XP, the browser in Android 2.x, the BlackBerry browser or Opera Mobile before 10.1. It may be a minority of users, but it's not just "people who are still running IE6".

Pretty much everyone would love to use SNI; site owners wouldn't have to pay for extra IPs, hosting companies wouldn't have to worry about securing and allocating them just for SSL use, tons of IPv4 space could be put back into circulation, and CAs would be able to sell many more certs. Unfortunately the group that can't use it is too large to ignore, so none of that's happening.


Yes, XP does not support SNI. Users will be presented with a certificate error; however, the correct site will be served. It will just have the wrong cert. If this is not a deal breaker for the small percentage of XP traffic expected, you should use SNI anyway. Maybe a JavaScript check to point out to the user why the wrong cert was displayed would nudge them to upgrade.


I appreciate your detailed response! I should not have been so dismissive of those users. Still, I maintain that the "extra cost for a dedicated IP" is a poor excuse for not implementing SSL.


Unfortunately, it's not always just the cost - too many providers (e.g. DigitalOcean) obnoxiously don't support multiple IP addresses on a server/VM.


DigitalOcean is small... Windows Azure does not support multiple IPs except for hosted websites. Cloud Services or Virtual Machines get only one IP.

And dedicated IPs for websites are extremely expensive.


Further proving my point... Joyent is another example of a cloud provider which only gives you one IP address.

It doesn't need to be this way - Linode gives extra addresses for $1/month each (provided valid technical justification, such as the need to run HTTPS).


In DigitalOcean's defense, the right answer if you need an additional IP for an SSL-secured website is to pay $5/month for it and get a free 512M/20G droplet for it. If the price difference between Linode's $1/month extra IP address and DO's $5/month extra VPS is a sticking point - you're not indicating that you care very much about privacy/security.

(There may well be other reasons spinning up additional VPSes for each SSL-secured site doesn't suit you, but a few dollars a month price difference is surely only being used as an excuse for inaction rather than a show-stopping financial burden - at least for anyone in the top 99% of HN's demographic…)


Why's this a problem related to SSL?


Without SNI, SSL works on an IP address level rather than a hostname level, just like HTTP/1.0 worked at the IP address level and HTTP/1.1 works at the hostname level with the Host header.

Read https://en.wikipedia.org/wiki/Server_Name_Indication for more info.
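To make the "IP level vs. hostname level" distinction concrete, here is an added example (not part of this thread or of any project mentioned in it) that builds a minimal TLS ClientHello with and without the SNI extension and then parses the server name back out of the raw bytes, the way a TLS server or a network sensor would. Without the extension the server has nothing but the destination IP to pick a certificate by, which is exactly why the legacy clients discussed above get the "wrong" (default) certificate. The record layout follows RFC 5246 / RFC 6066; the cipher-suite values and hostnames are constructed sample input.

```python
import os
import struct

# TLS constants (RFC 5246 / RFC 6066)
RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


def _sni_extension(hostname: str) -> bytes:
    """Encode the server_name extension carrying one host_name entry."""
    name = hostname.encode("idna")
    entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def build_client_hello(hostname=None, cipher_suites=(0xC02F, 0xC030)) -> bytes:
    """Build a TLS 1.2 ClientHello record.

    hostname=None mimics a legacy client: the optional extensions block is
    omitted entirely, so the server never learns which site was requested.
    """
    body = b"\x03\x03" + os.urandom(32) + b"\x00"          # version, random, empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites       # cipher_suites
    body += b"\x01\x00"                                   # compression_methods: null only
    if hostname is not None:
        exts = _sni_extension(hostname)
        body += struct.pack("!H", len(exts)) + exts
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([RECORD_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def _need(buf: bytes, pos: int, n: int) -> None:
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")


def extract_sni(record: bytes):
    """Return the host_name from a ClientHello record, or None if absent.

    Raises ValueError on anything that is not a well-formed ClientHello, so a
    caller logging handshakes does not silently treat garbage as 'no SNI'.
    """
    _need(record, 0, 5)
    if record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    _need(hs, 0, 4)
    if hs[0] != HANDSHAKE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) != int.from_bytes(hs[1:4], "big"):
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                          # skip client_version and random
    _need(body, pos, 1)
    pos += 1 + body[pos]                                  # session_id
    _need(body, pos, 2)
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
    _need(body, pos, 1)
    pos += 1 + body[pos]                                  # compression_methods
    if pos >= len(body):
        return None                                       # legacy client: no extensions at all
    _need(body, pos, 2)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    _need(body, pos, ext_len)
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        _need(body, pos, elen)
        edata = body[pos:pos + elen]
        pos += elen
        if etype != EXT_SERVER_NAME:
            continue
        _need(edata, 0, 2)
        list_end = 2 + struct.unpack("!H", edata[:2])[0]
        q = 2
        while q + 3 <= list_end:
            ntype, nlen = edata[q], struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            _need(edata, q, nlen)
            if ntype == SNI_HOST_NAME:
                return edata[q:q + nlen].decode("ascii")
            q += nlen
    return None


if __name__ == "__main__":
    # Constructed sample hostnames: two sites that would share one IP.
    for host in ("shop.example.test", "blog.example.test", None):
        hello = build_client_hello(host)
        print(f"SNI sent={host!r:>22}  server sees={extract_sni(hello)!r}")
```

Run stand-alone it prints one line per handshake; the `None` case is the one a server can only answer with whatever certificate is bound to that IP, which is the behaviour the Windows XP / Android 2.x clients in this thread hit. The same `extract_sni` logic is what lets a load balancer or IDS attribute a TLS connection to a site before any decryption.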


Sorry, I wasn't clear. I understand SNI and SSL without SNI.

What I'm not seeing is why it's a problem when a host such as DO doesn't allow multiple IP addresses on a single machine.

Is it because you may want to host multiple sites on that machine and use one IP address for SSL?

Oh, never mind. It's because you may want to support multiple SSL sites on the same box without requiring your clients to support SNI. That makes sense.

We really need to just EOL everyone who has a browser without SNI. People like to say that there's still a lot of XP users out there but surely even a reasonable chunk of them are using Chrome or Firefox with SNI support, right?


But they're all in China, so if that isn't your market, then don't worry about it.


If you're in the Mobile space, cutting out Android 2.x is unacceptable: 33.1%!

(Source: http://developer.android.com/about/dashboards/index.html)


Any IExplorer on Windows XP, Safari on Windows XP, Android 2.x, BlackBerry, Symbian, Java before 1.7, Windows Mobile up to 6.5 ... the list is quite significant. Depending on your target, you can easily talk about 25% of the traffic.


Yep. Sadly true. We as an e-commerce provider would loooove to enable it as well, but we have to be able to cater to all users for the most part.


Safari on Windows isn't even supported anymore. Who uses it?


A surprisingly large chunk of that ~6% market share.


I used StartSSL certs on a few of my Webfaction-hosted websites with SNI. It was fairly simple, and considering the cost, an excellent service that I highly recommend.

One caveat is that the free certificate lasts only a year.
