SSL and Encryption Strength

Blane Warrene

I recently had the chance to speak with Andrew Kennard of Thawte (www.thawte.com), who answered some questions regarding SSL and browser encryption as a follow-up to my recent column Securing Apache 2 with SSL.

As a preface to Andrew’s comments, it should be noted that the use of older 40-bit and 56-bit encryption browsers is declining internationally as newer, low-cost machines with the latest browsers are purchased. However, Kennard does have a valid point in bringing this to our attention.

An assumption I made in the article that caught Andrew’s attention was my failure to mention that the encryption level even of a 128-bit SSL certificate can vary depending upon the browser accessing the secure server.

“This means that users may connect at 40-bit, 56-bit or 128-bit depending on the browser version they are using,” he said.

The majority of digital certificates operate in this manner, securing the connection from browser to server and back at whatever encryption strength the browser supports.

“It is important to understand this distinction as many CAs promote their certificates as 128-bit when in fact they will support sessions of varying encryption strength (128-bit being the strongest possible level of encryption),” Kennard added.
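Kennard's point can be measured on a running server. The following is an added example, not code from the original column: it tallies the effective key size of each session recorded in a mod_ssl request log and lists the sessions negotiated below 128 bits. The log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed mod_ssl log format (an assumption, not taken from the article):
#   CustomLog logs/ssl_request_log
#     "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x \"%r\""
LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<client>\S+) (?P<proto>\S+) '
    r'(?P<cipher>\S+) (?P<bits>\S+) "(?P<request>[^"]*)"$'
)

# Constructed sample lines: every client here was served the same certificate.
SAMPLE_LOG = """\
[12/Mar/2004:10:01:02 +0000] 192.0.2.10 SSLv3 RC4-MD5 128 "GET /checkout HTTP/1.1"
[12/Mar/2004:10:01:07 +0000] 192.0.2.44 SSLv3 EXP-RC4-MD5 40 "GET /checkout HTTP/1.0"
[12/Mar/2004:10:02:15 +0000] 198.51.100.7 TLSv1 DES-CBC-SHA 56 "POST /login HTTP/1.0"
[12/Mar/2004:10:03:30 +0000] 192.0.2.10 TLSv1 AES256-SHA 256 "GET /account HTTP/1.1"
[12/Mar/2004:10:04:00 +0000] 203.0.113.5 - - - "GET /robots.txt HTTP/1.0"
"""


def audit_sessions(log_text, min_bits=128):
    """Return (histogram of effective key sizes, sessions below min_bits)."""
    histogram, weak = Counter(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m["bits"].isdigit():
            continue  # unparsable line, or no SSL session was established ("-")
        bits = int(m["bits"])
        histogram[bits] += 1
        if bits < min_bits:
            weak.append((m["client"], m["proto"], m["cipher"], bits, m["request"]))
    return histogram, weak


if __name__ == "__main__":
    histogram, weak = audit_sessions(SAMPLE_LOG)
    for bits in sorted(histogram):
        print(f"{bits:>3}-bit sessions: {histogram[bits]}")
    for client, proto, cipher, bits, request in weak:
        print(f"WEAK {client} {proto} {cipher} ({bits}-bit) {request}")
```

The share of sessions that land in the 40-bit and 56-bit buckets shows how many visitors a server operator would affect by restricting the server to 128-bit ciphers.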

Some History

Past US legislation prohibited the export of 128-bit encryption technology. The result was browsers that support 40-bit and 56-bit encryption, which Kennard called ‘export’ browsers.

In 1997, the US government repealed its ban on 128-bit encryption. Today, however, there are still significant numbers of export-version browsers in use, mainly internationally but also in the United States.

Server Gated Cryptography

According to Kennard, CAs responded by developing Server Gated Cryptography, which steps up ‘export’ browsers to 128-bit encryption.

“Only a handful of CAs supply these certificates, so if you require the 128-bit encryption step-up capability, make sure you ask for SGC technology,” Kennard said.

Specialized Industry Needs

Kennard believes that SGC could also address the needs of companies in industries with legal or regulatory requirements to run strong encryption.

“In this case the use of SGC-enabled certificates would be the product of choice (rather than a standard digital certificate) as the SGC certificate represents the most proactive attempt to ensure that 128-bit encryption requirement is adhered to,” he added.

Frequently Asked Questions about SSL and Encryption Strength

What is the difference between 128-bit and 256-bit SSL encryption?

The primary difference between 128-bit and 256-bit SSL encryption lies in the length of the encryption key. A 128-bit encryption key is shorter and thus, theoretically, less secure than a 256-bit key. However, in practical terms, both are considered extremely secure. The longer key length of 256-bit encryption makes it exponentially more difficult for a hacker to crack, but it also requires more computational resources to implement.

Is 128-bit SSL encryption still secure?

Yes, 128-bit SSL encryption is still considered secure for most online transactions. It provides a high level of security that is sufficient for most everyday online interactions, such as online shopping or banking. However, for highly sensitive data, 256-bit encryption may be preferred due to its increased security.

How does SSL encryption work?

SSL encryption works by encrypting data that is transmitted over the internet, making it unreadable to anyone except the intended recipient. This is achieved through a process known as asymmetric encryption, where a public key is used to encrypt the data and a private key is used to decrypt it.

What is the role of SSL certificates in encryption?

SSL certificates play a crucial role in the encryption process. They contain the public key that is used to encrypt data, as well as information about the identity of the website owner. When a user connects to a website, the SSL certificate is used to establish a secure connection and encrypt any data that is transmitted.

How can I tell if a website is using SSL encryption?

You can tell if a website is using SSL encryption by looking at the URL of the website. If it begins with “https” instead of “http”, then the website is using SSL encryption. Additionally, most web browsers will display a padlock icon in the address bar to indicate that a website is secure.

Is 256-bit SSL encryption necessary for my website?

Whether or not 256-bit SSL encryption is necessary for your website depends on the nature of the data you are handling. For most websites, 128-bit encryption is sufficient. However, if you are handling highly sensitive data, such as credit card information or personal health information, you may want to consider using 256-bit encryption for added security.

How can I upgrade from 128-bit to 256-bit SSL encryption?

Upgrading from 128-bit to 256-bit SSL encryption typically involves purchasing and installing a new SSL certificate that supports 256-bit encryption. This process can vary depending on your web hosting provider, so it’s best to contact them for specific instructions.

Can SSL encryption slow down my website?

While SSL encryption does require some additional computational resources, the impact on website performance is generally minimal. In fact, many users will not notice any difference in speed. Furthermore, the benefits of providing a secure connection for your users far outweigh any potential drawbacks.

What is the future of SSL encryption?

The future of SSL encryption is likely to involve even stronger encryption methods and more widespread adoption. As cyber threats continue to evolve, so too will the methods used to protect against them. This could include the development of encryption keys that are even longer than 256 bits.

How can I ensure my SSL encryption is working correctly?

You can ensure your SSL encryption is working correctly by using an SSL checker tool. These tools can verify that your SSL certificate is installed correctly and that your website is properly configured to use SSL encryption.