The Myth of Server-Gated Cryptography (SGC)
As security vendors compete for market share for SSL certificate sales, some attempt to gain a better foothold by claiming that expensive Server-Gated Cryptography (SGC) certificates are required for 128-bit security. This just isn't the case. SGC is not required to enable 128-bit security for virtually all browsers deployed today.
In fact, supporting browsers that require SGC can introduce serious security risks to an organization. These older browser versions that do require SGC, sometimes referred to as "export-strength" or 40-bit browsers, can represent an increased security vulnerability. Most users who still require SGC are using Web browsers that have not been updated with critical security upgrades.
Whether deploying standard or extended validation (EV) certificates, SSL certificates should support 128- or 256-bit security to provide confidentiality of information traveling via the Internet. What does this mean? Basically, a secure session between a browser and server is encrypted with a 128- or 256-bit key to prevent information from being intercepted and decoded. SSL certificates from Entrust support both 128- and 256-bit security.
According to industry statistics¹, more than 99.6 percent of browsers in use today support either 128- or 256-bit encryption without SGC. For the few users whose older browsers would require SGC, converting is straightforward, with upgrade packs available for most browsers. For this reason, premium-priced "step-up" Web server certificates for SGC support are risky and no longer necessary.
For example, Microsoft Internet Explorer version 5.0.1 — only used by 0.06 percent of the population² — was the last IE version requiring SGC for 128-bit operation, and a longstanding update has been available on Microsoft Windows Update to bring it up to 128-bit encryption.
As such, a user who still requires SGC is using a Web browser that has not had security updates to address the multitude of other identified security issues. This poses a significant risk to both the user and the organization.
EV certificates alone are superior to SGC certificates ... or a combination of EV with SGC certificates. Why? EV certificates require the end-user to use a browser protected by at least 128-bit encryption for SSL security.
This requirement ensures the consumer is using a relatively up-to-date browser (eliminating the need for SGC), thus making the user's Internet session, as well as the organization using the EV SSL certificate, more secure from the outset.
Do you believe it's worth introducing serious security vulnerabilities, not to mention paying an unnecessary premium, to offer the illusion of security to less than 1 percent of the Internet population? Neither does Entrust.

