From...

May 31, 1999
Web posted at: 10:39 a.m. EDT (1439 GMT)

ALSO: How to hold the perfect Y2K community meeting

by Pete Loshin

(IDG) -- You've ignored the year 2000 problem -- you just don't think it will affect you. You fully expect to wake up on January 1, 2000, and order from your favorite Internet commerce sites as you always have.

But even if the Y2K problem doesn't hit, you may still have trouble ordering flowers on New Year's Day 2000.

That's because if you've put off upgrading your old (4.05 or earlier) Netscape browser, there's a good chance that your browser won't recognize the certificate for your root certification authorities -- the entities that vouch for all other Web merchants' identities.

Even worse, old (4.x or earlier) Internet Explorer browsers suffer from the same problem and don't tell you.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
PC World home page
FileWorld find free software fast
Make your PC work harder with these tips
Reviews & in-depth info at IDG.net
		IDG.net's desktop PC page
		IDG.net's portable PC page
IDG.net's Windows software page
IDG.net's personal news page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for computer geniuses (& newbies)
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

And when this happens, you don't have full security in place for online purchases.

OK, what's a root CA?

Root CA companies VeriSign, Thawte, GTE CyberTrust, and Entrust.net sell certificate services to Web merchants.

In order to get a certificate from a CA, a merchant submits proof of its identity to the root CA service provider, from which the CA generate a public key pair.

The CA then digitally signs the merchant's certificate, which is installed on the merchant's Web server and used to encrypt sensitive information like credit card numbers.

The root of the problem

CAs too have certificates, which, for security reasons, are themselves hard-coded into most popular browsers, such as those from Netscape and Microsoft. This makes it harder for attackers to misrepresent themselves as a root CA. And like all other certificates, a root CA's certificate expires eventually.

For Netscape browser versions 4.05 and earlier, root CA certificates will expire at the end of the year.

When a root CA's certificate expires, Netscape lets you know by returning an error message.

Microsoft's Internet Explorer 3.x and 4.x browsers don't handle the problem so gracefully -- they don't report expired root CA certificates at all, leaving you unaware of this potential security threat.

In either case, you can choose to ignore the error messages and complete your transactions, and there's probably no immediate threat to your security. But ignoring browser security warnings is a bad habit.

Solution: Upgrade

The quick (and free) solution is to upgrade your browser. It's also possible just to update the root CA certificate itself, but VeriSign describes this as "a multistep process that could be confusing or scary for most nontechnical Web users."

Additionally, online merchants can build some workarounds for 4.x browsers with Entrust.net and other root CA companies.

Given the massive shift toward new browsers, experts predict this problem will affect relatively few users by year's end.

Merchants associated with offending root CAs may face customer problems. And Microsoft will have some explaining to do about why its software doesn't verify certificate expirations.

But (assuming electrical power is still on) most of us will be able to order those flowers, John Grisham's latest, or that classic Beatles CD next New Year's Day.