I recently had the chance to speak with Andrew Kennard of Thawte (www.thawte.com), who answered some questions regarding SSL and browser encryption as a follow-up to my recent column, Securing Apache 2 with SSL.
As a preface to Andrew's comments, it should be noted that the use of older 40-bit and 56-bit "export" browsers is declining internationally as newer, low-cost machines shipping with current browsers are purchased. Kennard's point is nonetheless a valid one and worth bringing to readers' attention.
An assumption I made in the article that caught Andrew's attention was my failure to mention that the encryption strength of a session, even with a 128-bit SSL certificate installed, can vary depending upon the browser accessing the secure server.
“This means that users may connect at 40-bit, 56-bit or 128-bit depending on the browser version they are using,” he said.
The majority of digital certificates operate in this manner. The certificate itself does not fix the encryption strength: the cipher, and with it the session key length, is negotiated between browser and server at the start of each connection, so a session can only be as strong as the strongest cipher both sides support.
“It is important to understand this distinction as many CAs promote their certificates as 128-bit when in fact they will support sessions of varying encryption strength (128-bit being the strongest possible level of encryption),” Kennard added.
Past US export regulations prohibited the export of software containing 128-bit encryption, which produced the browsers Kennard calls 'export' browsers: versions limited to 40-bit and 56-bit ciphers.
The US government relaxed those controls in stages during the late 1990s, and the rules permitting 128-bit encryption in mass-market software took effect in January 2000. Today, however, there are still significant numbers of export-version browsers in use, mainly internationally but also in the United States.
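Before deciding whether export browsers matter for a given site, it helps to measure how many sessions actually negotiate 40-bit or 56-bit ciphers. The script below is an added example, not code from the column or from Thawte; it assumes Apache's mod_ssl is logging the negotiated protocol and cipher with the CustomLog format from the mod_ssl documentation (`"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"`), and the log lines it processes are constructed for the example. It maps OpenSSL cipher names to their effective symmetric key length and flags every session that came in below 128 bits.

```python
import re
from collections import Counter

# Constructed sample entries in the format produced by mod_ssl's documented
# CustomLog example:  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# These are made-up lines for the example, not captured traffic.
SAMPLE_LOG = """\
[10/Mar/2003:09:12:01 +0000] 192.0.2.10 SSLv3 RC4-MD5 "GET /login HTTP/1.1" 2345
[10/Mar/2003:09:12:05 +0000] 192.0.2.11 SSLv3 EXP-RC4-MD5 "GET /login HTTP/1.0" 2345
[10/Mar/2003:09:13:44 +0000] 192.0.2.12 TLSv1 EXP1024-DES-CBC-SHA "POST /checkout HTTP/1.1" 512
[10/Mar/2003:09:14:02 +0000] 192.0.2.13 TLSv1 DES-CBC3-SHA "GET /account HTTP/1.1" 8192
[10/Mar/2003:09:15:30 +0000] 192.0.2.14 TLSv1 AES128-SHA "GET /account HTTP/1.1" 8192
"""

LINE_RE = re.compile(
    r'^\[(?P<time>[^\]]+)\] (?P<host>\S+) (?P<proto>\S+) (?P<cipher>\S+) '
    r'"(?P<request>[^"]*)" (?P<bytes>\S+)$'
)


def cipher_key_bits(cipher):
    """Effective symmetric key length for an OpenSSL cipher suite name.

    Export suites: an EXP- prefix means 40-bit, EXP1024- means 56-bit.
    Non-export suites: single DES is 56, 3DES is 168, RC4 and AES128 are 128,
    AES256 is 256. Returns None for names this table does not recognise, so
    an unknown suite is never silently counted as strong.
    """
    if cipher.startswith("EXP1024-"):
        return 56
    if cipher.startswith("EXP-"):
        return 40
    if "DES-CBC3" in cipher:
        return 168
    if "DES-CBC-" in cipher:          # single DES, e.g. DES-CBC-SHA
        return 56
    if "AES256" in cipher:
        return 256
    if "AES128" in cipher or cipher.startswith("RC4-"):
        return 128
    return None


def classify_line(line):
    """Parse one log line; return a record with the negotiated strength or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    bits = cipher_key_bits(m.group("cipher"))
    return {
        "host": m.group("host"),
        "proto": m.group("proto"),
        "cipher": m.group("cipher"),
        "bits": bits,
        # Unknown ciphers (bits is None) are treated as not strong.
        "strong": bits is not None and bits >= 128,
    }


def summarize(log_text):
    """Count sessions by key length and list the ones below 128 bits."""
    counts = Counter()
    weak = []
    for line in log_text.splitlines():
        rec = classify_line(line)
        if rec is None:
            continue                  # skip malformed or non-matching lines
        counts[rec["bits"]] += 1
        if not rec["strong"]:
            weak.append(rec)
    return counts, weak


if __name__ == "__main__":
    counts, weak = summarize(SAMPLE_LOG)
    for bits, n in sorted(counts.items(), key=lambda kv: (kv[0] or 0)):
        print(f"{bits}-bit sessions: {n}")
    for rec in weak:
        print(f"WEAK {rec['host']} {rec['proto']} {rec['cipher']} ({rec['bits']}-bit)")
```

Run it against a real ssl_request_log and the WEAK lines show which clients are still connecting with export ciphers. If the site must guarantee 128-bit sessions regardless of the browser, the server-side complement is to refuse the weak suites outright in the mod_ssl configuration (for example an SSLCipherSuite list containing `!EXP:!LOW`), so that an export browser fails to connect rather than quietly negotiating 40 bits.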
Server Gated Cryptography
According to Kennard, CAs responded by developing Server Gated Cryptography (SGC): a certificate carrying an SGC flag that 'export' browsers recognise, prompting them to step the session up to 128-bit encryption.
“Only a handful of CAs supply these certificates, so if you require the 128-bit encryption step-up capability, make sure you ask for SGC technology,” Kennard said.
Specialized Industry Needs
Kennard believes that SGC could also address the needs of companies in industries with legal or regulatory requirements to run strong encryption.
“In this case the use of SGC-enabled certificates would be the product of choice (rather than a standard digital certificate), as the SGC certificate represents the most proactive attempt to ensure that the 128-bit encryption requirement is adhered to,” he added.