At Arrow, we like to offer all our customers the ability to secure their site(s) with an SSL/TLS certificate - this gives you the padlock in the address bar and helps boost customer confidence in your site. Traditionally, to run a secure site you required a dedicated IP address - you were not able to share the same IP address as you do in non-secure shared hosting. Therefore, a secure site usually meant you needed some dedicated hardware (usually a server) just for your site, which vastly increased the cost of hosting.
To get around this problem, and some other issues, server name indication (SNI) was made available around 2007. This allowed you to run multiple secure sites on a single IP address. This was a great step forward, but it required the technology on both the web server(s) and the visitors' machines. After a while, more and more browsers and operating systems supported SNI. We are now at the point where it is a valid choice for running a secure site, as not many visitors run un-supported software.
We therefore offer secure site hosting (via SNI) at no additional charge, all our clients are able to run their sites securely with the only cost being the SSL/TLS certificate. There are still some tradeoffs with SNI, so we created this article to enable customers to choose the solution right for them.
- No additional cost (other than the certificate)
- Google now gives a secure site better ranking than a non-secure site
- All communications are encrypted end-to-end
- Customer confidence increases
- Username and passwords are not sent in plain text over the internet when you and/or customers login
- No support for Internet Explorer on Windows XP
- Annual cost of certificate
Is SNI right for me?
Our answer to this is yes, unless you need to support a significant number of visitors running Internet Explorer on Windows XP. Microsoft dropped support for Windows XP in April 2014. Meaning this operating system isn't getting regular updates and may be a significant security risk, therefore official recommendation is to not use it and upgrade to a newer version of windows.
We are typically seeing a low number of XP users (between 5% and 8% on our client sites), some of which will be using alternative browsers (which will work fine). This number will be decreasing month on month.
Therefore, in summary:
- If you need to run a secure site and don't have a large visitor base on Windows XP, then SNI will be great.
- If you need to run a secure site and have a large visitor base on Windows XP, then you will need your own dedicated hardware.
- If you don't really need to run a secure site and don't have a large visitor base on Windows XP, it's entirely up to the client whether the advantages of running a secure site via SNI outweigh the disadvantages.
- If you don't really need to run a secure site and have a large visitor base on Windows XP, then perhaps continue to run the site non-secure and re-asses every 6 months