What’s Wrong with SNI Based SSL Certificates & Browser Support?

Considering an SNI based SSL certificate with hosting? Here are good reasons not to, even if it’s provided free. And what’s the problem with browser support?

SNI Based SSL

Don’t get me wrong, there are good uses for TLS/SSL certificates that use the Server Name Indication (SNI) extension. But be aware of the following:

So what’s wrong with SNI based SSL certificates?

Issue #1 Browser support

All modern web browsers support SNI certificates. However, depending on the visitor's geography or type, some may have older versions that lack support.

Every year, there are fewer incompatible browsers online. But those serious enough may want to implement backup measures, which is not an easy task.

These are popular supported browsers:

  • Mozilla Firefox support from version 2.0
  • Internet Explorer support from version 7 (Windows Vista or higher only, no Windows XP support)
  • Google Chrome support since version 6.0

You can find a list of SNI certificate compatible browsers here.
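To judge how much Issue #1 matters for a particular site, the version thresholds in the list above can be applied to that site's own access log. The following Python is an added example, not part of the original article; it assumes the combined log format, the log lines are constructed, and since User-Agent strings are client-supplied the counts are an estimate.

```python
import re
from collections import Counter

# Minimum versions from the browser list above.
MIN_FIREFOX, MIN_CHROME, MIN_IE = (2, 0), (6, 0), (7, 0)
MIN_IE_WINDOWS_NT = (6, 0)  # Vista reports "Windows NT 6.0", XP reports 5.1

def _ver(text):
    """'5.0.375' -> (5, 0): major and minor as a comparable tuple."""
    parts = [int(p) for p in text.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))

def sni_capable(user_agent):
    """True/False for the browsers listed above, None for anything else."""
    ie = re.search(r"MSIE (\d+(?:\.\d+)*)", user_agent)
    if ie:
        nt = re.search(r"Windows NT (\d+\.\d+)", user_agent)
        if nt is None:
            return None  # IE on an unidentified OS: cannot decide
        return _ver(ie.group(1)) >= MIN_IE and _ver(nt.group(1)) >= MIN_IE_WINDOWS_NT
    for token, minimum in (("Chrome", MIN_CHROME), ("Firefox", MIN_FIREFOX)):
        m = re.search(token + r"/(\d+(?:\.\d+)*)", user_agent)
        if m:
            return _ver(m.group(1)) >= minimum
    return None

def summarize(log_lines):
    """Count requests per verdict; the user agent is the last quoted field."""
    counts = Counter()
    for line in log_lines:
        fields = re.findall(r'"([^"]*)"', line)
        verdict = sni_capable(fields[-1]) if fields else None
        counts[{True: "sni", False: "no_sni", None: "unknown"}[verdict]] += 1
    return counts

# Constructed sample lines in combined log format (not real traffic).
_PREFIX = '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
SAMPLE_LOG = [_PREFIX + '"%s"' % ua for ua in (
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)",
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.12) Gecko/20070508 Firefox/1.5.0.12",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:115.0) Gecko/20100101 Firefox/115.0",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "curl/8.4.0",
)]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LOG)))
```

Requests counted as `unknown` come from clients the list above does not cover and need a separate look before drawing conclusions.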

Issue #2 Better alternatives

Even if browser compatibility is a minor issue, why take the risk when you can get completely free SSL from the Let’s Encrypt certificate authority, which has the same support as commercial certificates and is domain validated?

Most modern hosting companies nowadays support them, with easy one-click install in cPanel and no need for expensive IP addresses. Good examples are:

If you are stuck with a hosting company that offers only free SNI SSL (Bluehost, etc.), the above companies can migrate your website free.

Issue #3 Less secure

The SNI SSL will likely support the TLS 1.0 protocol, which is considered more insecure and vulnerable than regular domain validated TLS/SSL certificates.

Still, the security impact can be debated, and will be minor. However, there is still little reason to risk it when there are better and free alternatives available.

Issue #4 Commercial certificates

The biggest promoter of SNI SSL certificates is Comodo. Coincidentally, it is also one of the biggest and oldest commercial TLS/SSL certificate authorities.

The fact is that they often give out “free SSL” in partnership with other big hosting companies (like Endurance International Group, or EIG), while trying to push hosting customers to opt in for commercial Comodo SSL certificates.

Let’s Encrypt (or LetsEncrypt) is run by the Electronic Frontier Foundation and other good guys, and relies on donations, with the good cause of providing a truly secure internet for everyone. I personally prefer to support them!

These 4 issues with SNI certificates I consider the most important.

What do you think, is Server Name Indication good or bad?
What’s your solution or problem for HTTPS hosting on free SSL? 

End note: Some articles within the WebHostWhat blog contain affiliate links. This is only a portion of the links and supports my blood and sweat put behind these writings. Either way, huge thanks for visiting my blog! Cheers, Tim.
