Tested against: https://www.buro9.com/ , which is my own domain running behind CloudFlare using their SSL cert (it's a Pro account - my free accounts have not yet been enabled with the free SSL).
IE6 on WinXP accesses this without warning providing CloudFlare Apps are disabled.
If CloudFlare Apps are enabled, then IE6 gives a mixed-content warning but is fine with the SSL cert.
Caveat: This WinXP+IE6 version might not be precisely the same as whatever is in the wild and has never been updated. For reference WinXP is Service Pack 3, and IE6 is 6.0.2900.5512
So a pure SNI test using https://sni.velox.ch/ on IE6 on WinXP does produce a warning dialog, "The name on the security certificate is invalid or does not match the name of the site".
Clicking OK clears it for the remainder of the browser session.
Just a normal SSL error, or would they be able to see another site?
I had an issue like this with SNI where a client reported being able to see another site that was on the same IP. The issue was that she was using IE on Windows XP, and SNI didn't work.
A web server can be configured to send a default ssl cert if the browser does not support SNI, but can still route the request to the correct virtual host based on the HTTP Host: header if the customer clicks through the warning.
The following two https sites exist on the same IP:
grepular.com
emailprivacytester.com
If your browser doesn't support SNI, then the cert for "grepular.com" will be returned by default. So browsers which don't support SNI will not notice anything unusual when visiting https://grepular.com/, but will get the cert for grepular.com instead of emailprivacytester.com when visiting https://emailprivacytester.com/
Unless you have IPv6 support, in which case the sites have different IPs so SNI isn't required (exactly like cloudflare have just done)
Are you sure chrome on xp wouldn't have the issue? Previous tests we've done and documentation from chrome showed on xp chrome used the same network stack that IE used. Has that changed in newer releases?
So whose responsibility it is to make sure that those pages are not requested via HTTPS from older browsers? Cloudflare or website owner? And how would website owner do that? Based on User-Agent?
Tested against: https://www.buro9.com/ , which is my own domain running behind CloudFlare using their SSL cert (it's a Pro account - my free accounts have not yet been enabled with the free SSL).
IE6 on WinXP accesses this without warning providing CloudFlare Apps are disabled.
If CloudFlare Apps are enabled, then IE6 gives a mixed-content warning but is fine with the SSL cert.
Caveat: This WinXP+IE6 version might not be precisely the same as whatever is in the wild and has never been updated. For reference WinXP is Service Pack 3, and IE6 is 6.0.2900.5512