InformationWeek: The Business Value of Technology

AuthorITies:
Internet Zone

July 5, 1999

The Year 2000 Certificate Problem

By Jason Levitt

Y2K! Now that I've got your attention, let me clarify things. The year 2000 certificate problem isn't part of the year 2000 problem; that is, it's not related to poor programming practices or limitations on embedded date fields. It's just a bit of carelessness on the part of browser vendors and public key certificate providers. The problem is noncritical--no software will break, no machines will shut down--but it's still going to be an issue for the larger business-to-consumer Web sites that depend on the Secure Sockets Layer** connectivity in Netscape Web browsers. And it's certainly going to raise awareness about public key infrastructure, since the year 2000 certificate problem is really a problem with digital certificates, the core technology of PKI.
**[SSL is used to create an encrypted point-to-point link between your Web browser and a Web site. SSL is used whenever you go to a "secure" Web site, such as when you browse your account information on Amazon.com (https://www.amazon.com/exec/obidos/account-access-login). When SSL is engaged, you'll see a little padlock icon, in the lower left-hand corner of your Web browser, that's in the locked position (see Figure 1).]

Figure 1: The lower left corner of your browser shows a locked padlock when you've connected to a secure Web site using Secure Sockets Layer.

The Problem
Here's the problem: Establishing a secure connection using SSL requires that your Web browser "trust" the server to which you're trying to connect. That trust can be established because your browser comes bundled with certain certificate authority certificates.

Figure 2: Some certificate authorities that your browser trusts. This is from Netscape Navigator 4.5.

Those CA certificates let your Web browser "trust" sites that have public key certificates signed by any of those CAs. The problem is that CA certificates in certain versions of the Microsoft and Netscape browsers expire Dec. 31, 1999.***
***While certification authority certificates from VeriSign, AT&T Certificate Services, and GTE Cybertrust all suffer from the year 2000 certificate problem as described in this column, CA certificates from Thawte only have problems under certain conditions. Thawte CA certificates in the Netscape 4.0-4.05 browsers do not expire until the year 2020, so sites using Thawte don't suffer from the year 2000 certificate problem for users of the Netscape 4.0-4.05 browsers. However, users of Netscape 3.x browsers that connect to sites that use the Thawte CA certificate will hit the problem immediately, since the Thawte CA certificate in those browsers expired on July 27th, 1998.
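
As an added illustration (not part of the original column), this Python sketch audits a list of CA certificates for the expiry condition described above, using the dict layout that Python's `ssl` module returns for a trust store. The sample entries are constructed from the dates given in this column; the times of day, the day and month in 2020, and the function names are assumptions.

```python
import ssl
from datetime import datetime, timezone

def _name(cert):
    """Flatten the nested subject tuple used by the ssl module into one string."""
    return ", ".join(value for rdn in cert.get("subject", ()) for _, value in rdn)

def audit_trust_anchors(ca_certs, as_of, horizon_days=365):
    """Classify each CA certificate as 'expired', 'expiring' or 'ok' at as_of.

    ca_certs uses the layout of SSLContext.get_ca_certs(): each entry has a
    'subject' tuple and a 'notAfter' string such as 'Dec 31 23:59:59 1999 GMT'.
    Returns (name, status, days_left) tuples, most urgent first.
    """
    findings = []
    for cert in ca_certs:
        not_after = datetime.fromtimestamp(
            ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
        days_left = (not_after - as_of).days
        if days_left < 0:
            status = "expired"
        elif days_left <= horizon_days:
            status = "expiring"
        else:
            status = "ok"
        findings.append((_name(cert), status, days_left))
    return sorted(findings, key=lambda f: f[2])

# Constructed sample trust store (labels and times of day are assumptions).
SAMPLE_STORE = [
    {"subject": ((("organizationName", "VeriSign root, Navigator 3.04"),),),
     "notAfter": "Dec 31 23:59:59 1999 GMT"},
    {"subject": ((("organizationName", "Thawte root, Navigator 3.x"),),),
     "notAfter": "Jul 27 00:00:00 1998 GMT"},
    {"subject": ((("organizationName", "Thawte root, Navigator 4.0-4.05"),),),
     "notAfter": "Dec 31 23:59:59 2020 GMT"},
]

COLUMN_DATE = datetime(1999, 7, 5, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, status, days in audit_trust_anchors(SAMPLE_STORE, COLUMN_DATE):
        print(f"{status:9} {days:6d} days  {name}")
    # To audit the local machine's trust store instead:
    #   audit_trust_anchors(ssl.create_default_context().get_ca_certs(),
    #                       datetime.now(timezone.utc))
```
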

Figure 3: The Root CA certificate for VeriSign. Note that it expires Dec. 31, 1999. This is from Netscape Navigator 3.04.

Users running those browsers, and connecting using SSL, will be confronted with a cryptic warning message after Dec. 31.

Figure 4: Example of the warning message users will see on Jan. 1, 2000, if they are using Navigator 3.04 and try to connect to Amazon.com using Secure Sockets Layer.

The good news is that the public key certificate implementation in those browsers (in fact, in all 4.x and earlier Netscape and Microsoft browsers) will let you ignore the fact that the root CA certificate has expired. All the user needs to do when confronted with the certificate expiration warning message (Figure 4) is hit the "Continue" button, and the SSL connection will be established. The nut of the year 2000 certificate problem, then, is simply whether users will understand the warning message (Figure 4), or whether they will think something has gone wrong with the server.

The year 2000 certificate problem affects Netscape Web browsers, versions 4.05 and earlier.


Table 1: Affected browser matrix**

Netscape Navigator: all 3.x browsers; 4.0, 4.01, 4.02, 4.03, 4.04, 4.05

**Microsoft 3.x browsers contain expiring certificates like the affected Netscape browsers; however, the Internet Explorer 3.x browsers don't check for expiring certificates, and so no warning message will pop up for those users.

With Dec. 31 just six months away, and about 20% of all Web-browser users still using Netscape Navigator versions 3.x to 4.05 (different browser surveys come up with different percentages, but 20% is typical), business-to-consumer Web sites may want to investigate ways to avoid the year 2000 certificate problem.

The Solution
Solutions to the year 2000 certificate problem come in various flavors. The easiest solution is to convince all your users to upgrade to newer versions of the Netscape and Microsoft browsers. Those browsers contain Root CA Certificates that won't expire until 2010 or later (we hope that there aren't any users still running Navigator 4.5 or Internet Explorer 4.x in 2010, but you never know). This solution isn't practical, though, for large business-to-consumer Web sites. Those sites don't know who might be trying to connect to their site, and few are in the position to demand that users upgrade browsers. Another solution is to get users to upgrade just the CA certificates in their browser. Since most Web sites use CA certificates from either VeriSign (www.verisign.com) or Thawte (www.thawte.com), upgrading the CA certificates in your browser for VeriSign and Thawte will ensure that you can connect using SSL without getting a warning message. Again, however, upgrading those certificates is not completely trivial. Users have to download the new certificates and install them in their browsers.

Another possibility is to look into some vendors that are just getting into the certification business, and that have made cross-certification deals with Thawte that can solve the problem from the server side for Navigator 4.0 to 4.05 users (there are no server-side fixes for Navigator 3.x users). Entrust.net (www.entrust.net), a spin-off of Entrust Technologies (www.entrust.com), and Equifax Secure (www.equifaxsecure.com), a spin-off of Equifax (www.equifax.com), are offering a server-side solution in cooperation with Thawte.

Conclusion
As you can see, the year 2000 certificate problem was brought on by some carelessness on the part of browser vendors and certificate authorities. On the other hand, it should raise awareness of PKI and security issues. Users need to start being aware of certificate usage and what various warnings about security infractions can mean to them. On the downside, the problem is a fine example of what happens when tougher security techniques aren't carefully implemented. Business-to-consumer Web sites are the ones likely to be hit hardest by this problem, with higher volumes of technical-support calls and possibly even loss of sales.

