Server Gated Cryptography (SGC) SSL

Background & Summary

SGC Certificates were introduced back in the 1990s as a way to enable 128-bit encryption in web browsers that were only capable of lower levels of encryption due to U.S. Government export regulations. At the time of their introduction, Server Gated Cryptography SSL certificates were issued only to the web servers of financial organizations so that when they engaged in transactions with browsers shipped outside the U.S. they could "bump up" the cryptographic strength of the SSL connection from 40 or 56 bits to 128 bits.

The full capabilities of encryption software in versions of Internet Explorer and Netscape Navigator destined for use outside the U.S. were disabled except when the browser connected to a financial institution's SGC-enabled server which could provide the key to unlock them, hence the term "Server-Gated Cryptography." However, by the late 1990s the U.S. Government had begun relaxing its encryption export policy, leading to the allowed use of 128-bit encryption in browsers without the need for SGC certificates.

Today very few people still use these old, intentionally disabled browsers, and there is no reason why they should. While one could argue that these users potentially receive some benefit from certificates using Server Gated Cryptography, the risks associated with encouraging the use of old browsers and SGC SSL certificates far outweigh the potential benefits.

Not only does the use of SGC-enabled SSL certificates facilitate the use of legacy browsers with heightened vulnerability to malicious software, but there are numerous alternatives more cryptographically secure than SGC that are less expensive and easy to implement.

DigiCert strongly recommends that server administrators currently running SGC SSL implementations replace them with DigiCert's Extended Validation Certificate and consider heightening server security settings.

Dangers of Facilitating the Use of Legacy Web Browsers

Legislation regulating the use of strong encryption was phased out beginning in 1999. Here are some facts that today's users of 40-bit or 56-bit browsers should be aware of:

  • Their web browsers and/or operating systems have not received necessary security updates since December 1999.
  • Hundreds of thousands of viruses, keyloggers, and other malicious software programs have been created and spread across the web, via websites and email, since their last browser or OS security update.
  • Exploitable vulnerabilities in their web browsers, many of which have since been remedied in newer versions, could readily be used to facilitate the criminal exploitation of sensitive information entered into online forms, regardless of any action taken by site administrators.
  • Users of these legacy browsers are many times more susceptible to malicious attacks than users who upgrade to more secure, modern web browsers.
  • Many of the steps that legacy browser users could take to reasonably protect themselves are simple, free, and readily available.

By allowing legacy web browsers to connect to their servers with SGC SSL certificates, server administrators enable a very small percentage of web users to access their sites, while putting the sensitive information that those users enter into their sites at heightened risk of misappropriation for malicious intent.

SGC No Longer the Answer

In the late 1990s SGC SSL Certificates provided 128-bit encryption when it would not have otherwise been available, and Certificate Authorities were acting in the best interest of server administrators and the people who used their websites alike.

However, today it is not only common but normal for browsers to provide 256-bit encryption without the use of SGC. "Older" web browsers encrypt at 128 bits, and lower encryption levels are all but unheard of.

It is the belief of DigiCert that many Certificate Authorities that actively market SGC certificates as an SSL "upgrade" are knowingly engaging in deceptive business practices, sacrificing the integrity of their certificate services in exchange for corporate profit.

The best protection a server administrator can offer to legacy browser users is to encourage them to upgrade to modern, secure browser versions. For most common server types, requiring more secure connections is as easy as clicking a checkbox.

By requiring 256-bit secure connections, server administrators help to keep their users' private data secure by motivating those users with less secure browsers to upgrade to a more secure computing environment.
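The server-side check behind "requiring 256-bit secure connections", as an added example that is not part of the original article: it builds a TLS server context from an assumed OpenSSL cipher string (not from the page) and enumerates the suites it actually enables, so an administrator can confirm that nothing below the chosen key strength is on offer. Modern OpenSSL no longer ships the 40/56-bit export suites SGC was designed around, so the check confirms the floor rather than hunting for them.

```python
import ssl

# Assumed cipher string (not from the page), in OpenSSL syntax: only AES-256
# with forward-secret ECDHE/DHE key exchange; anonymous, null, export,
# DES/RC4 and MD5 suites are excluded explicitly.
STRONG_CIPHERS = "ECDHE+AES256:DHE+AES256:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5"


def build_server_context(cipher_string=STRONG_CIPHERS):
    """Server-side TLS context that refuses TLS < 1.2 and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_strengths(ctx):
    """Map each enabled suite name to its symmetric key strength in bits."""
    return {c["name"]: c["strength_bits"] for c in ctx.get_ciphers()}


def suites_below(ctx, min_bits):
    """Enabled TLS 1.2-and-earlier suites whose key is shorter than min_bits.

    TLS 1.3 suites are fixed by the library and unaffected by set_ciphers(),
    so they are skipped here; they are all AES-GCM or ChaCha20 anyway.
    """
    return sorted(
        c["name"]
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3" and c["strength_bits"] < min_bits
    )


if __name__ == "__main__":
    strong = build_server_context()
    permissive = build_server_context("DEFAULT")
    print("sub-256-bit suites in hardened config:", suites_below(strong, 256))
    print("sub-256-bit suites in OpenSSL DEFAULT:", suites_below(permissive, 256))
```

The OpenSSL `DEFAULT` list still offers 128-bit AES suites, so the comparison shows what the stricter string removes.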

We recommend that all server administrators currently managing an SGC certificate replace it with an Extended Validation Certificate and require users of the older browsers that once relied on Server Gated Cryptography to upgrade, so that their connections are secured with 2048-bit SSL encryption.