I'd be curious to know what the actual numbers are...IE 7 even supports SNI, as long as it is running on Vista+. I've seen stats that say XP usage is near 15% now, and some portion of that must include non-IE browsers, so perhaps 10% might be an accurate estimate? When you "last looked", where did you find that 50% stat?
With regards to the security hole, do you mean to say that having the domain name sent in the clear before the secure session is established is the problem? Other than some narrow privacy concerns, I can't see the real issue here, given that most of the time a certain IP address implies a certain domain name, and the destination IP address needs to be sent in the clear.