SSL is available with 128-bit SSL or 256-bit SSL encryption, actual strength may vary
When you shop for SSL certificates, you’ll see options for 128-bit SSL or 256-bit SSL encryption strength. Which is better?
The bigger one!
Stay cautious, my friends… [Editor’s Note: Sit back down, Carl. You’re not done…]
Ok, ok. There’s a little more to this than just bigger is better. And I hate to break this to everyone but a lot of this discussion about 128 bit vs 256 bit encryption that gets done is more just slick marketing than an objective representation of factual information.
Here’s the thing, your SSL certificate isn’t the only that that has an impact on your actual encryption strength. Period.
Anyone who tells you different deserves a swift kick in the shin.
Let’s start from the top…
First, some background on Encryption
Around 1990, back when people still had social skills, e-commerce emerged as the internet started to facilitate business. Unfortunately, the internet was designed in a way that communication takes place in plaintext unless encrypted, so the nerds of the day set to work devising a mean to encrypt communication.
Now, at the outset information was sent over the internet using Data Encryption Standard or DES. That method used a 56-bit key for symmetric encryption. Symmetric encryption is when both keys are the same and can both encrypt and decrypt the communication.
Unfortunately, DES proved susceptible to hacking attempts so a new method was created, AES or Advanced Encryption Standard. This facilitated more robust encryption.
Cutting through the Marketing Speak
A lot of companies will try to sell you a 128 bit SSL certificate or a 256 bit SSL certificate. This is, at best, misleading and at worst it’s outright lies. Your SSL certificate actually has little bearing on the actual strength of your encryption. That relies entirely on your server configuration and the capabilities of the browser connecting with it.
To put it another way, purchasing a 256-bit SSL certificate does not mean your website will be using 256-bit symmetric encryption for every connection. In fact, depending on the technology in place you could be looking at as little as 40-bits of protection. You’ll have the capability to facilitate encrypted connections up to 256-bits, but there are a lot more variables in this equations than just your certificate.
So, when encryption strength is mentioned in SSL marketing what you’re actually referring to is the length of the key used for cryptographic operations. The key itself may be 256-bits, which is actually how resistant something is to guessing, but the actual strength of the encryption may be much less as a result of a range of factors.
How long would it take to crack my cryptographic key?
|Key Size||Time to Crack|
|128-bit||1.02 x 1018 years|
|192-bit||1.872 x 1037 years|
|256-bit||3.31 x 1056 years|
What should I pick?
With symmetric encryption, we use slightly smaller key sizes that are, in all honesty, slightly less secure as a trade-off for better performance. Frankly, either is probably fine given that neither will be crackable, in practice, until quantum computers advance a little bit more. Still, within the AES encryption algorithm, it’s better to go with the 256-bit key given that it is substantially more difficult to crack.
However, once again, remember that your key length is not a true indicator of your actual encryption strength. 256-bit SSL may not always facilitate 256-bit encryption in practice.