What is weak SSL encryption?

Avoid Weak VeriSign SSL Encryption

VeriSign's homepage recently featured a graphic advising visitors to avoid "Weak VeriSign SSL Encryption". What is that supposed to mean? Do they offer specialized certificates that make the encryption stronger? No.

Practically all SSL certificates work with strong and weak encryption.

Reality check: the strength of an encrypted SSL connection is determined by the web server and the browser. The server specifies which encryption types and strengths it is willing to use, the client's browser does the same, and the two agree on an encryption type and strength. Whether you buy a $20 domain-validated GoDaddy SSL Certificate or a $1500 VeriSign EV SSL Certificate, you can secure the connection at 40-bit (weak) or 256-bit (very strong) just by configuring the server.

Andrew Codrington recently mentioned this and stated:

The only case I'm aware of where a special certificate influences the available cryptography in SSL sessions is with ancient Server Gated Crypto certificates. I've written about Server Gated Crypto (SGC) before, but since VeriSign are still beating that dead horse, I'll follow their lead.
SGC certificates 'step up' the cryptographic strength of SSL sessions from 40-bit DES to 128-bit for web browsers that fit these criteria:
  • International Versions of IE and Netscape browsers
  • Unpatched since approximately 2001
We can't know for sure how many of these there are, but my guess is much less than 1% of deployed browsers fit these criteria.

Server Gated Cryptography certificates are clearly rarely, if ever, needed. This means that the strength of your SSL connection practically always depends on your server configuration and not on the SSL certificate you are using.
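The negotiation described in the "reality check" paragraph, and the 40-bit versus 128-bit "step up" in the quoted SGC passage, both come down to one selection step in the handshake: the server and the client each bring a list of cipher suites, and the first mutually supported one (in the preferred side's order) is used. The following added example, which is not code from the original post, models that step as a pure function of the two lists; the suite names follow OpenSSL's naming, but the key sizes in the catalogue and the server/client lists are constructed for illustration. Note that the certificate never appears as an input.

```python
"""Added example (not from the original post): models the cipher-suite
selection step of the SSL/TLS handshake as a pure function of the server's
and the client's configured lists.  The certificate is deliberately not an
input, which is the post's point.  Suite names follow OpenSSL's naming; the
key sizes and the client/server lists are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Cipher:
    name: str
    key_bits: int  # symmetric key length used for the record layer


# Constructed catalogue of the suites used below (EXP-* are the old 40-bit export suites).
CATALOG = {
    "AES256-SHA": Cipher("AES256-SHA", 256),
    "AES128-SHA": Cipher("AES128-SHA", 128),
    "RC4-SHA": Cipher("RC4-SHA", 128),
    "DES-CBC-SHA": Cipher("DES-CBC-SHA", 56),
    "EXP-RC4-MD5": Cipher("EXP-RC4-MD5", 40),
    "EXP-DES-CBC-SHA": Cipher("EXP-DES-CBC-SHA", 40),
}

# Constructed configurations.  PERMISSIVE_SERVER is a server that still allows
# 40-bit suites; HARDENED_SERVER allows only 128-bit and stronger.
PERMISSIVE_SERVER = ["AES256-SHA", "AES128-SHA", "RC4-SHA", "DES-CBC-SHA", "EXP-RC4-MD5"]
HARDENED_SERVER = ["AES256-SHA", "AES128-SHA"]
MODERN_CLIENT = ["AES128-SHA", "AES256-SHA"]          # lists 128-bit first
LEGACY_CLIENT = ["EXP-RC4-MD5", "EXP-DES-CBC-SHA"]    # export-only browser


def negotiate(server_prefs: Sequence[str], client_offers: Sequence[str],
              server_preference: bool = True) -> Optional[str]:
    """Return the suite a handshake settles on, or None if there is no overlap.

    With server_preference=True the server walks its own list in order and
    takes the first suite the client also offered; otherwise the client's
    order wins.  Nothing about the certificate is consulted.
    """
    if server_preference:
        ordered, offered = server_prefs, set(client_offers)
    else:
        ordered, offered = client_offers, set(server_prefs)
    for name in ordered:
        if name in offered:
            return name
    return None


def key_bits(name: str) -> int:
    """Key length of a suite from the constructed catalogue."""
    return CATALOG[name].key_bits


def weak_suites(configured: Sequence[str], minimum_bits: int = 128) -> list:
    """Audit a server list: suites whose key length is below the floor.

    Key length is only one axis; a 128-bit RC4 suite passes this check but is
    still a poor choice for other reasons, so treat this as a first filter.
    """
    return [n for n in configured if CATALOG[n].key_bits < minimum_bits]


if __name__ == "__main__":
    for server, label in ((PERMISSIVE_SERVER, "permissive"), (HARDENED_SERVER, "hardened")):
        for client, who in ((MODERN_CLIENT, "modern"), (LEGACY_CLIENT, "legacy")):
            chosen = negotiate(server, client)
            bits = f"{key_bits(chosen)}-bit" if chosen else "handshake fails"
            print(f"{label:10s} server + {who:6s} client -> {chosen} ({bits})")
    print("weak suites on permissive server:", weak_suites(PERMISSIVE_SERVER))
```

Run as a script it shows the permissive server handing a 40-bit suite to the legacy client and a 256-bit suite to the modern one, while the hardened server refuses the legacy client outright. On a real server the equivalent of PERMISSIVE_SERVER is the configured cipher list (Apache mod_ssl's SSLCipherSuite directive, for example), and removing the EXP-* entries from it is exactly the "configuring the server" the post refers to; no change of certificate is involved.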

For information about SGC Certificates, read Say No To SGC SSL Certificates.

Originally posted on Sun Nov 18, 2007