Server Gated Cryptography (SGC) SSL Certificates

Server Gated Cryptography (SGC) SSL Certificates, which enable older browsers to connect to a site using 128-bit encryption even if the browser only supports 40-bit encryption, seem to provide a great advantage to many sites. But, to understand this apparent advantage, we need to understand a bit more about SGC:

Server Gated Cryptography was created in response to US government legislation banning the export of strong cryptography in the 1990’s. The legislation limited encryption to weak algorithms and shorter key lengths if used in software outside of the United States. As the legislation included an exception for financial transactions, SGC was created as an extension to SSL, with SGC certificates only issued to financial organisations. (This legislation was revoked and SGC certificates can now be issued to any organisation.)

When an SSL handshake takes place, the web browser lists the ciphers that it supports. Although the weaker export browsers would only offer weaker ciphers and shorter key lengths in their SSL handshake, the browsers did also contain the stronger cryptographic algorithms; an SGC certificate was the trigger that allowed them to be used. For example, Internet Explorer used SGC with 40-bit and 128-bit encryption starting with patched versions of Internet Explorer version 3, version 4, and version 5+.

However, in 2000, US export law was changed to allow the export of strong cryptography, and the browsers that used SGC (i.e., Microsoft IE version 3, version 4, and version 5) became obsolete: Microsoft released IE 5.5 and IE 5.0.1 SP1. (Both of these browsers are able to connect using 128-bit encryption without using an SGC SSL certificate.)
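SGC capability is signalled in the server certificate by specific extended-key-usage OIDs (the standard Microsoft and Netscape SGC identifiers). As an added example that is not part of the original article, the following pure-Python check parses a DER-encoded ExtendedKeyUsage extension value and reports any SGC marker, so you can tell whether a certificate you hold or are being offered carries this legacy flag; the sample extension bytes are constructed for the example.

```python
# Added example: detect legacy SGC extended-key-usage OIDs in a DER-encoded
# ExtendedKeyUsage extension value. Pure Python, no third-party packages.
# The two OIDs below are the standard Microsoft and Netscape SGC identifiers;
# SAMPLE_EKU is constructed by hand for this example.

SGC_OIDS = {
    "1.3.6.1.4.1.311.10.3.3": "Microsoft Server Gated Crypto",
    "2.16.840.1.113730.4.1": "Netscape Server Gated Crypto",
}

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Decode DER OID content octets into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # last octet of this sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def parse_eku(der):
    """Return the dotted OIDs listed in an ExtendedKeyUsage extension value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("ExtendedKeyUsage must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, raw, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside ExtendedKeyUsage")
        oids.append(_decode_oid(raw))
    return oids

def find_sgc(der):
    """Names of any SGC purposes present; an empty list means no SGC marker."""
    return [SGC_OIDS[o] for o in parse_eku(der) if o in SGC_OIDS]

# Constructed sample: SEQUENCE { serverAuth, Microsoft SGC, Netscape SGC }
SAMPLE_EKU = bytes.fromhex(
    "3021" "06082b06010505070301" "060a2b0601040182370a0303" "06096086480186f8420401")

if __name__ == "__main__":
    for oid in parse_eku(SAMPLE_EKU):
        print(oid, "(legacy SGC marker)" if oid in SGC_OIDS else "")
```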

So, before purchasing an SGC certificate, you should ask one simple question: who uses Internet Explorer 5.0 and lower these days? Of course, it depends on whom you ask, but let’s look at some statistics from a very long time ago (as of April 2008):

