From...

by Ann Harrison

(IDG) -- E-commerce sites that use digital certificates to encrypt and authenticate transactions are being warned to upgrade their server digital certificates, which are set to expire Jan. 1.

The root certificates for AT&T, GTE CyberTrust Solutions Inc. and VeriSign Inc., which have been used to sign e-commerce site certificates for the past five years, will expire New Year's Day. A Web site certificate identifies itself to the user's browser, and then a root certificate is used by the user's browser to validate the Web site certificate. Although vendors of expiring certificates have installed new root certificates and alerted commerce sites, problems could still occur. That could cause trouble for information technology teams and unnerve customers, said Carl D. Howe, research director at Forrester Research Inc. in Cambridge, Mass.

According to Howe, thousands of root certificates still must be replaced. And even if sites renew their certificates, visitors with Netscape Communications Corp. browsers prior to Communicator 4.05 may continue to see confusing warning messages. Users of Microsoft Corp.'s Internet Explorer won't see error messages. Howe noted that while users can still conduct transactions securely, they must upgrade their Netscape browsers to avoid receiving the warning on subsequent visits that the "certificate authority is expired."

Howe said customers may misconstrue the certificate warnings as a Y2K problem and flood post-Christmas customer support lines. "New Internet shoppers will phone customer support to complain or shop online elsewhere --- even though the retailer is blameless," Howe predicted.

Anil Pereira, vice president of Internet and corporate marketing at Verisign, issued a statement recommending that e-commerce vendors instruct users to upgrade their browsers. Pereira also advised e-commerce sites to delete specified root certificates from certificate authorities, back up their keys and digital certificates and test their systems with VeriSign's free testing services.

MORE COMPUTING INTELLIGENCE

IDG.net home page

Tips for safe shopping online

The Y2K silver lining

Y2K predictions

IDG.net's product reviews page

News Radio

Fusion audio primers

Computerworld Minute

Howe added that companies can also purchase equivalent site certificates from certificate authorities such as Entrust Technologies Inc., Equifax Inc. or Thawte Consulting, whose certificates expire in 2010 and 2020.

Richard Pendergast, director of Travelocity systems at Travelocity.com in Fort Worth, Texas, said his company is using the Entrust certificates to update users with Netscape browsers and new root certificates from VeriSign to update Explorer browsers 3.0 and 3.02, which don't recognize Entrust certificates.

"The customer isn't always going to understand that this problem isn't a Y2K problem or a Web site problem but a browser problem. So not to cause visitors any grief and offer uninterrupted service, we have done both," Pendergast said.