From: Mike Shaw (mshaw wwisp.com)
Date: Fri Jan 04 2002 - 11:29:24 CST

A company I'm working with recently asked for my assistance in renewing an
SSL key on an IIS server. It was a Verisign key, so I'm relatively
familiar with these.
Looking at the certs they had ordered before, they had opted for the
"secure site pro" keys. In the past, I had used regular "secure site"
keys. The Secure Site Pro keys are billed as "128 bit keys" and the
regulars are billed as "40 bit keys", however as you read the fine print,
you see that regular non-"pro" keys are capable of 128 bit communication as
well, just with domestic grade browsers. Secure Site Pro keys are capable
of 128 bit communication with international/export grade browsers as well.
I've tested it, and on exportable IE 6 (says cypher strength of 56 bit in
the "about" box), it does indeed indicate that the SSL connection is 128
bit with a Secure Site Pro key. A non-pro key won't connect at 128.
Does anyone know if this is true 128 bit communication with export grade
browsers, or some kind of kludge that is degraded for use with exportable
crypto? The reason this is important is because
a) The company with the key is representing to customers with domestic IE
that this is "strong" encryption. If it isn't, or if it's some sort of
hacked version, then it shouldn't be called "strong".
b) It's twice as expensive for the "pro" keys.
Also, does anyone have any knowledge of how IE would allow true 128 bit
encryption and still remain exportable?
As a side note, Verisign does some very slick advertising in this
area. Unless you read carefully, you'd think you needed to use the Pro
certificate to use 128 bit at all. There's no telling how many people
have purchased Pro when they don't need it.
Any input or wisdom is appreciated.
-Mike