Thawte SGC SuperCert:
The SGC SuperCert is Thawte's strongest encryption
certificate. It automatically steps up protection to
a minimum of 128-bit encryption even if your customers
use older browsers which have limited 40-bit or 56-bit
encryption capabilities. 256-bit encryption can be enabled
if your client's browser capability and the cipher suite
installed on your web server are both 256-bit compatible.
Thawte's SGC SuperCert delivers the best security
for both the vendor and the user. Recent studies conducted
by the Yankee Group showed that SGC-enabled certificates
do deliver as described, thereby providing increased
security for tens of millions of PC users if all e-commerce
vendors were to use SGC-enabled certificates.
Certificate Features and Benefits:
| Encryption: | 256-bit with lowest possible encryption level of 128-bit protection for 99.9% of users even with older browsers |
| Browser Compatibility: | Highest in industry |
| Certificate Details: | Domain and identity authentication and verification |
| Thawte Trusted Site Seal: | Yes - free (available in 18 languages) |
| Free Reissues: | Yes - unlimited for the lifespan of the certificate |
| Technical Support: | Free, 24/5 multi-lingual for all global time zones |
| Secures Internationalized Domains: | Yes - Thawte is the first Certification Authority to have all its SSL certificates support IDN character sets |
| SGC Technology: | Yes – only a few CAs can offer this |
| CRL: | Yes - Certificate Revocation List fully supported |
| Online Certificate Status Protocol: | Yes |
Is this the right product for my business?
Discover how Thawte's SGC SuperCert certificates
allow every site visitor to enjoy the strongest SSL
encryption available to them, regardless of their browser
version or operating system.
Unlike normal SSL certificates that are only capable
of negotiating with an internet browser to establish
the strongest possible encryption that both the server
and the browser can agree upon, SGC-enabled SSL certificates
can, in very specific instances, automatically step
up a browser to 128-bit. With the proper cipher suite
installed on the server it would be possible to provide
256-bit encryption.
Essentially, unlike most other SSL certificates,
SGC-enabled SSL certificates can help older browsers
overcome prescribed limitations that have been programmed
into them, which would otherwise restrict these browsers
to connect at weaker 40 and 56-bit encryption levels.
For your business this means that with an SGC-enabled
SSL certificate installed on your server, your customers
will be able to connect at the 128-bit encryption level
even if they use certain older versions of Windows and
the Internet Explorer browser.
256-bit encryption can be achieved if the user's
browser capability and the cipher suite installed on
the web server are both 256-bit compatible.
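The negotiation rule described above, modelled with Python's standard `ssl` module as an added example (not Thawte's code): the session strength is that of the suite the server picks from those both sides enable, so 256-bit needs support on both ends. The cipher strings and the helper names `suites`, `negotiate` and `weak_suites` are assumptions for illustration; SGC step-up itself is not modelled.

```python
import ssl

def suites(cipher_string):
    """Suites (TLS 1.2 and earlier) that an OpenSSL cipher string enables here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing matched, e.g. 40-bit export suites that current OpenSSL
        # builds no longer ship.
        return []
    # TLS 1.3 suites are configured separately and always listed; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def negotiate(server_string, client_string):
    """Model server-preference selection: first server suite the client offers."""
    offered = {c["name"] for c in suites(client_string)}
    for c in suites(server_string):
        if c["name"] in offered:
            return c["name"], c["strength_bits"]
    return None  # no shared suite: the handshake fails

def weak_suites(cipher_string, floor=128):
    """Names of enabled suites whose effective key strength is below floor bits."""
    return [c["name"] for c in suites(cipher_string) if c["strength_bits"] < floor]

# Constructed sample configurations (assumptions, not taken from the page).
SERVER = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
CLIENT_128_ONLY = "ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    print(negotiate(SERVER, SERVER))           # both ends 256-bit capable
    print(negotiate(SERVER, CLIENT_128_ONLY))  # client caps the session at 128
    print(negotiate("ECDHE-RSA-AES256-GCM-SHA384", CLIENT_128_ONLY))  # no overlap
    print(weak_suites("DEFAULT"))              # audit the local default list
```

Running `weak_suites` against the cipher string from a real server configuration lists any enabled suite under 128 bits that should be removed.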
In an independent study conducted by the Yankee Group
in September 2005 it was shown that SGC-enabled certificates
enable more Windows 2000 users (without Service Pack
4 or the high-encryption pack) to connect with 128-bit
encryption. The difference means tens of millions more
users worldwide would get 128-bit or higher encryption
if all e-commerce businesses used SGC. This means greater
security for more customers and for your business.
Greater security equates with more trust from users.
According to a survey conducted by Questus, as many
as 17% of internet users leave e-commerce websites simply
because they have perceived them as being untrustworthy
or not secure. So, ask yourself, are you doing enough
to build confidence and trust in your users?
What does the certificate do?
Thawte's SGC SuperCert certificates enable more Windows
2000 users (without Service Pack 4 or the high-encryption
pack installed) and others to connect with 128-bit encryption.
The difference means tens of millions more users worldwide
would get 128-bit encryption, if all e-commerce businesses
used SGC.
This was emphatically confirmed by an independent
study conducted by the Yankee Group in September 2005.
During the study, the security consultants examined 23
combinations of client configurations and four typical
web servers, running no fewer than 368 tests and using
video to document results.
In the 1990s, the US government imposed restrictions
on exporting strong cryptography to other countries.
The restriction meant that software implementing SSL,
such as web browsers, operating systems and web servers,
had to limit encryption to weak algorithms and shorter
key lengths if it was sold for use outside the United
States. Lawmakers included an exception for financial
transactions to ensure that customers worldwide could
safely transact online using strong encryption.
SGC was created as an extension to SSL for consumers
with export versions of web browser software to use
strong cryptography for financial transactions. US export
laws were upheld by issuing SGC certificates only to
eligible financial institutions, creating an enforcement
point at the server without any impact to the client.
The restrictions on export of strong encryption have
since been lifted, and SGC certificates may be issued
to any institution.
Restrictions on encryption are evident in old versions
of Windows 2000 running Internet Explorer that are still
in use. Consumers and e-commerce vendors, particularly
those outside the United States, are still using weak
encryption, despite the fact that safer, stronger alternatives
are available.
Although newer versions of Windows 2000 provide these
features, millions still use old versions. Users who
are still using old browser versions that only provide
weak 40-bit or 56-bit encryption can gain full-strength
128-bit encryption when conducting business with SGC-enabled
web sites.
With SGC, browser and operating system versions -
whether export or domestic - that would otherwise connect
with weak encryption are afforded much stronger security.
Until older versions of browsers and operating systems
disappear completely, SGC certificates can protect this
portion of the user population.
Technical Details:
The Thawte SGC SuperCert in action
Thawte's SGC SuperCert certificates enable 128-bit
SSL sessions in older browsers that are usually restricted
to 40/56-bit encryption. The difference between SGC
SuperCerts and normal SSL Web Server Certificates is
that whenever one of these older browsers connects to
a site that has an SGC SuperCert installed, the SSL session
will be automatically 'stepped up' to 128 bits, instead
of being negotiated at the encryption level that the
browser defaults to (40/56 bits).
Certificate Signing Request (CSR) File
The process of applying for a Thawte SGC SuperCert
begins with the completion and submission of a Certificate
Signing Request (CSR) file. Thawte then verifies your
identity, and when satisfied, signs that request file,
using the trusted Thawte CA root key, and issues it
to you as your certificate.
Valid Certificate Request Formats
When we issue your certificate it will contain two
critical pieces of information about you. The first
is the "Distinguished Name", which is a set of values
that describes your country, state or province, city
or town, organization, division within that organization
and your web server domain name. The second is your
public key.
Keys
Session keys are made up of a public key (issued
to you with your SGC SuperCert) and randomly selected
private keys created by each browser when it connects
to your server. Session keys are used to encrypt and
decrypt data (transmitted to and from the server) after
the initial browser/server 'handshake'. (A session key
is not your Server Certificate key, which is either
1024-bit or 512-bit.)
Compatible web servers
Please note that the SGC SuperCert is chained, so
check that your web server supports certificate
chaining.
Upgrading Browsers
Those running 3.x generation browsers can upgrade
their security to the same level as that supported by
4.0 generation browsers. The process takes about 2 minutes
and ensures that your browser works with the tens of
thousands of Thawte certified secure servers out there.
You only need to do this once for your browser to be
updated permanently!
Secure Internationalized Domains:
Thawte now provides SSL certificates to customers
who use Internationalized Domain Names – the first Certification
Authority to offer this. Internationalized Domain Names
(IDNs) provide a convenient mechanism for users to access
websites in their preferred language.
Thawte's systems are now able to recognize and issue
certificates that contain local language characters
in all certificate fields.
What this means is that you can now buy an SSL123
Certificate, an SSL Web Server Certificate or an SGC
SuperCert to secure the website you have hosted on an
Internationalized Domain Name.
Not only will your secured Internationalized Domain
content be reflected in the certificate details, but
your Thawte Trusted Site Seal will also reflect your
local language content. Thawte systems are also fully
internationalized across all certificate enrollment
details including Code Signing Certificate product lines.
Online Certificate Status Protocol:
A major software vendor has released a beta version
of their browser that will have automatic certificate
revocation checking as a default option.
This new checking protocol will maximize the speed
of checking the status of Thawte certificates and will
minimize the possibilities of online fraud as invalid
certificates and companies will immediately be exposed
to the end customer.
Thawte has invested significantly in the infrastructure
which can support OCSP - something not all CAs will
be able to provide and support.