Comment by dangrossman
11 years ago
Lots of services create dynamic subdomains in the form of "username.domain.com". To offer SSL on those domains without a wildcard certificate, you'd need to obtain a new certificate and a new IPv4 address every time a user signs up. You also need to update configuration and restart the web server process.
You don't need a new IPv4 address for each cert. That's for Windows XP. Just stop giving a shit about XP and use SNI. Problem solved.
Try telling that to any business. XP's marketshare worldwide is between 10-20% according to some metrics (cursory google result: http://www.netmarketshare.com/operating-system-market-share....)
There are very few companies out there that are okay with serving 1/5th of their potential customers an error page, and for good reason.
Looking at a recently created map by cloudflare (http://blog.cloudflare.com/introducing-universal-ssl/ http://cloudflare.github.io/sni-visualization/) it looks that a large portion of that seems to come from china.
A quick glance over EU countries reveals that more than 91% of potential users support SNI.
It might depend on your line of business but I think for some entities this might be a viable option