Browser Comparison

The figure above illustrates the primary difference between export-grade and fortified web browsers. The export-grade browser - on the left - can only communicate securely with a certain very specific set of web servers. The fortified browser - on the right - can communicate securely with any full strength web server anywhere on the Internet (for the purposes of the diagram, the fortified browser is equivalent to any other strong-SSL browser).

Web servers can be categorized according to their respective encryption capabilities.

1. Class A web servers only accept weak, export-grade SSL connections, regardless of the browser being used. The international versions of Microsoft's IIS and Netscape's Enterprise Server fall into this category.

   These servers are widely regarded as inadequate for any purpose that involves the need for security, privacy, authentication or message integrity. Do not trust your data to a class A server. Electronic commerce services that employ these web servers should be avoided at all costs; instead you should complain to the site web master!

   Some examples of operational class A servers are:

   • B.H. Blackwell Ltd.,online bookstore.
   • Lindt Chocolates, online ordering service.
   • OzEmail Ltd., ISP members on-line services.
   • Thomas Cook (U.K.), online travel services.
   • Travelocity, online travel services.

2. Class B web servers are full, 128-bit capable servers that originate outside the U.S. Their encryption capabilities are not artifically weakened. Two leading examples of servers under this heading are Stronghold, by C2 Net, and Apache-SSL in its various forms.

   Export-grade Netscape (and Microsoft) browsers do not use strong encryption when communicating with class B servers. A fortified browser can communicate securely with a class B server.

   Some examples of operational class B servers are:

   • Aloud.com, online booking agency.
   • Netcraft Ltd., online ordering service.
   • Sofcom Distributors, online shopping mall.
   • Thawte Consulting, online CA services.

3. Class C web servers are the U.S. domestic equivalent of the class A servers. These servers are manufactured by U.S. based organizations. Their distribution and availability is controlled by the U.S. Government. Within U.S. borders, class C servers represent the largest slice of all strong SSL web servers.

   Export-grade Netscape (and Microsoft) browsers do not use strong encryption when communicating with class C servers. A fortified browser can communicate securely with a class C server.

   Recent changes to the U.S. Government's export regulations made this class of server software more accessible for some non-U.S. organizations - e.g. foreign subsidiaries of U.S. companies, and health and medical organizations. Unfortunately, the relaxation does very little - if anything - to improve overall security levels on the World Wide Web, since the same export-grade limitation remains in place on the Netscape and Microsoft browsers.

   Some examples of operational class C servers are:

   • Amazon.com Inc., online store.
   • Dell Computer Corp., online store.
   • E*Trade Group Inc., online brokerage house.
   • Swisspost, Telegiro online services.
   • Verisign Inc, Digital ID enrolment service.
   • Wells Fargo Bank, Internet banking.

4. Class D embodies those web servers that are approved under the Verisign Global Server programme to conduct strongly encrypted web services internationally. Global Server IDs are available only to qualifying U.S. companies and international financial organizations that hold a Dun & Bradstreet D-U-N-S number.

   Recent versions of Netscape's and Microsoft's export-grade browsers are able to perform strongly encrypted communications with class D servers. Such browsers initially connect to the web server using 40-bit encryption. Upon receiving and recognising the web server's Global Server ID certificate, the browser automatically closes the connection, and then re-opens it using 128-bit encryption. Thus the network connection is negotiated twice.

   A fortified browser will communicate with a class D server using strong encryption, and it will negotiate the initial connection only once.

   Some examples of operational class D servers are:

   • A.N.Z. Bank (Aust.), Internet banking service.
   • Commerzbank (Germany), Internet banking service.
   • Lloyds Bank (U.K.), Internet banking service.
   • Westpac Bank (Aust.), Internet banking service.