
I would like to get SSL-EV certification for my company website. After comparing a list of providers, I am confused by their advertisements.

  1. Why do all providers say that their certifications support 40-128 bit encryption? In my mind, this is only related to the handshake stage of SSL. It is controlled by the Apache/Nginx server. If I only keep 128-bit encryption algorithms in the candidate list, there is no way to create a 40-bit SSL connection. What does it have to do with the certification?

  2. SSL-EV from GeoTrust has the lowest price. Does their certification have lower security or credit compared to Symantec/Verisign?

  3. My website is located in China. I heard a rumor: "Due to US export rules, outside the USA, in the SSL handshake stage the calculated master key is 128 bits, but only 40 bits are encrypted; the other 88 bits are plain text." Is it true?

  4. Is SGC useless? If so, why do the providers still sell it at a very high price?

ShenLei
  • The 40 bits / >40 bits thing is about [*Server Gated Cryptography (SGC)*](https://en.wikipedia.org/wiki/Server-Gated_Cryptography), which I *think* is dead. – StackzOfZtuff Nov 17 '15 at 11:29
  • Related question: [*Browsers and export regs. Is SGC still valid?*](https://security.stackexchange.com/questions/13922/browsers-and-export-regs-is-sgc-still-valid) – StackzOfZtuff Nov 17 '15 at 12:48
  • Thank you @StackzOfZtuff. Now I have confirmed SGC is useless to me. What about the other questions? – ShenLei Nov 17 '15 at 13:16
  • As for the price, see http://security.stackexchange.com/questions/18666/is-there-any-technical-security-reason-not-to-buy-the-cheapest-ssl-certificate-y – Steffen Ullrich Nov 17 '15 at 13:56

1 Answer

  1. Marketing. The providers want you to select them because they list something that someone else doesn't list, even though all certs support the same level of encryption as you noted.

  2. Price has nothing to do with security. In fact, all the SSL certificates depend on the lowest level security of any of them.

  3. No. The SSL handshake has zero to do with location of either endpoint.

  4. SGC is dead. My guess is that anyone who needs it for some strange reason (really old legacy applications?) is a niche market. Niche markets have high prices because they can.

  5. You didn't ask this, but why do you care about EV? Literally the only advantage of EV is that it gives you a green bar in the browser window. Almost nobody knows what this means.

Steve Sether
  • Thank you. I need EV because my website has an online payment module. When users prepare to pay a lot of money, they will really care about the credit of the website. Similar websites in China all employ SSL-EV certification, so I have to buy one. :) – ShenLei Nov 18 '15 at 02:09
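The point behind question 1 and item 1 of the answer (the negotiable key strength is a property of the server's TLS configuration, not of the certificate) can be checked directly. The following is an added example, not code from the question or answer: it feeds an OpenSSL-style cipher string, as used in nginx `ssl_ciphers` or Apache `SSLCipherSuite`, to Python's `ssl` module and reports the weakest suite it would enable, with no certificate loaded at all. The cipher strings are constructed, illustrative choices.

```python
import ssl

# Constructed, illustrative cipher strings in OpenSSL cipher-list syntax.
# A server admin would place something like these in nginx "ssl_ciphers"
# or Apache "SSLCipherSuite"; the certificate plays no part in the choice.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"
LEGACY_CIPHERS = "ALL:!aNULL"   # permissive; may enable weaker suites


def enabled_ciphers(cipher_string):
    """Return the cipher suites OpenSSL would offer for this cipher string.

    Built on a server-side context with no certificate loaded, which shows
    that the available key strengths come from the TLS stack configuration.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # OpenSSL rejects a string that matches no suites, e.g. "EXPORT"
        # (the old 40/56-bit export suites) on any current build.
        return []
    return ctx.get_ciphers()


def weakest_suite(cipher_string):
    """Return (name, strength_bits) of the weakest enabled suite, or None."""
    suites = enabled_ciphers(cipher_string)
    if not suites:
        return None
    weakest = min(suites, key=lambda c: c["strength_bits"])
    return weakest["name"], weakest["strength_bits"]


def has_sub_128_bit_suite(cipher_string):
    """True if this configuration could negotiate a key shorter than 128 bits."""
    return any(c["strength_bits"] < 128 for c in enabled_ciphers(cipher_string))


if __name__ == "__main__":
    for label, cs in (("strict", STRICT_CIPHERS),
                      ("legacy", LEGACY_CIPHERS),
                      ("export", "EXPORT")):
        print(label, weakest_suite(cs), "sub-128-bit:", has_sub_128_bit_suite(cs))
```

Run it against the exact string from your server configuration; if `has_sub_128_bit_suite` returns False, no 40-bit connection is possible regardless of which CA issued the certificate.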