# Server Name Indication (SNI)

Domain names are associated with IP addresses. Since IP addresses are limited in their number, there's a need to host multiple websites (multiple domains) under a single IP address.


With just HTTP (without TLS), we can solve this issue with the Host header sent in the request. The server can read that header and serve the right content.


The issue comes when we switch to HTTPS. During the TLS handshake, the server is supposed to send the client the certificate of the website. Since the Host header I mentioned above is part of HTTP (layer 7 of OSI), there is no access to it during the TLS handshake. SNI comes with an alternative solution.


During the client-hello of TLS 1.3, SNI is sent - a domain name that we're trying to reach. This way, the server can send server-hello with the right certificate.

Plain Text

The SNI information (domain name) is unencrypted. The Encrypted Client Hello (ECH) (previously ESNI) resolves that problem (TLS 1.3 only).

Last Updated: 11/28/2022, 9:27:43 AM