
Say No To SGC SSL Certificates

SGC SSL Certificates, which enable older browsers to connect to a site using 128-bit encryption even if the normal browser encryption rate is 40-bit, seem to provide a great advantage to many sites. They usually cost significantly more and are only available from certain vendors. However, there are two strong arguments against using SGC SSL Certificates:

Old Browser Usage Is Very Low

Server Gated Cryptography was created in response to US government legislation on the export of strong cryptography in the 1990s. Microsoft developed Server Gated Cryptography and Netscape developed "step-up" technology to enable 128-bit SSL encryption with export browser versions. However, in 2000, US export law was changed to allow the export of strong crypto, and Microsoft released IE 5.5 and IE 5.0.1 SP1, which allow those browsers to connect at 128-bit without using an SGC SSL certificate.

Who uses Internet Explorer 5.0 and lower these days? Of course, it depends on who you ask, but let's look at some statistics (as of April, 2008): IE 5.x usage is 2.17%, IE 4 usage is 0.41%

W3 Schools: IE 5.x usage for March 2008 is 1.1% IE 5.x usage for March 2008 is less than 1% IE 5.x usage for December 2007 is 0.2%

Not very big numbers. You need to ask whether the extra money for an SGC SSL certificate is worth supporting that small percent of the market. Still, 1% of visitors can mean a lot of money to many businesses and no one wants to have to turn anyone away. But, there may be a far more important reason NOT to use SGC Certificates:

Allowing Older Browsers Encourages Their Use and Leaves Users Open to Countless Other Attacks

That's great that you can allow users of older browsers to connect to your website at a high encryption rate, but what about all the other security holes that those browsers have? Don't you want to protect them from those? What if someone decides to imitate your website in a phishing attack? Do you want users of older browsers to fall prey to that and then blame you? There are literally hundreds of security flaws in those older browsers that malware authors can take advantage of. Here is what Andrew Codrington thinks about SGC SSL Certificates:

Enabling Server Gated Crypto on your web servers is tantamount to aiding and abetting cyber criminals.

Wow! Why such harshness against SGC certificates? He explains:

The bad guys are able to install software on those older, unpatched systems that lives inside the browser or inside the operating system. That malicious software can log keystrokes or view submitted information before it is encrypted by SSL. The rogue software can then submit the collected information to a central place for aggregation and collection by the criminal group.

If you haven’t heard of botnets yet, that’s what we’re talking about here. They’re not new - if you’re a details person this three year old paper on botnets is a good introduction to the topic. Shadowserver Foundation has some interesting stats on bot counts and locations – today they’re showing ~110,000 infected systems. These are only the ones that are actively being controlled by a command and control server, and obviously they’re only the ones that they know of.

By requiring users to upgrade their browsers to one that supports 128-bit encryption without SGC SSL Certificates (Internet Explorer 5.0.1 SP1 and later), you will not only be better protecting your visitors from attacks on your own site, but you will be helping them protect themselves from attacks on all other websites. Certainly, that is worth more than what you receive from allowing users to believe they are secure when they really aren't?

Considering PayPal's recent harsh treatment of older browsers, we should all reconsider how much old, insecure technology we should allow. The choice is up to you, but we highly recommend that you Say No To SSL SGC Certificates.
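To put your own numbers behind the usage question raised earlier, the following added example (not part of the original article) tallies how many HTTPS requests in a server log negotiated less than 128-bit keys. It assumes a custom Apache mod_ssl log format, shown in the comment, and runs on constructed sample lines.

```python
import re
from collections import Counter

# Assumed Apache mod_ssl log format (an assumption, not from the article):
#   LogFormat "%h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%{User-Agent}i\""
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<proto>\S+) (?P<cipher>\S+) (?P<bits>\d+|-) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 TLSv1 RC4-MD5 128 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
192.0.2.11 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
192.0.2.12 TLSv1 AES256-SHA 256 "Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/2.0"
192.0.2.11 SSLv3 EXP-RC4-MD5 40 "Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)"
198.51.100.7 SSLv3 DES-CBC-SHA 56 "Mozilla/4.0 (compatible; MSIE 4.01; Windows 95)"
203.0.113.5 - - - "-"
this line is malformed
"""


def weak_connection_report(log_text, min_bits=128):
    """Summarise HTTPS requests whose negotiated key size is below min_bits."""
    total = weak = skipped = 0
    weak_clients = set()
    weak_ciphers = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # Plain-HTTP requests log "-" for the SSL fields; skip them and junk lines.
        if m is None or m["bits"] == "-":
            skipped += 1
            continue
        total += 1
        if int(m["bits"]) < min_bits:
            weak += 1
            weak_clients.add((m["ip"], m["ua"]))
            weak_ciphers[m["cipher"]] += 1
    return {
        "tls_requests": total,
        "weak_requests": weak,
        "weak_share_pct": round(100.0 * weak / total, 2) if total else 0.0,
        "distinct_weak_clients": len(weak_clients),
        "weak_ciphers": dict(weak_ciphers),
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    for key, value in weak_connection_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Counting distinct clients as well as requests keeps one busy legacy machine from inflating the share.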

Entrust has written an article including many of these same points in The Myth of Server-Gated Cryptography (SGC).

Originally posted on Sun Apr 20, 2008


Zammo McGuire (2014-12-13)


First I thought what is it, read the article, now I am torn between a YES and a NO. It is only 10 bucks more, but at $3.33 per letter (SGC) I wonder if it is worth it.


I agree with Kevin's opinion. I don't see how a site not having SGC makes any difference in getting users to upgrade their browser.

Users who aren't going to upgrade their browser will continue to surf with the added disadvantage of weak crypto. Unless they are explicitly denied by configuration (as Kevin mentioned), I don't see any difference that not having SGC would have apart from not providing a patch until these users upgrade by their own choice.


if you're attempting to be security purists, then just say no to SSL/TLS altogether. people are idiots when it comes to cryptography. despite popular belief, it isn't designed to protect sensitive data. it is designed to protect sensitive data...for a period of time. when that time runs out - the data is free-game.

if you're attempting to be practical about security usage, then the time coverage provided by encryption outlasts the life expectancy of the information (i.e. credit card expiration date).

all these bit-strength arguments encapsulating who is the better agent of well-being (someone who wants people to be protected through enforcement against a seemingly ever-increasing list of threat vectors vs. someone who wants people to do what they want) or the better agent of security practices are a bad wash replayed on spin-dry.




Thanks for the video, Zammo. Classic.


This article is absurd. It's similar to refusing to provide care to self-inflicted wounds due to the victim being partially at fault.

Most users of these SGC certificates maintain normal webservers, and don't mess around with configuration files to forcibly deny 40 bit encryption.

When given the choice to get free SGC certificates (which many CAs are doing) it's stupid to refuse. An old browser using 40 bit will have its built-in crypto bumped up to 128 bit, providing increased protection against intercept whereas without it they would be still submitting that same data over a 40 bit connection. The same vulnerabilities exist in any case but one has stronger in-transit protection.

Let's look at this Andrew Codrington fellow. He worked at Entrust, an organization who denounces SGC ssl, and who refuses to issue said certificates. Botnets are nothing new, and I can guarantee you that most browsers getting targeted these days aren't 90's era IE5. His blog post seems nothing more than propaganda of his (ex)-organization being passed off in his personal life. His opinions seem highly hypocritical to the needs of his current organization.

TL;DR - SGC is a GREAT free addition. It increases security for the few who aren't upgraded, and who would otherwise continue to browse your site with only 40 bit crypto. If it's free - get it - otherwise just skip it!


Kevin, you've simply made an ad hominem attack and failed to address the primary reason for using SGC: Allowing Older Browsers Encourages Their Use and Leaves Users Open to Countless Other Attacks. Even if it is free, it is not responsible to allow vulnerable browsers to be used.