Y2k might 'expire' some e-commerce sites - Digital encryption hits major league glitch

greenspun.com : LUSENET : TimeBomb 2000 (Y2000) : One Thread



Tuesday December 07, 1999

Y2K might 'expire' some e-commerce sites

Digital encryption hits major-league glitch

Christopher Guly, The Ottawa Citizen

It turns out that the date change that will occur on Dec. 31 and possibly find computers unable to read 2000 isn't the only concern facing businesses as the year winds down.

An important piece of software provided by different suppliers that allows vendors to sell goods and services securely over the Internet will expire on New Year's Day.

Called digital certificates, the software allows electronic-commerce sites to encrypt customer data, such as credit-card information, to ensure privacy. Service providers, known as certificate authorities, or CAs, issue digital certificates to e-commerce sites. Online shoppers also have access to these certificates, which are built into most Web browsers.

Like credit cards or driver's licences, these so-called root certificates have an expiry date. And the certificates belonging to AT&T Certificate Services, GTE CyberTrust and VeriSign, Inc., which are found in some 40 million browsers, will be null and void on Jan. 1.

The glitch couldn't have come at a worse time as businesses scramble to avoid any fallout from the so-called millennium bug when some computer systems may not be able to read the final "00" in 2000. For e-tailers, digital certificate expiry could become a "public relations nightmare," says Carl D. Howe, director of corporate infrastructure at Forrester Research Inc. of Cambridge, Massachusetts.

On Jan. 1, anyone using Netscape's Web browsers up to release 4.05, or about one in four Internet users, will likely encounter a dialog box bearing the message "certificate authority is expired." Internet Explorer 3.x browsers, which also contain root certificates set to expire on Dec. 31, could be even more problematic since they do not display a warning message. Anyone using Netscape's version 4.06 browsers won't experience a problem since they contain root certificates not scheduled to terminate for another 10 or 20 years, such as the digital certificates made by Ottawa-based Entrust Technologies Ltd. that expire in 2020.

"Users are going to blame, not VeriSign, not AT&T, not Entrust; they're going to blame the online retailers for this problem," said Mr. Howe.

He recommends that e-tailers publicize, "that this is not a security or Y2K problem" and that commerce sites alert existing customers immediately via e-mail about the root certificate expiration. As well, he said, e-commerce sites should be equipped to detect a browser with the expiry-date problem, and allow customers to either download a more current browser or a corrective patch.

Alternatively, sites can go to such CAs as Entrust. This year, Entrust launched Entrust.net, an online service that delivers one- or two-year "trusted, Web-server certificates" and doesn't require e-shoppers to download a new version of Web browser, says Chris Voice, director of product management at Entrust.

-- Homer Beanfang (Bats@inbellfry.com), December 07, 1999
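
The article's recommendation that sites detect affected browsers could be implemented as a User-Agent check on a plain-HTTP page ahead of checkout. This is an added example, not part of the original post or article; the function and status names are hypothetical, and treating Netscape 4.x releases after 4.06 as unaffected is an assumption.

```javascript
// Added example, not from the article. Sample User-Agent strings in the
// comments are constructed in the historical Netscape and MSIE formats.
const STATUS = {
  WARNS: 'expired-root-with-dialog',  // Netscape up to release 4.05
  SILENT: 'expired-root-no-warning',  // Internet Explorer 3.x
  OK: 'newer-roots',                  // Netscape 4.06; later 4.x is an assumption
  UNKNOWN: 'not-covered-by-article',
};

function result(browser, version, status) {
  return { browser, version, status };
}

// The header is client-supplied: use the result only to choose which notice
// to show before checkout, never as a security decision.
function classifyUserAgent(ua) {
  if (typeof ua !== 'string' || ua.length === 0 || ua.length > 512) {
    return result('unknown', null, STATUS.UNKNOWN);
  }
  // Other browsers of the period could send MSIE-style strings; do not guess.
  if (/opera/i.test(ua)) return result('opera', null, STATUS.UNKNOWN);

  // MSIE format: Mozilla/2.0 (compatible; MSIE 3.02; Windows 95)
  const ie = /\(compatible;\s*MSIE (\d+)\.(\d+)/.exec(ua);
  if (ie) {
    const status = ie[1] === '3' ? STATUS.SILENT : STATUS.UNKNOWN;
    return result('msie', `${ie[1]}.${ie[2]}`, status);
  }
  if (/compatible/i.test(ua)) return result('unknown', null, STATUS.UNKNOWN);

  // Netscape format: Mozilla/4.05 [en] (Win95; I)
  const ns = /^Mozilla\/(\d)\.(\d{1,2})(?!\d)/.exec(ua);
  if (!ns || Number(ns[1]) > 4) return result('unknown', null, STATUS.UNKNOWN);

  // Treat the version as a decimal number (4.05 < 4.06 < 4.5) and compare
  // in hundredths: "4.5" is 450, "4.05" is 405.
  const minor = ns[2].length === 1 ? Number(ns[2]) * 10 : Number(ns[2]);
  const hundredths = Number(ns[1]) * 100 + minor;
  const status = hundredths <= 405 ? STATUS.WARNS : STATUS.OK;
  return result('netscape', `${ns[1]}.${ns[2]}`, status);
}
```

The Internet Explorer 3.x case matters most for the notice, since the article says those browsers show no warning of their own.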


Can this be fixed??

-- K. Stevens (kstevens@ It's ALL going away in January.com), December 08, 1999.
