SGC Makes A Comeback
I got snailmail spam a couple of days ago that made me wonder if I’d wandered into a time warp. Verisign are trying to sell me Server-Gated Cryptography – for those who haven’t been around since the Dark Ages, this was a scheme where US export-strength crypto (i.e. damn weak) could be upgraded to full strength if the server had an SGC certificate.
I imagine that almost no-one runs browsers with this restriction anymore – anyone got statistics?
I also love this quote:
All VeriSign certificates offer 256-bit SSL encryption when both the server and browser support a 256-bit session.
This is totally meaningless. It’s like saying “all ACME seat covers offer 160 MPH where both car and fuel support 160 MPH”.
Well, I poked around in Google and Yahoo a bit and found a bunch of usage stats. Usage of I.E. 5 (128-bit crypto wasn’t available globally until 5.5sp2 IIRC) seems to be about 2%. The number is probably lower since most sites seem to aggregate 5.0 and 5.5 into one number. FWIW, I looked into this about 2 years ago when launching an ASP and the number seemed to be about 5% back then and we just decided that anyone who couldn’t handle 128-bit should just upgrade.
Comment by DM — 26 Jul 2006 @ 16:48
LOL 😉
Comment by Erik Abele — 26 Jul 2006 @ 23:54
Usage of IE 5.0-5.5 is now about 0.07% according to http://marketshare.hitslink.com/browser-market-share.aspx?qprid=2, and Verisign are *still* hawking overpriced SGC certs: http://www.verisign.co.uk/ssl/ssl-information-center/strongest-ssl-encryption/index.html
“Over a Trillion Times a Trillion Times Stronger”, no less. Crikey, that sounds impressive.
(Netscape up to v4.72 also supported SGC, but no-one still uses that.)
The SSL/TLS renegotiation attack may be the final overdue nail in SGC’s coffin, since servers patched against this attack might not interoperate with SGC browsers.
Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:15
Apparently the last version of IE to use SGC was 5.01, not 5.5, but the 0.07% market share figure was about right:
http://www.entrust.net/server-gated-crypto/index.htm
Comment by David-Sarah Hopwood — 13 Nov 2009 @ 8:24