Links

Ben Laurie blathering


SGC Makes A Comeback

I got snailmail spam a couple of days ago that made me wonder if I’d wandered into a time warp. Verisign are trying to sell me Server-Gated Cryptography – for those who haven’t been around since the Dark Ages, this was a scheme where US export-strength crypto (i.e. damn weak) could be upgraded to full strength if the server had an SGC certificate.

I imagine that almost no-one runs browsers with this restriction anymore – anyone got statistics?

I also love this quote

All VeriSign certificates offer 256-bit SSL encryption when both the server and browser support a 256-bit session.

This is totally meaningless. Its like saying “all ACME seat covers offer 160 MPH where both car and fuel support 160 MPH”.

4 Comments

  1. Well I poked around in google and yahoo a bit and found a bunch of usage stats. Usage of I.E. 5 (128bit crypto wasn’t available globally until 5.5sp2 IIRC) seems to be about 2%. The number is probably lower since most sites seem to aggregate 5.0 and 5.5 into one number. FWIW, I looked into this about 2 years ago when launching an ASP and the number seemed to be about 5% back then and we just decided that anyone who couldn’t handle 128bit should just upgrade.

    Comment by DM — 26 Jul 2006 @ 16:48

  2. LOL 😉

    Comment by Erik Abele — 26 Jul 2006 @ 23:54

  3. Usage of IE 5.0-5.5 is now about 0.07% according to http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2 , and Verisign are *still* hawking overpriced SGC certs: http://www.verisign.co.uk/ssl/ssl-information-center/strongest-ssl-encryption/index.html

    “Over a Trillion Times a Trillion Times Stronger”, no less. Crikey, that sounds impressive.

    (Netscape up to v4.72 also supported SGC, but no-one still uses that.)

    The SSL/TLS renegotiation attack may be the final overdue nail in SGC’s coffin, since servers patched against this attack might not interoperate with SGC browsers.

    Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:15

  4. Apparently the last version of IE to use SGC was 5.01, not 5.5, but the 0.07% market share figure was about right:
    http://www.entrust.net/server-gated-crypto/index.htm

    Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:24

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress