You might come across the term “SGC certificate” when you are purchasing SSL (Secure Sockets Layer) protection for your business website. SGC stands for “Server Gated Cryptography”, and refers to a special SSL certificate that enables strong encryption in browsers that otherwise support only weak encryption. It is an extension of SSL, the encryption protocol that encodes information in transit so that hackers and identity thieves can’t read it. SGC certificates allow older browsers, whose general encryption is weak, to temporarily switch to strong encryption for certain ecommerce websites. While it is possible to get an SSL certificate augmented by an SGC certificate, it is not necessary; it may not even be desirable.
History of SGC certificates
Back in the 1990s, the U.S. Government was concerned about exporting strong cryptography (128 bit and higher) to other countries. As a result, most organizations were forbidden to use anything other than 40 bit or 56 bit encryption. However, it was evident that financial organizations needed better protection, so these institutions were allowed to make use of 128 bit encryption. Unfortunately, many of the Internet browsers sold before the turn of the century couldn’t handle 128 bit encryption. In order to “step up” the browser security, SGC certificates were developed. Browsers shipped with the 128 bit code built in but disabled, and that code was activated if – and only if – the browser reached a site with a properly issued SGC certificate. 128 bit communication was only used when an SGC certificate came into play.
However, recognizing the growing importance of the Internet in the lives of citizens, and recognizing that cryptography had become very widespread around the world, a new law was made that overrode the old law restricting strong cryptography. Since January 2000, almost no restrictions exist with regard to exporting strong cryptography of 128 bits and higher. As long as the server supports the cryptography, there usually is not a problem. Virtually all new versions of Internet browsers come with at least 128 bit encryption capability – and many come with 256 bit encryption capability as well. SGC certificates can be issued by any organization; it is no longer necessary to get approval before you get an SGC certificate.
Do you need an SGC certificate?
As you might guess, adding an SGC certificate to your SSL certificate encryption costs extra money. In many cases, the difference in price is rather large. However, it is probably not necessary. These days, a separate SGC certificate allowing strong encryption is only needed if your customer is using an old version of an Internet browser. Most new versions have strong encryption built in, since 128 bit encryption is now the industry standard. The only reason you would need the SGC certificate is to accommodate those with older browsers. However, this is a small group, and few people who shop online are still using older browsers. Additionally, it is worth noting that older browsers often have other security issues that make them ill-suited for secure transactions – even if you get an SGC certificate to help those browsers step up to strong encryption.
Instead of getting an SGC certificate, consider re-configuring your Web servers. It takes only a little configuration to have your servers reject any browser that offers nothing stronger than weak encryption. Include a message that recommends that your customers upgrade to a newer, more secure Web browser. Most customers are happy to upgrade their browsers since it is free to do so, and they want to be secure.
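As an added illustration of the server-side approach (example code written for this article, not from any particular server product), the Python snippet below builds a TLS server context that only admits 128-bit-and-stronger cipher suites, a helper that flags weak suites in a cipher list, and the upgrade message a weak client would be shown. The cipher string, the 128-bit threshold and the constructed sample of offered suites are assumptions; the list shape mirrors what `ssl.SSLContext.get_ciphers()` returns.

```python
import ssl

# Server cipher policy: only suites OpenSSL classes as HIGH (128-bit and up),
# with anonymous, MD5, RC4 and (3)DES suites explicitly excluded.
# Assumption: the OpenSSL linked into Python recognises these keywords.
STRONG_CIPHER_STRING = "HIGH:!aNULL:!eNULL:!MD5:!RC4:!DES:!3DES"
MIN_BITS = 128  # the "strong encryption" threshold the article discusses


def strong_only_context():
    """Build a server-side TLS context that refuses weak suites outright."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_CIPHER_STRING)
    return ctx


def weak_suites(ciphers, min_bits=MIN_BITS):
    """Names of suites whose effective key strength is below min_bits.
    `ciphers` has the shape of SSLContext.get_ciphers(): dicts with at
    least 'name' and 'strength_bits'."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def upgrade_notice(negotiated, min_bits=MIN_BITS):
    """Given the (name, protocol, bits) tuple from SSLSocket.cipher(),
    return the upgrade message for a weakly connected client, or None."""
    name, protocol, bits = negotiated
    if bits >= min_bits:
        return None
    return (f"Your browser connected with {name} ({bits}-bit, {protocol}). "
            "Please upgrade to a current browser that supports 128-bit encryption.")


# Constructed sample of what an old export-grade browser and a modern one
# would offer; the two EXP- suites are the 40-bit kind SGC was built to replace.
SAMPLE_OFFERED = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "EXP-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 56},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128, "alg_bits": 128},
    {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3", "strength_bits": 256, "alg_bits": 256},
]

if __name__ == "__main__":
    print("weak in sample offer:", weak_suites(SAMPLE_OFFERED))
    print("weak in server policy:", weak_suites(strong_only_context().get_ciphers()))
    print(upgrade_notice(("EXP-RC4-MD5", "SSLv3", 40)))
```

In practice the TLS layer rejects the weak client during the handshake, so the upgrade message belongs on a plain page your web server serves separately (or to clients that connect with a suite below your threshold when you choose to allow them temporarily).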
Overall, SGC certificates are superfluous. They can be costly, and they do not actually provide the kind of additional protection that you would expect. With the new industry standards, there is very little reason to spend the money for an SGC certificate in addition to your SSL certificate.