In the competitive SSL marketplace, some certification authorities seek
to gain advantage by claiming that expensive Server-Gated Cryptography
(SGC) certificates are required for comprehensive website security.
The security benefit of SGC is negligible: SGC is not needed to
negotiate strong SSL/TLS encryption with virtually any browser in use
today.
Server Gated Cryptography (SGC) was created in response to United States
export controls on strong cryptography in the early 1990s. Those
controls limited software exported from the United States to weak
algorithms and short keys (in practice 40-bit symmetric ciphers and
512-bit RSA). Because the controls included an exception for financial
transactions, SGC was created as an extension to SSL, with SGC
certificates issued only to financial organisations. A small number of
"approved" CAs were authorised to issue SGC certificates; when an
export-grade browser connected to a site presenting such a certificate,
the browser "stepped up" to full-strength cryptography for that
connection only.
The export restrictions were substantially relaxed in January 2000, and
strong cryptography became broadly available in ordinary browser
releases. No browser version issued since that time requires SGC, and
most certification authorities no longer offer SGC-enabled SSL
certificates at all.
Therefore SGC certificates will only make a difference to connections
established from very old browsers. The market share of those browsers
is minuscule (they do not even register on many browser market share
surveys), and those same browsers carry other, unpatched
vulnerabilities that undermine whatever protection the encryption
provides.
Microsoft Internet Explorer 5.01 was the last IE version that required
SGC for 128-bit operation, and an update bringing it up to 128-bit
encryption has long been available on Microsoft Windows Update.
Netscape 4.74 was the last "step-up" version of the discontinued
Netscape browser. No browser that requires SGC is currently supported
by its vendor.
As such, a user who still requires SGC is running a defunct browser that
has received no security updates for the multitude of known
vulnerabilities fixed in later versions. Serving such a client poses a
significant risk to both the user and the organisation.
Moreover, the "Terms and Conditions" of most e-commerce websites require
users to run up-to-date browser software. The best solution for website
operators is to refuse these browser versions and ask their users to
upgrade. In practice a server that offers only TLS 1.2 or later already
refuses them at the handshake, since Netscape 4.x speaks at most SSL
3.0 and IE 5.01 at most TLS 1.0; an explicit block with an upgrade
notice is simply a friendlier way to deliver the same outcome.
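The following is an added example, not code from the original article,
showing one way to implement the recommended block in a WSGI
application. It recognises the two SGC-era browser families named
above, Internet Explorer up to 5.01 and Netscape up to 4.74, from the
User-Agent header and answers them with a 403 and an upgrade notice
instead of serving the site. The sample User-Agent strings, the
function names and the response text are all my own constructions; the
version cut-offs are the ones the article gives.

```python
"""Refuse SGC-era browsers (IE <= 5.01, Netscape <= 4.74) by User-Agent.

Added example for illustration; not part of the original article.
"""
import re
from typing import Optional, Tuple

# Last versions the article names as needing SGC for 128-bit operation.
# Versions are compared as decimals because Netscape's 4.8 followed 4.79,
# so a (major, minor) tuple comparison would order them wrongly.
LAST_SGC_VERSION = {"MSIE": 5.01, "Netscape": 4.74}

_MSIE_RE = re.compile(r"MSIE (\d+(?:\.\d+)?)")
_NETSCAPE4_RE = re.compile(r"^Mozilla/(4\.\d+)")

# Hypothetical notice text; adjust to taste.
UPGRADE_BODY = (
    b"Your browser is no longer supported by its vendor and cannot receive "
    b"security updates. Please install a current browser and try again."
)


def legacy_sgc_browser(user_agent: str) -> Optional[str]:
    """Return a label such as 'MSIE 5.01' if the User-Agent identifies a
    browser old enough to have required SGC, otherwise None."""
    ua = user_agent or ""
    if "Opera" in ua:
        # Old Opera builds spoof the MSIE token but never needed SGC.
        return None
    m = _MSIE_RE.search(ua)
    if m:
        version = float(m.group(1))
        return f"MSIE {m.group(1)}" if version <= LAST_SGC_VERSION["MSIE"] else None
    # Netscape 4.x announced itself as a bare "Mozilla/4.x [lang] (...)";
    # any other "Mozilla/4.0" string is a "compatible" UA from a newer browser.
    m = _NETSCAPE4_RE.match(ua)
    if m and "compatible" not in ua:
        version = float(m.group(1))
        return f"Netscape {m.group(1)}" if version <= LAST_SGC_VERSION["Netscape"] else None
    return None


def block_legacy_browsers(app):
    """WSGI middleware: answer SGC-era browsers with 403 and an upgrade
    notice; pass every other request through to the wrapped app."""
    def wrapped(environ, start_response):
        reason = legacy_sgc_browser(environ.get("HTTP_USER_AGENT", ""))
        if reason is None:
            return app(environ, start_response)
        headers = [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(UPGRADE_BODY))),
        ]
        start_response("403 Forbidden", headers)
        return [UPGRADE_BODY]
    return wrapped


def respond(user_agent: str) -> Tuple[str, bytes]:
    """Drive the middleware over a trivial app with a constructed request
    and return (status, body), so the behaviour can be checked offline."""
    def hello(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"welcome"]

    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"HTTP_USER_AGENT": user_agent}  # constructed WSGI environ
    body = b"".join(block_legacy_browsers(hello)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    for ua in (
        "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
        "Mozilla/4.74 [en] (Windows NT 5.0; U)",
        "Mozilla/5.0 (X11; Linux x86_64; rv:120.0) Gecko/20100101 Firefox/120.0",
    ):
        print(ua, "->", respond(ua)[0])
```

User-Agent strings are trivially forged, so treat this as a courtesy
to genuine users of abandoned browsers rather than as a security
control; the actual refusal of weak clients belongs in the TLS
configuration, where a TLS 1.2-or-later policy cannot be talked around
by editing a header.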