Google announced recently that sites using HTTPS (secure web connections, aka SSL) may be given preferential search rankings, and there is a general widespread call to use HTTPS everywhere. is offering a free security certificate with every new domain registration, and presumably other registrars will follow suit.

But the big bottleneck to HTTPS adoption for smaller sites is that it is not easy to use with the most common kind of virtual hosting: name-based virtual hosting. That’s where you have many different sites on one server, and they all share the same IP address.

In name-based virtual hosting, when the server receives a request for a web page, it checks to see what domain name is being asked-for and then serves up the correct page. Unfortunately, with HTTPS, the domain name is encrypted along with the rest of the request, so the encrypted connection must be set up, with the correct certificate, before the name can be determined by the server. It’s a classic chicken and egg problem.

There are two ways around this, neither of which scales very well:

1) Use a different IP address for each domain.
2) Use a single certificate that is valid for multiple domain names.

Number 1 doesn’t scale because IPv4 addresses are a finite resource. ISPs and cloud providers are already getting antsy about handing them out.

And number 2 doesn’t scale because certificate authorities limit the number of alternate names you can add to any one certificate. 20 is a common limit. There is also an administrative burden of matching websites to certificates to configurations as customers sign up and leave, which is a bit like playing Tetris.

Switching (finally!) to IPv6 would solve the scarcity problem and allow us to assign a unique IP address to each website, which in turn allows each customer to bring their own TLS certificate to the table. 

I hope that our evolving common understanding of Internet security and the need for HTTPS connections everywhere (which is constantly being reinforced!) will give end-user ISPs the push they finally need to implement end-to-end IPv6.

AuthorChris Snyder