You Don't Need Server Gated Cryptography

Server Gated Cryptography (SGC) was created because of United States legislation on the export of cryptography in the 1990s. SGC allows very old browsers to use 128bit encryption where they’d normally use 40bit.

Verisign offers a SGC certificate for US $995 per year, so is it really worth it? I’ve been asked by a few eCommerce businesses why I haven’t opted for a SGC certificate for them, last week was no exception although these aren’t that frequent as this post makes it out to be. Hopefully in the future I can point someone here. :)

1. Browsers that support them have major security flaws:

Internet Explorer export browser versions from 3.02 but before version 5.5
Netscape export browser versions after 4.02 and up through 4.72
Windows 2000 systems shipped prior to March 2001 that have not downloaded Microsoft’s High Encryption Pack or Service Pack 2 and that use Internet Explorer

N.B. Internet Explorer browser versions prior to 3.02 and Netscape browser versions prior to 4.02 are not capable of 128-bit encryption with any SSL Certificate.

2. You can force SSL/TLS to require certain ciphers.

See these?
DHE_RSA_WITH_DES_CBC_SHA
RSA_WITH_DES_CBC_SHA
RSA_EXPORT_WITH_DES40_CBC_SHA
RSA_EXPORT_WITH_RC2_CBC_40_MD5
RSA_EXPORT_WITH_RC4_40_MD5
RC4_128_EXPORT40_WITH_MD5
RC2_128_CBC_EXPORT40_WITH_MD5
DES_64_CBC_WITH_MD5
Get rid of them and no one will be able to use bad crypto with your servers.

3. Those browsers don’t support most web technologies

Are you going to spend the effort creating an alternate site for the already insecure users who can’t browser your current site? Didn’t think so.

4. Are people with a badly outdated machine going to purchase anything from you?

So is the rare person (you’d need alot of site traffic, statistically speaking, to have a visitor that have a browser that old) with a machine 12+ years old going to purchase something that is going to make the $995 a year worth it? Are you running a software company and your software only runs on Windows 2000 SP4+ and the rest of the NT line up to Windows 7?

5. They cost much more

You can get an EV certificate for a tenth of the price of a SGC standard certificate if you know where to look. Is it really worth going with a SGC cert just to “secure” users who can’t navigate your site anyway?

6. They don’t make normal users any more secure

In fact browsers today can’t even use the flawed SSL2.

Just a tip: sometimes I come across someone asking if EV certificates support SGC, and yes some do.

Cheers,

Steve