PC World

Y2K browser bug to affect e-commerce

May 31, 1999
Web posted at: 10:39 a.m. EDT (1439 GMT)


by Pete Loshin

(IDG) -- You've ignored the year 2000 problem -- you just don't think it will affect you. You fully expect to wake up on January 1, 2000, and order from your favorite Internet commerce sites as you always have.

But even if the Y2K problem doesn't hit, you may still have trouble ordering flowers on New Year's Day 2000.

That's because if you've put off upgrading your old (4.05 or earlier) Netscape browser, there's a good chance that your browser won't recognize the certificate for your root certification authorities -- the entities that vouch for all other Web merchants' identities.

Even worse, old (4.x or earlier) Internet Explorer browsers suffer from the same problem and don't tell you.

And when this happens, you don't have full security in place for online purchases.

OK, what's a root CA?

Root CA companies VeriSign, Thawte, GTE CyberTrust, and sell certificate services to Web merchants.

In order to get a certificate from a CA, a merchant submits proof of its identity to the root CA service provider, from which the CA generates a public key pair.

The CA then digitally signs the merchant's certificate, which is installed on the merchant's Web server and used to encrypt sensitive information like credit card numbers.

The root of the problem

CAs too have certificates, which, for security reasons, are themselves hard-coded into most popular browsers, such as those from Netscape and Microsoft. This makes it harder for attackers to misrepresent themselves as a root CA. And like all other certificates, a root CA's certificate expires eventually.

For Netscape browser versions 4.05 and earlier, root CA certificates will expire at the end of the year.

When a root CA's certificate expires, Netscape lets you know by returning an error message.

Microsoft's Internet Explorer 3.x and 4.x browsers don't handle the problem so gracefully -- they don't report expired root CA certificates at all, leaving you unaware of this potential security threat.

In either case, you can choose to ignore the error messages and complete your transactions, and there's probably no immediate threat to your security. But ignoring browser security warnings is a bad habit.
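The two browser behaviors described above can be compared in a short Python model. This is an added example, not code from the article or from any browser. The certificates, names and dates other than the end-of-1999 root expiry are constructed, and signature verification is left out so that only the validity-period check is shown.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

def utc(y, m, d, hh=0, mm=0, ss=0):
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)

# Constructed sample data: a root built into the browser that expires at the
# end of 1999, and a merchant certificate it issued that runs into 2000.
ROOT = Cert("Example Root CA", "Example Root CA",
            utc(1996, 1, 1), utc(1999, 12, 31, 23, 59, 59))
MERCHANT = Cert("shop.example", "Example Root CA",
                utc(1999, 6, 1), utc(2000, 6, 1))
TRUST_STORE = {ROOT.subject: ROOT}

def validate(leaf, trust_store, now, check_root_expiry=True):
    """Return a list of problems; an empty list means the chain is accepted.

    check_root_expiry=True reports an expired built-in root (the behavior the
    article attributes to Netscape); False skips that check (the behavior it
    attributes to Internet Explorer 3.x and 4.x).
    """
    root = trust_store.get(leaf.issuer)
    if root is None:
        return [f"issuer {leaf.issuer!r} is not a built-in root"]
    # The merchant certificate is always checked; the root only when asked.
    chain = [leaf] + ([root] if check_root_expiry else [])
    problems = []
    for cert in chain:
        if now < cert.not_before:
            problems.append(f"{cert.subject}: not yet valid")
        elif now > cert.not_after:
            problems.append(f"{cert.subject}: expired {cert.not_after:%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    for when in (utc(1999, 12, 31), utc(2000, 1, 1)):
        print(when.date(), "strict:", validate(MERCHANT, TRUST_STORE, when))
        print(when.date(), "lax:   ",
              validate(MERCHANT, TRUST_STORE, when, check_root_expiry=False))
```

On January 1, 2000 the strict check flags the root while the lax check accepts the same chain without comment, even though the merchant's own certificate is still within its validity period.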

Solution: Upgrade

The quick (and free) solution is to upgrade your browser. It's also possible just to update the root CA certificate itself, but VeriSign describes this as "a multistep process that could be confusing or scary for most nontechnical Web users."

Additionally, online merchants can build some workarounds for 4.x browsers with and other root CA companies.

Given the massive shift toward new browsers, experts predict this problem will affect relatively few users by year's end.

Merchants associated with offending root CAs may face customer problems. And Microsoft will have some explaining to do about why its software doesn't verify certificate expirations.

But (assuming electrical power is still on) most of us will be able to order those flowers, John Grisham's latest, or that classic Beatles CD next New Year's Day.
