Saturday, April 2, 2011

Standard or Premium SSL


VeriSign, now a Symantec company and a world leader among Secure Socket Layer (SSL) certificate providers, offers two base certificate types: Standard and Premium. Each of them has the same subcategories: SSL, Intranet SSL and Extended Validation SSL. But what is the main difference between them?
SSL certificates perform three functions: a) they encrypt the transaction; b) they give the visitor verification of who they are dealing with; c) they provide insurance cover against secure transactions being cracked and intercepted. Any certificate of a given key size provides the same degree of encryption, regardless of cost. Even common "security errors" such as the certificate being expired or self-signed make no difference to the strength of the encryption.
Extended Validation SSL Certificates give high-security Web browsers the information to clearly identify a Web site's organisational identity. For example, if you use Microsoft® Internet Explorer 7 to go to a Web site secured with an SSL Certificate that meets the Extended Validation Standard, IE7 will cause the URL address bar to turn green. A display next to the green bar will toggle between the organisation name listed in the certificate and the Certificate Authority (VeriSign, for example). Firefox 3 also supports Extended Validation SSL. Other browsers are expected to offer Extended Validation visibility in upcoming releases. Older browsers will display Extended Validation SSL Certificates with the same security symbols as existing SSL Certificates.
Key Difference between Standard and Premium certificates:
Due to regulatory issues, browsers released before the year 2000 had limited capability to step their encryption up to 128 bit, which means those browsers could only perform 40 bit to 56 bit encryption. Hence SGC (Server Gated Cryptography) was introduced, which enables older browsers to connect to a site using 128 bit encryption even if the browser's normal encryption rate is 40 or 56 bit.
Reason 1: SGC/Premium certificates are costly and only available from certain vendors like VeriSign. However, do we really need to go for Premium SSL? The prices of a Premium EV SSL and a Standard EV SSL are 1499 and 995 AUD respectively.

Old Browser Usage Is Very Low

Server Gated Cryptography was created in response to US government legislation on the export of strong cryptography in the 1990s. Microsoft developed Server Gated Cryptography and Netscape developed "step-up" technology to enable 128-bit SSL encryption with export browser versions. However, in 2000 US export law was changed to allow the export of strong crypto, and Microsoft released IE 5.5 and IE 5.0.1 SP1, which allow those browsers to connect at 128-bit without using an SGC SSL certificate.
Who uses Internet Explorer 5.0 and lower these days? Of course, it depends on who you ask, but let's look at some statistics (as of Jan, 2011):
WebReference.com: IE 5.x usage is 1.23%, IE 4 usage is 0.03%. W3Schools: IE 6.x usage for Dec 2010 is 4.4%.
Not very big numbers. You need to ask whether the extra money for an SGC SSL certificate is worth supporting that small percent of the market. Still, 1% of visitors can mean a lot of money to many businesses and no one wants to have to turn anyone away. But, there may be a far more important reason NOT to use SGC Certificates.
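The statistics above are global averages; the figure that actually matters is the share of export-era browsers hitting your own site. The script below is an added example (not part of the original post) that measures that share from a constructed access-log sample: it parses the User-Agent field and counts Internet Explorer versions older than 5.5 as potentially limited to 40/56-bit encryption. The log lines are made up for the example; the UA string does not reveal service packs, so IE 5.01 is counted conservatively as export-era.

```python
import re
from collections import Counter

# Constructed sample in Combined Log Format (not real traffic); only the
# trailing User-Agent field is used by the check.
SAMPLE_LOG = """\
10.0.0.1 - - [02/Apr/2011:10:00:01 +1000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
10.0.0.2 - - [02/Apr/2011:10:00:02 +1000] "GET /cart HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.3 - - [02/Apr/2011:10:00:03 +1000] "GET /checkout HTTP/1.1" 200 2048 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.4 - - [02/Apr/2011:10:00:04 +1000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:2.0) Gecko/20100101 Firefox/4.0"
10.0.0.5 - - [02/Apr/2011:10:00:05 +1000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 4.01; Windows 98)"
"""

# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
MSIE_RE = re.compile(r"MSIE (\d+)\.(\d+)")


def classify(ua):
    """Bucket a User-Agent string: 'export-era' for IE older than 5.5,
    'ie' for IE 5.5 and newer, 'other' for everything else."""
    m = MSIE_RE.search(ua)
    if not m:
        return "other"
    major, minor = int(m.group(1)), int(m.group(2))
    # IE 5.5 (and 5.0.1 SP1) negotiate 128-bit without SGC; the UA string
    # cannot show the SP1 distinction, so anything before 5.5 is counted
    # as export-era, which gives an upper bound on SGC-dependent clients.
    return "export-era" if (major, minor) < (5, 5) else "ie"


def legacy_share(log_text):
    """Return (per-bucket request counts, fraction of export-era requests)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip malformed lines rather than miscounting them
            counts[classify(m.group("ua"))] += 1
    total = sum(counts.values())
    return counts, (counts["export-era"] / total if total else 0.0)


if __name__ == "__main__":
    counts, share = legacy_share(SAMPLE_LOG)
    print(dict(counts), f"export-era share: {share:.1%}")
```

Run it over a real log instead of SAMPLE_LOG to get the number that decides whether the SGC premium buys you anything.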
Reason 2: Insurance? The insurance cover for a Premium certificate is 250,000 USD, and 100,000 USD for Standard certificates. But I have never heard of a claim on certificate insurance, although they may well have happened. What would be the cost to you (or your customer) if a transaction was intercepted? For most businesses I suspect that the level of cover on cheap certificates would be more than adequate. It's basically a rort, selling unnecessary insurance.
Reason 3: Using Premium certificates means encouraging users to keep using old browsers, which in turn makes them more prone to hacking. These old browsers may be unpatched or unsupported and open the door to phishing and other types of attack. Do you want users of older browsers to fall prey to that and then blame you? There are literally hundreds of security flaws in those older browsers that malware authors can take advantage of.
To know more about why not to use old browsers, read this article from PayPal on phishing.