Index syndication
comment syndication

Is SNI viable?

Traditionally if one was to secure a web server using TLS (or previously, SSL) – then one would configure your web server to use TCP port 443 to listen for TLS requests from clients (browsers). When a browser connects to the web server using the HTTPS protocol, the server would encrypt the communications and all would be well with the world.

A problem occurs when you use name based Virtual Hosting on your web server. If you need to determine the client request before providing content from a virtual host, e.g. blah.com vs. blahblah.com, then this couldn’t be done if you encrypted the communications using TLS. Enter stage left: Server Name Indication.

According to Wikipedia:

Server Name Indication is a feature that extends the SSL and TLS protocols. It permits the client to request the domain name before the certificate is committed to the server. This is essential for using TLS in virtual hosting mode.

I’ve a need to use Server Name Indication (SNI) for some freelance IT work I perform, but colleagues shy away from SNI since Internet Explorer on Windows XP is unsupported.

Is this an issue? Are so many people still on Windows XP that it will diminish the security aspects of implementing SSL to secure input of personal data ?

One of the best places to determine OS usage trends in Australia would be from Google, but they don’t provide such data. Therefore I turn to another source of data: StatCounter. They have been providing stats to websites and business for well over 10 years, so their data should be viable.

Source: StatCounter Global Stats – OS Market Share


The chart above shows Operating system usage for 2014 in Australia. Windows XP sits at 4 percent usage at the end of 2014. For an operating system that’s now unsupported and 4 Major versions old; it just shouldn’t be considered anymore.

Source: StatCounter Global Stats – Combine Chrome (all versions) & Firefox (5+) Market Share

The second chart shows browser usage statistics in 2014. Internet Explorer 6, which doesn’t support SNI, isn’t even on the chart anymore.

Knowing the actual statistics – the usage of Internet Explorer 6 (or a lesser version) and Windows XP seems to be so minimal that usage of SNI is a viable option; especially where it gives a rise to cost saving on implementation of x509 certificates on web front ends. What do you think?

Coral Content Distributed network

Have you ever had your website hit on a topic that people find conflicting? When the site gets viewed by the masses, you need to be prepared. If you have access to modify your web server .htaccess file then go and have a read of the Coral CDN Overview
For those interested in the techie bits, here is my .htaccess for news site flood protection, and to allow CDN to serve up all my site images – thus offloading from my puny connection the bandwidth burden for images.


<ifmodule mod_rewrite.c>
RewriteEngine On
#prevent slashdot effect
RewriteCond %{HTTP_USER_AGENT} !^CoralWebPrx
RewriteCond %{HTTP_REFERER} blogspot\.com [NC,OR]
RewriteCond %{HTTP_REFERER} reddit\.com [NC,OR]
RewriteCond %{HTTP_REFERER} digg\.com [NC,OR]
RewriteCond %{HTTP_REFERER} news\.slashdot\.org [NC,OR]
RewriteCond %{HTTP_REFERER} slashdot\.org
RewriteRule ^(.*)$ https://techdebug.com.nyud.net/$1 [R,L]
#Rewrite images to allow CDN to serve them
RewriteCond %{HTTP_USER_AGENT} !^CoralWebPrx
RewriteRule ^(.*)/(.*\.(gif|png|jpe?g))$ https://techdebug.com.nyud.net/$1/$2 [R,L]
#Wordpress rewites
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</ifmodule>

mod_rewrite is your friend.