While I am here and in the mood to post something, I decided to transfer a post I created about a year ago about SGC certificates. It was part of my supervisor test. It was also originally posted using WordPress on https://ncsslcs.wordpress.com, created specifically for this purpose. Today I was quite surprised that I still remember the password. However, I believe that it is due to the fact that before attending the company workshop on Internet security, I was using the same set of passwords. 🙂

So I removed it from the wordpress.com site and brought it here. Not that I care greatly about Google SEO ranking and this stuff, but articles with the same title are not that uncommon on the web, taking into account that for some time it has been one of three possible articles one can choose on the SSL supervisor test.

So SGC (Server Gated Cryptography) is one of the legacy technologies used in the SSL certificates sphere. More information is in the original post below:


 

Among the list of SSL Certificates that are offered by Namecheap one may notice several SSL certificates that support SGC. So what is SGC then?

To understand what this term means and what it was created for, let us look back into the history of cryptography. In the 1990s, the US government imposed restrictions on exporting strong cryptography to other countries. The restriction meant that software implementing SSL, such as web browsers, operating systems and web servers, had to limit encryption to weak algorithms and shorter key lengths if it was used outside the United States. Therefore some versions of browsers from Netscape and Microsoft intended for export (use outside of the USA) were supplied with strong cryptography code included but disabled by default, so that the handshake between the server and the client could establish only 40-bit or 56-bit encryption.

Server Gated Cryptography (SGC) was created as an extension to SSL for such export versions of web browsers. It allowed such a browser to use stronger 128-bit SSL encryption instead of the standard 40/56-bit when connecting to a site. Here is what happens during the handshake:

[Image: SGC]

Under US export laws, SGC certificates could be issued only to eligible financial institutions, so that customers all over the world could safely carry out online transactions with strong encryption, greater privacy and reduced risk of fraud and identity theft. A limited number of Certificate Authorities were authorized to issue such special certificates, which could unlock stronger cryptography levels when communicating with sites that had SGC SSL Certificates installed.
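As an added example (not part of the original post): what marks a certificate as SGC is its extended key usage extension, which carries the Netscape and/or Microsoft SGC OID. The code below scans DER bytes for those OIDs when auditing certificates for this legacy marker; the sample bytes are constructed, and the input is assumed to be well-formed DER.

```python
SGC_EKUS = {  # the two SGC extended key usage OIDs, named as OpenSSL prints them
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
}
EKU_EXT_OID = "2.5.29.37"  # id-ce-extKeyUsage
SAMPLE_SGC = bytes.fromhex(  # constructed Extensions fragment, not a full cert
    "302c302a0603551d2504233021"
    "06082b06010505070301"       # serverAuth
    "06096086480186f8420401"     # Netscape SGC
    "060a2b0601040182370a0303")  # Microsoft SGC

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def walk(buf):
    """Yield every (tag, value), descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val
        if tag & 0x20:
            yield from walk(val)

def decode_oid(body):
    """Turn the content bytes of a DER OID into dotted notation."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear: last byte of this arc
            arcs, val = arcs + [val], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def sgc_ekus(der):
    """Names of SGC EKUs in a DER certificate or extensions blob."""
    found, in_eku = [], False
    for tag, val in walk(der):
        if tag == 0x06:  # an OID: is it the extKeyUsage extension id?
            in_eku = decode_oid(val) == EKU_EXT_OID
        elif tag == 0x04 and in_eku:  # extnValue wraps SEQUENCE OF OID
            oids = [decode_oid(v) for t, v in walk(val) if t == 0x06]
            found += [SGC_EKUS[o] for o in oids if o in SGC_EKUS]
            in_eku = False
    return found
```

Calling `sgc_ekus(SAMPLE_SGC)` returns both SGC names; a certificate whose extended key usage lists only serverAuth returns an empty list.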

However, US export law was changed in January 2000 and the restrictions on exporting strong cryptography were removed. This allowed all new versions of browsers to use strong cryptography without SGC (provided that the server supports strong cryptography too).

The following browsers and operating systems require SGC certificates to establish strong encryption:

  • MS Internet Explorer export browser versions from 3.02 to 5.01
  • Netscape Communicator export browser versions from 4.02 to 4.72
  • Windows 2000 systems released before March 2001 without Microsoft’s High Encryption Pack or Service Pack 2 that use Internet Explorer

Internet Explorer versions prior to 3.02 and Netscape versions prior to 4.02 are not able to establish 128-bit encryption with any SSL certificate. All versions later than 5.01 and 4.72 for IE and Netscape respectively do not require SGC for connection with strong 128/256-bit encryption.

The main purpose of Server Gated Cryptography is rather clear; however, the share of legacy browser usage worldwide is now less than 0.1%. Moreover, old browser versions have other drawbacks that heavily outweigh the benefits of SGC. Legacy browsers have not received required security updates since the previous millennium; SGC will upgrade the weak encryption but will not protect against the thousands of viruses, keylogger exploits and other malicious software that have been created and spread across the web. These browsers are much more exposed to malicious attacks than upgraded versions and modern web browsers. One more point against SGC browsers is that they do not recognize the latest classification of SSL certificates. For instance, Extended Validation certificates were implemented 7 years after the last SGC browser was released, and the green bar for EV SSLs will not be shown in such a legacy browser. Besides, SGC certificates are typically more expensive than standard ones.

Taking into account the above-mentioned – the low usage of and high risks of SGC browsers – I would say the game is not worth the candle. Server Gated Cryptography is rather a myth now than a solution. That is why Certificate Authorities, browser vendors and site owners should encourage their clients to use the latest software to ensure strong encryption and be safe from various security threats.


Here it goes. Does not look like a valuable thing at present, does it? Thawte CA has already taken measures to discontinue the usage of their only SGC certificate (Thawte SGC SuperCert). I think nobody will ever miss it!