Articles in Root

Server-Gated Cryptography (SGC) browsers pose security risks


In the competitive SSL marketplace, some certification authorities seek to gain advantage by claiming that expensive Server-Gated Cryptography (SGC) certificates are required for comprehensive website security. However the security benefit from using SGC is questionable, as SGC is not required to enable strong SSL security for virtually all browsers in use today.

Server Gated Cryptography (SGC) was created in response to United States federal legislation on the export of strong cryptography in the early 1990s. The legislation had limited encryption to weak algorithms and shorter key lengths if used in software outside of the United States.

As the legislation included an exception for financial transactions, SGC was created as an extension to SSL, with SGC certificates only issued to financial organisations. A small number of "approved" CA's were authorised to issue SGC certificates would unlock strong cryptographic capabilities when communicating with the websites of approved organisations using SGC SSL.

The cryptography restraints were repealed in January 2000, and SGC was made broadly available. However, SGC is not required for any browser version issued since that time. Most certification authorities do not offer SGC-enabled SSL certificates.

Therefore SGC certificates will only make a difference to connections established from very old browsers. The market share of those older browsers is miniscule (not even registering on many browser market share surveys), and at the same time those older browsers contain other vulnerabilities that render encryption irrelevant.

Microsoft Internet Explorer version 5.01 was the last IE version requiring SGC for 128-bit operation, and a longstanding update has been available on Microsoft Windows Update to bring it up to 128-bit encryption. 4.74 was the last “step up” version of the discontinued Netscape browser. No browsers that require SGC are currently supported by their vendors.

As such, a user who still requires SGC is using a defunct browser that has not had security updates to address a multitude of known vulnerabilities that have been closed in more recent versions. This poses a significant risk to both the user and the organization.

Moreover, the "Terms and Conditions" of most e-commerce websites require users to have up-to-date browser software.  The best solution for website operators is to block older browser versions and request that users update their software.