Server Gate Cryptography secrets
Published: Sun, 29 Aug 2010 23:55:23 GMT
Padlock photo by Ralph Aichinger
Certification Authorities (CAs) offer two types of SSL certificate, one type includes Server Gate Cryptography (SGC) and is often promoted as a premium, or high security option and is charged at a much higher price than the non-SGC equivalent. So, it should be a no-brainer that you should buy the best, most expensive certificate you can afford to ensure the security of traffic with your website, shouldn't it?
Well, no.
Until late 1999, the United States were imposing restrictions on the export of strong cryptography which resulted in 'export versions' of Internet Explorer, Netscape and other web browsers which did not enable high encryption by default. Instead, browsing SSL sites with an 'export version' browser resulted in a connection which was encrypted with 40 or 56-bit encryption. A non-export version would negotiate 128-bit encryption.
To allow very sensitive sites to step-up the encryption to 128-bit even on an export version browser, special certificates were issued to authorised sites, for example government sites and financial institutions, which would unlock the high encryption functionality and allow 128-bit secure connections.
By 2000, the export restrictions were dropped and the international browser versions began supporting 128-bit encryption by default. At the same time, SGC certificates were offered to anyone who wanted them to allow older export browsers to use high encryption. For a few years after 2000, it made sense to use an SGC enabled certificate if you wanted to ensure everyone could access your site securely and it was worth paying a premium to ensure that your site was available to the maximum number of customers. Now, though, there are many fewer users with the old browsers, so you won't affect as many customers by removing the SGC capability.
But, it can't hurt to use an SGC certificate, can it?
*Well, yes. *
These old browsers (e.g. Internet Explorer 4.01 to 5.01, Netscape 4.07 to 4.72) are over 10 years old now, they have not received security updates or patches since 2000. The security patches which have been released for more modern browsers in the past ten years help to protect the system against keyloggers, viruses and other malware which can intercept data on the client, even if it is transmitted across the network securely encrypted. This means that the connection which is assumed to be secure by the user probably isn't, and malware in the browser could potentially be carrying out unauthorised transactions on your server using the client's credentials.
Worse still, the malware could hide the fraudulent transactions from the user so he never sees evidence of a problem. Updating these browsers to modern, secure versions is free and simple.
High-encryption packs are available from Microsoft for older operating systems - Windows 95, Windows 98, Windows NT and Windows 2000, and a huge variety of secure browsers are available for free download.
So, how many customers are likely to be unable to access my site when I move to non-SGC certificates?
In an Entrust Whitepaper on the subject from July 2009, the estimate is that 0.07% of browsers on the Internet would be affected, less than 1 in a thousand, and this number is likely to be even lower now. This small percentage of users who will be unable to connect to your site are unlikely to be surprised as more and more of the Internet will be becoming unavailable to them every day as other sites move away from these outdated certificates.
It really is time they dragged themselves into the 21st Century and spent 5 minutes upgrading their browsers to ensure their connection is secure. By making sites unavailable to them, you are doing your customers a favour by encouraging them to upgrade, and are helping to protect your other customers by making it harder for malware to get a foothold on your server. There is one very important change you need to make to your server though, ensure that weak encryption is not supported otherwise these old browsers will negotiate 40 or 56-bit connections with your server!