Links

Ben Laurie blathering

«
»

SGC Makes A Comeback

I got snailmail spam a couple of days ago that made me wonder if I’d wandered into a time warp. Verisign are trying to sell me Server-Gated Cryptography – for those who haven’t been around since the Dark Ages, this was a scheme where US export-strength crypto (i.e. damn weak) could be upgraded to full strength if the server had an SGC certificate.

I imagine that almost no-one runs browsers with this restriction anymore – anyone got statistics?

I also love this quote

All VeriSign certificates offer 256-bit SSL encryption when both the server and browser support a 256-bit session.

This is totally meaningless. Its like saying “all ACME seat covers offer 160 MPH where both car and fuel support 160 MPH”.

This entry was posted on Wednesday, July 26th, 2006 at 14:23 and is filed under Crypto, Rants. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.

4 Comments

  1. Well I poked around in google and yahoo a bit and found a bunch of usage stats. Usage of I.E. 5 (128bit crypto wasn’t available globally until 5.5sp2 IIRC) seems to be about 2%. The number is probably lower since most sites seem to aggregate 5.0 and 5.5 into one number. FWIW, I looked into this about 2 years ago when launching an ASP and the number seemed to be about 5% back then and we just decided that anyone who couldn’t handle 128bit should just upgrade.

    Comment by DM — 26 Jul 2006 @ 16:48

  2. LOL 😉

    Comment by Erik Abele — 26 Jul 2006 @ 23:54

  3. Usage of IE 5.0-5.5 is now about 0.07% according to http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2 , and Verisign are *still* hawking overpriced SGC certs: http://www.verisign.co.uk/ssl/ssl-information-center/strongest-ssl-encryption/index.html

    “Over a Trillion Times a Trillion Times Stronger”, no less. Crikey, that sounds impressive.

    (Netscape up to v4.72 also supported SGC, but no-one still uses that.)

    The SSL/TLS renegotiation attack may be the final overdue nail in SGC’s coffin, since servers patched against this attack might not interoperate with SGC browsers.

    Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:15

  4. Apparently the last version of IE to use SGC was 5.01, not 5.5, but the 0.07% market share figure was about right:
    http://www.entrust.net/server-gated-crypto/index.htm

    Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:24

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress