Forum Moderators: phranque

Does your HTTPS site need a unique IP address?

         

keyplyr

12:28 pm on Sep 16, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Unique IPs are most commonly used with domains that have Secure Hosting enabled. While it is possible to use Secure Hosting without a Unique IP, some older browsers which do not support Server Name Indication display a certificate warning when viewing your site (even if your cert is valid.)

The following browsers do NOT support Server Name Indication (SNI):

• Internet Explorer (any version) on Windows XP or Internet Explorer 6 or earlier
• Safari on Windows XP
• BlackBerry OS 7.1 or earlier
• Windows Mobile up to 6.5
• Android default browser on Android 2.x (Fixed in Honeycomb for tablets and Ice Cream Sandwich for phones)
• wget before 1.14
• Java before 1.7
• Nokia Browser for Symbian at least on Series60
• Opera Mobile for Symbian at least on Series60

not2easy

12:50 pm on Sep 16, 2016 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Isn't it somewhat ironic that Windows XP using IE6 would warn visitors about SSLs?

keyplyr

1:11 pm on Sep 16, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



My content gets a lot of those users who bought a machine 15 years ago and never upgraded beyond what the box came with.

blend27

12:02 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I think it also needs to be mentioned that SNI was only introduced on Microsoft IIS in version 8.

[iis.net...]


ergophobe

12:10 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Internet Explorer (any version) on Windows XP"

Actually, this is not related to Internet Explorer. This is a limitation of Windows XP. So that should read "No browser of any brand on Windows XP."

Simply put, SNI will not work with Windows XP whether using Firefox, Chrome or whatever.

Unfortunately, SNI support isn’t available on Windows XP, even in IE8. IE relies on SChannel for the implementation of all of its HTTPS protocols. SChannel is an operating system component, and it was only updated with support for TLS extension on Windows Vista and later. --src: [blogs.msdn.microsoft.com...]


Depending on which sources you check, Windows XP accounts for about six to ten percent of desktop/laptop traffic, which, assuming you have about half your traffic on mobile/tablet, would be three to five percent. By some measures, it is still more popular than OS X.
- [netmarketshare.com...]
- [en.wikipedia.org...]

Note also that SNI doesn't work with mail servers and FTP servers last I knew.

So you need to look at your needs and your analytics and figure out whether you can afford to write that traffic off.

Some past discussions of SNI
[webmasterworld.com...]
[webmasterworld.com...]
[webmasterworld.com...]


keyplyr

1:24 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Actually, this is not related to Internet Explorer. This is a limitation of Windows XP. So that should read 'No browser of any brand on Windows XP.'"

Thanks for the additional information. I didn't intend to sound like it was an Internet Explorer thing.

keyplyr

4:05 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month




Make sure your web server supports SNI and that your audience uses supported browsers, generally. While SNI is supported by all modern browsers, you'll need a dedicated IP if you need to support older browsers.
source: [support.google.com...]

lammert

5:19 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You don't need SNI to serve multiple sites with https over one IP. I have done this for almost 10 years now with wildcard and multiple domain certificates. But the price for these certificates is still higher per year than the price most hosting companies ask for additional IPs.

Recently though I switched all my sites to https only over one IP, practically cutting off the two to ten percent of visitors still using outdated technologies. Revenue from the sites hasn't changed, which was for me the assurance that those who don't invest in their own computer equipment also do not spend much money on the net.

keyplyr

5:30 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"those who don't invest in their own computer equipment also do not spend much money on the net."

I agree. These are usually the types that are leery of using their credit cards on the internet... all while using archaic systems that are no longer supported with security updates.

But isn't there more than sales that we get from traffic? Traffic builds branding and rating which might translate as sales long term.

robzilla

6:36 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Must be a frustrating experience to browse the Web without SNI these days. Anyway, I doubt my sites are very usable in IE <9 since I stopped caring about those versions long ago, and setting up dedicated IPs for those users is probably not worth the money and effort required.

Oddly enough, Analytics tells me that, on one site, I still got 150+ visitors last month who were on Windows XP using Internet Explorer, and their average bounce rate and pages visited look pretty normal, when they shouldn't even be able to access the site.

Or can the SNI problem be bypassed? Perhaps XP/IE users are used to seeing and bypassing those warnings. I'll pull my XP laptop out of the closet later on, see what happens.

graeme_p

7:23 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I thought Chrome and FF did support SNI on Windows XP?

Does your site work with those browsers anyway? Have you tested the design with them?

keyplyr

8:58 am on Sep 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



So it's not that these older browsers or Windows XP users can't access an HTTPS site, just that they will receive continued cert warnings they will need to click through even if your cert is valid.

I would assume these users are accustomed to seeing these warnings given the huge number of sites moving to secured. I also think many of these users understand what the issue is by now, and that they are either tentative or can't afford the hardware upgrade.

blend27

11:38 pm on Sep 18, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



SNI & ShmeSeNay is all moot.

Real question is: Are major Search Engines able to distinguish when the user is using their search utility(and let you them/you in their own words in "So called Control Panels" in clear wording what needs to be done).

Using an outdated browser? Or is it that Goog Said 1.1 and $M said "I don-now-dude"?

Can Someone on WebmasterWorld open a real issue?

javadth

8:15 am on Sep 19, 2016 (gmt 0)

10+ Year Member



i bought ssl and hosting told u should have unique IP

robzilla

10:15 am on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"i bought ssl and hosting told u should have unique IP"

You've been upsold. Or their technology is outdated.

Real question is: Are major Search Engines able to distinguish when the user is using their search utility(and let you them/you in their own words in "So called Control Panels" in clear wording what needs to be done).

Using an outdated browser? Or is it that Goog Said 1.1 and $M said "I don-now-dude"?

I have no idea what you're saying.

graeme_p

12:06 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@lammert unless you are using free certificates, an IP plus a certificate per site seems to cost about the same, at least for some combinations of hosts and issuers - near enough that price is not going to be the deciding factor anyway.

Also, some options for hosting have limited flexibility about IPs (e.g. a limit on the number of IPs per VPS) so requiring more IPs might limit your hosting options.

robzilla

1:52 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Or can the SNI problem be bypassed? Perhaps XP/IE users are used to seeing and bypassing those warnings. I'll pull my XP laptop out of the closet later on, see what happens."

To follow up on this: yes, the certificate warning is pretty easy to circumvent by clicking "Proceed to this website", although it's "(not recommended)". That's on Windows XP with IE8. It's annoying to have to click through all the time, but people may be used to it.

Interestingly, I cannot access WebmasterWorld at all on that setup (unrelated to the HTTPS certificate).

lammert

2:29 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Interestingly, I cannot access WebmasterWorld at all on that setup (unrelated to the HTTPS certificate)."

You cannot access WebmasterWorld because it uses TLS only. SSL has been switched off server side. I have the same setup on my servers and no Windows XP or other older clients without TLS support are able to connect.

robzilla

3:14 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Windows XP supports TLS 1.0, so unless they have that disabled, it should work. I also have SSL disabled server-side and my sites load just fine on that machine.

lammert

3:28 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Then it may be the cypher set available on the server. I recently did a security scan on my servers which advised me to switch off weak cyphers.

robzilla

3:34 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



"Server sent fatal alert: handshake_failure" is what SSL Labs [ssllabs.com] tells me. Could be the ciphers.

lammert

3:58 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



If that is the case, then we can maybe conclude that https sites which have disabled weak ciphers have no advantage of serving their content over individual IPs, because clients which cannot use SNI are already blocked from those sites because they cannot use high strength encryption ciphers.

keyplyr

8:41 pm on Sep 20, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



RE: the ssllabs.com test

They rated my site "A" for all 4 categories: certificate, TLS 1.2 (with backward support) Protocol, Key Exchange & Cipher Strength.

And I'm using a free Let's Encrypt cert without a unique IP address :)

blend27

6:42 pm on Sep 21, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@KP

What OS/WebServer Ver. is this on?

keyplyr

8:22 pm on Sep 21, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



@blend27 - sticky sent

Linux, apache2
 


 


 


 
