
Server Name Indication

How one IP can serve many HTTPS sites by naming the host during the handshake.


The virtual hosting problem

Multiple HTTPS sites often share a single IP address. With plain HTTP the server reads the Host header to pick the right site, but in TLS the handshake happens before any HTTP request, and the server must present a certificate first. Without extra information it cannot know which site's certificate to send.

How SNI solves it

Server Name Indication is a TLS extension where the client includes the target hostname in its first handshake message, the ClientHello.

  • The server reads the requested name early in the handshake.
  • It selects the matching certificate for that host.
  • It completes the handshake with the correct identity.

A privacy concern is that the hostname in SNI is sent in the clear, so a network observer can see which site you are visiting even though the rest of the connection is encrypted. Encrypted Client Hello (ECH) is the evolving answer: it encrypts the sensitive ClientHello fields, including the hostname, so the visited site is hidden from passive observers.
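The following added example (not part of the original lesson) ties the two points above together: it encodes the server_name extension in the RFC 6066 wire format a client puts in its ClientHello, parses it back out the way a server (or any passive observer on the path, since the bytes are unencrypted) would, and then performs the certificate selection step against a constructed hostname-to-certificate map. The map, the hostnames and the second "supported_groups" extension used as filler are constructed sample data, not values from the page.

```python
import struct
from typing import Dict, List, Optional

SNI_EXTENSION_TYPE = 0x0000   # server_name extension type (RFC 6066)
HOST_NAME_TYPE = 0            # the only NameType RFC 6066 defines


def build_sni_extension(hostname: str) -> bytes:
    """Encode one server_name extension: type, length, ServerNameList."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
    server_name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_extensions_block(extensions: List[bytes]) -> bytes:
    """Concatenate extensions under the 2-byte total length used in ClientHello."""
    body = b"".join(extensions)
    return struct.pack("!H", len(body)) + body


def parse_sni(extensions_block: bytes) -> Optional[str]:
    """Walk the ClientHello extensions and return the host_name, or None if absent.

    Everything read here is plaintext on the wire, which is exactly why a
    passive observer learns the visited hostname before any encryption starts.
    """
    (total,) = struct.unpack_from("!H", extensions_block, 0)
    pos, end = 2, 2 + total
    if end > len(extensions_block):
        raise ValueError("truncated extensions block")
    while pos < end:
        ext_type, ext_len = struct.unpack_from("!HH", extensions_block, pos)
        pos += 4
        data = extensions_block[pos:pos + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension")
        pos += ext_len
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        (list_len,) = struct.unpack_from("!H", data, 0)
        p = 2
        while p < 2 + list_len:
            name_type, name_len = struct.unpack_from("!BH", data, p)
            p += 3
            name = data[p:p + name_len]
            p += name_len
            if name_type == HOST_NAME_TYPE:
                return name.decode("ascii")
    return None


def select_certificate(hostname: Optional[str], certificates: Dict[str, str], default: str) -> str:
    """Server-side step: pick the certificate matching the requested name.

    Falls back to the default certificate when the client sent no SNI (old
    clients) or asked for a name this server does not host. Host names are
    case-insensitive, so compare in lower case.
    """
    if hostname is None:
        return default
    return certificates.get(hostname.lower(), default)


# Constructed sample data: a filler supported_groups extension (type 0x000a,
# listing x25519) and a hostname-to-certificate map for one shared IP.
FILLER_EXTENSION = struct.pack("!HH", 0x000A, 4) + b"\x00\x02\x00\x1d"
CERTIFICATES = {"shop.example": "cert-shop", "blog.example": "cert-blog"}
DEFAULT_CERT = "cert-default"


def demo() -> str:
    """Client builds ClientHello extensions with SNI; server reads it and picks a cert."""
    client_hello_extensions = build_extensions_block(
        [FILLER_EXTENSION, build_sni_extension("Shop.Example")]
    )
    requested = parse_sni(client_hello_extensions)   # what server and observer both see
    return select_certificate(requested, CERTIFICATES, DEFAULT_CERT)


if __name__ == "__main__":
    print(demo())  # cert-shop
```

The no-SNI path (`parse_sni` returning `None`) is what a server sees from a client that predates the extension; serving a default certificate there is the usual choice, and a mismatch on that path shows up as a certificate-name error on the client rather than a silent failure.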

Key idea

SNI puts the target hostname in the ClientHello so a server sharing one IP can pick the right certificate, though that hostname is visible until Encrypted Client Hello hides it.

Check yourself


1. Why is SNI needed for HTTPS virtual hosting?

2. What privacy weakness does plain SNI have?