[lcampbell]

The wildcard fix is annoying when you have everything on SSL but don't want to handle a wildcard cert[1]. When someone typos https://foo.example.com I'd like the UX to be a browser's "could not connect to server" error, not "this site is untrusted, run away as fast as you can".

--

[1] IMO, the use of wildcard certs is a dangerous practice[2] made obsolete by SNI.

[2] If the cert gets stolen from one server, the thief can impersonate any server on that domain.

[JoshTriplett]

Given that no means currently exists to safely hand out a certificate for example.org that can in turn sign separate certificates for arbitrary foo.example.org subdomains, some sites still need wildcards. If you hand customers their own subdomain, and you automatically mint new customer subdomains when new customers sign up, you can't get a separate CA certificate for each one even if SNI does work; you really do need a wildcard for that.