Say No To SGC SSL Certificates

SGC SSL Certificates, which enable older browsers to connect to a site using 128-bit encryption even if the normal browser encryption rate is 40-bit, seem to provide a great advantage to many sites. They usually cost significantly more and are only available from certain vendors. However, there are two strong arguments against using SGC SSL Certificates:

Old Browser Usage Is Very Low

Server Gated Cryptography was created in response to US government legislation on the export of strong cryptography in the 1990s. Microsoft developed Server Gated Cryptography and Netscape developed "step-up" technology to enable 128-bit SSL encryption with export browser versions. However, in 2000, US export law was changed to allow the export of strong crypto, and Microsoft released IE 5.5 and IE 5.0.1 SP1, which allow those browsers to connect at 128-bit without using an SGC SSL certificate.
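Both mechanisms show up in a certificate as Extended Key Usage (EKU) OIDs, so you can audit whether a certificate you hold is an SGC certificate. The following Python is an added example, not code from the original article: it decodes a constructed EKU extension value and reports the Microsoft and Netscape SGC markers. The function names and the sample bytes are assumptions made for illustration.

```python
# Added example: detect SGC markers in a certificate's Extended Key Usage.
# EKU_DER is a constructed sample extension value, not taken from a real cert.
SGC_OIDS = {
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
}
EKU_DER = bytes.fromhex(
    "3021"
    "06082b06010505070301"      # serverAuth
    "060a2b0601040182370a0303"  # Microsoft SGC
    "06096086480186f8420401"    # Netscape SGC (step-up)
)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the end of one arc
            arcs.append(value)
            value = 0
    if not arcs or body[-1] & 0x80:
        raise ValueError("malformed OID")
    first = arcs[0]  # the first two arcs share one encoded value
    head = (first // 40, first % 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*head, *arcs[1:]))

def eku_oids(ext_value):
    """List every key-purpose OID in an EKU extension value (SEQUENCE OF OID)."""
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids

def sgc_markers(ext_value):
    """Return the names of any SGC key purposes present in the EKU."""
    return [SGC_OIDS[o] for o in eku_oids(ext_value) if o in SGC_OIDS]
```

A certificate whose EKU yields an empty list from `sgc_markers` is an ordinary server certificate and never triggers step-up.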

Who uses Internet Explorer 5.0 and lower these days? Of course, it depends on who you ask, but let's look at some statistics (as of April, 2008): IE 5.x usage is 2.17%, IE 4 usage is 0.41%

W3 Schools: IE 5.x usage for March 2008 is 1.1% IE 5.x usage for March 2008 is less than 1% IE 5.x usage for December 2007 is 0.2%

Not very big numbers. You need to ask whether the extra money for an SGC SSL certificate is worth supporting that small percent of the market. Still, 1% of visitors can mean a lot of money to many businesses and no one wants to have to turn anyone away. But, there may be a far more important reason NOT to use SGC Certificates:

Allowing Older Browsers Encourages Their Use and Leaves Users Open to Countless Other Attacks

That's great that you can allow users of older browsers to connect to your website at a high encryption rate, but what about all the other security holes that those browsers have? Don't you want to protect them from those? What if someone decides to imitate your website in a phishing attack? Do you want users of older browsers to fall prey to that and then blame you? There are literally hundreds of security flaws in those older browsers that malware authors can take advantage of. Here is what Andrew Codrington thinks about SGC SSL Certificates:

Enabling Server Gated Crypto on your web servers is tantamount to aiding and abetting cyber criminals.

Wow! Why such harshness against SGC certificates? He explains:

The bad guys are able to install software on those older, unpatched systems that lives inside the browser or inside the operating system. That malicious software can log keystrokes or view submitted information before it is encrypted by SSL. The rogue software can then submit the collected information to a central place for aggregation and collection by the criminal group.

If you haven’t heard of botnets yet, that’s what we’re talking about here. They’re not new - if you’re a details person this three year old paper on botnets is a good introduction to the topic. Shadowserver Foundation has some interesting stats on bot counts and locations – today they’re showing ~110,000 infected systems. These are only the ones that are actively being controlled by a command and control server, and obviously they’re only the ones that they know of.

By requiring users to upgrade their browsers to one that supports 128-bit encryption without SGC SSL Certificates (Internet Explorer 5.0.1 SP1 and later), you will not only be better protecting your visitors from attacks on your own site, but you will be helping them protect themselves from attacks on all other websites. Certainly, that is worth more than what you receive from allowing users to believe they are secure when they really aren't?

Considering PayPal's recent harsh treatment of older browsers, we should all reconsider how much old, insecure technology we should allow. The choice is up to you, but we highly recommend that you Say No To SSL SGC Certificates.

Entrust has written an article including many of these same points in The Myth of Server-Gated Cryptography (SGC).


Posted on April 19, 2008
Posts: 5
Re: Say YES to SGC SSL
Reply #7 on : Thu July 25, 2013, 11:09:35
I agree with Kevin's opinion. I don't see how a site not having SGC makes any difference in getting users to upgrade their browser.

Users who aren't going to upgrade their browser will continue to surf with the added disadvantage of weak crypto. Unless they are explicitly denied by configuration (as Kevin mentioned), I don't see any difference that not having SGC would have apart from not providing a patch until these users upgrade by their own choice.
Posts: 5
I'M Torn
Reply #6 on : Sat March 09, 2013, 16:46:04
First I thought what is it, read the article, now I am torn between a YES and a NO. It is only 10 bucks more, but at $3.33 per letter (SGC) I wonder if it is worth it.
Posts: 2
Re: Say YES to SGC SSL.
Reply #5 on : Wed November 09, 2011, 06:59:39
Kevin, you've simply made an ad hominem attack and failed to address the primary reason for using SGC: Allowing Older Browsers Encourages Their Use and Leaves Users Open to Countless Other Attacks. Even if it is free, it is not responsible to allow vulnerable browsers to be used.
Posts: 5
Reply #4 on : Sat November 05, 2011, 20:34:18
This article is absurd. It's similar to refusing to provide care to self-inflicted wounds due to the victim being partially at fault.

Most users of these SGC certificates maintain normal webservers, and don't mess around with configuration files to forcibly deny 40 bit encryption.

When given the choice to get free SGC certificates (which many CAs are doing) it's stupid to refuse. An old browser using 40 bit will have its built-in crypto bumped up to 128 bit, providing increased protection against intercept whereas without it they would be still submitting that same data over a 40 bit connection. The same vulnerabilities exist in any case but one has stronger in-transit protection.

Let's look at this Andrew Codrington fellow. He worked at Entrust, an organization who denounces SGC ssl, and who refuses to issue said certificates. Botnets are nothing new, and I can guarantee you that most browsers getting targeted these days aren't 90's era IE5. His blog post seems nothing more than propaganda of his (ex)-organization being passed off in his personal life. His opinions seem highly hypocritical to the needs of his current organization.

TL;DR - SGC is a GREAT free addition. It increases security for the few who aren't upgraded, and who would otherwise continue to browse your site with only 40 bit crypto. If it's free - get it - otherwise just skip it!
Posts: 2
Re: Just say no
Reply #3 on : Wed May 04, 2011, 21:45:08
Thanks for the video, Zammo. Classic.
Zammo McGuire
Posts: 5
Just say no
Reply #2 on : Wed May 04, 2011, 09:46:43
Posts: 5
Say No To SGC SSL Certificates
Reply #1 on : Fri March 20, 2009, 02:51:14
