Y2K browser bug to affect e-commerce
May 31, 1999
by Pete Loshin
(IDG) -- You've ignored the year 2000 problem -- you just don't think it will affect you. You fully expect to wake up on January 1, 2000, and order from your favorite Internet commerce sites as you always have.
But even if the Y2K problem doesn't hit, you may still have trouble ordering flowers on New Year's Day 2000.
That's because if you've put off upgrading your old (4.05 or earlier) Netscape browser, there's a good chance that your browser won't recognize the certificate for your root certification authorities -- the entities that vouch for all other Web merchants' identities.
Even worse, old (4.x or earlier) Internet Explorer browsers suffer from the same problem and don't tell you.
And when this happens, you don't have full security in place for online purchases.
OK, what's a root CA?
Root CA companies VeriSign, Thawte, GTE CyberTrust, and Entrust.net sell certificate services to Web merchants.
To get a certificate from a CA, a merchant submits proof of its identity to the root CA service provider, and the CA then generates a public key pair.
The CA then digitally signs the merchant's certificate, which is installed on the merchant's Web server and used to encrypt sensitive information like credit card numbers.
The root of the problem
CAs too have certificates, which, for security reasons, are themselves hard-coded into most popular browsers, such as those from Netscape and Microsoft. This makes it harder for attackers to misrepresent themselves as a root CA. And like all other certificates, a root CA's certificate expires eventually.
For Netscape browser versions 4.05 and earlier, root CA certificates will expire at the end of the year.
When a root CA's certificate expires, Netscape lets you know by returning an error message.
Microsoft's Internet Explorer 3.x and 4.x browsers don't handle the problem so gracefully -- they don't report expired root CA certificates at all, leaving you unaware of this potential security threat.
In either case, you can choose to ignore the error messages and complete your transactions, and there's probably no immediate threat to your security. But ignoring browser security warnings is a bad habit.
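As an added illustration (not code from the article or from any browser vendor), the chain check below models the behaviour the article describes: every certificate in the chain, including the embedded root, has a validity window, and a verifier that skips the trust anchor's window silently accepts a chain whose root has expired. The certificate records, names and dates are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records (hypothetical names and dates, not real CA data).
# Only the fields needed to show expiry handling are modelled; signatures are
# not checked here.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def _utc(y, m, d, h=0, mi=0, s=0):
    return datetime(y, m, d, h, mi, s, tzinfo=timezone.utc)

# A root whose certificate runs out at the end of 1999, like the roots the
# article says are embedded in Netscape 4.05 and earlier.
ROOT_1999 = Cert("Example Root CA", "Example Root CA",
                 _utc(1994, 1, 1), _utc(1999, 12, 31, 23, 59, 59))
TRUST_STORE = {ROOT_1999.subject: ROOT_1999}

# A merchant certificate issued under that root and still valid into 2000.
MERCHANT = Cert("shop.example", "Example Root CA",
                _utc(1999, 6, 1), _utc(2000, 6, 1))

def validate_chain(chain, trust_anchors, now, check_anchor_validity=True):
    """Walk the chain from leaf towards the root and return (ok, reason).

    Every certificate in the chain is checked against its validity window
    and linked to its issuer; the last certificate's issuer must be a trust
    anchor. With check_anchor_validity=False the anchor's own window is
    ignored, which reproduces the silent acceptance the article reports for
    Internet Explorer 3.x and 4.x.
    """
    if not chain:
        return False, "empty chain"
    for cert in chain:
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject} outside validity period"
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"{child.subject} not issued by {parent.subject}"
    anchor = trust_anchors.get(chain[-1].issuer)
    if anchor is None:
        return False, f"no trust anchor for {chain[-1].issuer}"
    if check_anchor_validity and not (anchor.not_before <= now <= anchor.not_after):
        return False, f"trust anchor {anchor.subject} expired"
    return True, "ok"
```

Calling `validate_chain([MERCHANT], TRUST_STORE, _utc(2000, 1, 1))` fails on the expired anchor, while the same call with `check_anchor_validity=False` returns ok even though the merchant's certificate is still within its own window.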
The quick (and free) solution is to upgrade your browser. It's also possible just to update the root CA certificate itself, but VeriSign describes this as "a multistep process that could be confusing or scary for most nontechnical Web users."
Additionally, online merchants can build some workarounds for 4.x browsers with Entrust.net and other root CA companies.
Given the massive shift toward new browsers, experts predict this problem will affect relatively few users by year's end.
Merchants associated with offending root CAs may face customer problems. And Microsoft will have some explaining to do about why its software doesn't verify certificate expirations.
But (assuming electrical power is still on) most of us will be able to order those flowers, John Grisham's latest, or that classic Beatles CD next New Year's Day.