CNN.com
COMPUTING

From...
PC World

Y2K browser bug to affect e-commerce

May 31, 1999
Web posted at: 10:39 a.m. EDT (1439 GMT)

by Pete Loshin

(IDG) -- You've ignored the year 2000 problem -- you just don't think it will affect you. You fully expect to wake up on January 1, 2000, and order from your favorite Internet commerce sites as you always have.

But even if the Y2K problem doesn't hit, you may still have trouble ordering flowers on New Year's Day 2000.

That's because if you've put off upgrading your old (4.05 or earlier) Netscape browser, there's a good chance that your browser won't recognize the certificate for your root certification authorities -- the entities that vouch for all other Web merchants' identities.

Even worse, old (4.x or earlier) Internet Explorer browsers suffer from the same problem and don't tell you.

And when this happens, you don't have full security in place for online purchases.

OK, what's a root CA?

Root CA companies VeriSign, Thawte, GTE CyberTrust, and Entrust.net sell certificate services to Web merchants.

In order to get a certificate from a CA, a merchant submits proof of its identity to the root CA service provider, from which the CA generates a public key pair.

The CA then digitally signs the merchant's certificate, which is installed on the merchant's Web server and used to encrypt sensitive information like credit card numbers.

The root of the problem

CAs too have certificates, which, for security reasons, are themselves hard-coded into most popular browsers, such as those from Netscape and Microsoft. This makes it harder for attackers to misrepresent themselves as a root CA. And like all other certificates, a root CA's certificate expires eventually.

For Netscape browser versions 4.05 and earlier, root CA certificates will expire at the end of the year.

When a root CA's certificate expires, Netscape lets you know by returning an error message.

Microsoft's Internet Explorer 3.x and 4.x browsers don't handle the problem so gracefully -- they don't report expired root CA certificates at all, leaving you unaware of this potential security threat.

In either case, you can choose to ignore the error messages and complete your transactions, and there's probably no immediate threat to your security. But ignoring browser security warnings is a bad habit.
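The difference between the two behaviors described above can be shown with a small model of validity-period checking. This is an added example, not code from the article or from any browser: the certificate names and dates are constructed, signatures are not verified, and the check_root_expiry switch is a hypothetical stand-in for "reports an expired root" versus "never looks at the root's dates."

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

# Constructed sample data (not real certificates): a root built into an old
# browser that expires at the end of 1999, and a merchant cert it issued.
ROOT = Cert("Example Root CA", "Example Root CA",
            datetime(1996, 1, 1), datetime(1999, 12, 31, 23, 59, 59))
MERCHANT = Cert("shop.example", "Example Root CA",
                datetime(1999, 6, 1), datetime(2000, 6, 1))
TRUST_STORE = {ROOT.subject: ROOT}

def build_chain(leaf, intermediates, trust_store):
    """Walk issuer names from the leaf up to a self-signed root in the store."""
    pool = {c.subject: c for c in intermediates}
    chain, current = [leaf], leaf
    while current.subject != current.issuer:
        parent = trust_store.get(current.issuer) or pool.get(current.issuer)
        if parent is None or parent in chain:
            raise ValueError(f"no trusted issuer for {current.subject!r}")
        chain.append(parent)
        current = parent
    if trust_store.get(current.subject) != current:
        raise ValueError("chain does not end at a trusted root")
    return chain

def validate(chain, now, check_root_expiry=True):
    """Return validity-period errors; an empty list means the chain passes."""
    errors = []
    for cert in chain:
        is_root = cert.subject == cert.issuer
        if is_root and not check_root_expiry:
            continue  # lax behavior: the root's dates are never examined
        if now < cert.not_before:
            errors.append(f"{cert.subject}: not yet valid")
        elif now > cert.not_after:
            errors.append(f"{cert.subject}: expired {cert.not_after:%Y-%m-%d}")
    return errors

def expiring_roots(trust_store, now, within_days):
    """Audit helper: built-in roots that expire inside the given window."""
    deadline = now + timedelta(days=within_days)
    return sorted(c.subject for c in trust_store.values() if c.not_after <= deadline)
```

Validating the merchant chain on January 1, 2000 yields an expired-root error in the strict mode and no error at all in the lax mode, while expiring_roots shows how a trust store can be audited ahead of the deadline.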

Solution: Upgrade

The quick (and free) solution is to upgrade your browser. It's also possible just to update the root CA certificate itself, but VeriSign describes this as "a multistep process that could be confusing or scary for most nontechnical Web users."

Additionally, online merchants can build some workarounds for 4.x browsers with Entrust.net and other root CA companies.

Given the massive shift toward new browsers, experts predict this problem will affect relatively few users by year's end.

Merchants associated with offending root CAs may face customer problems. And Microsoft will have some explaining to do about why its software doesn't verify certificate expirations.

But (assuming electrical power is still on) most of us will be able to order those flowers, John Grisham's latest, or that classic Beatles CD next New Year's Day.

