Some Web Browsers Will Display Security Certificate Error Messages After December 31, 1999

Web browser upgrades and patches that can resolve this problem
Tools that administrators of secure Web sites can use to recommend Web browser upgrades to their site visitors
Error messages that some Web browser users will see
For more information

Users of some popular Web browsers will first encounter "certificate authority expired" or "security certificate expired" error messages when connecting to certain secure Web sites on and after January 1, 2000. This is not a Y2K problem. However, this issue will also arise around the same time, and may thus be mistakenly believed to be Y2K-related.

These error messages will be displayed because certain "root" digital certificates for several prominent Certificate Authorities, which have issued site certificates for many secure Web sites, happen to expire in some widely used Web browsers at midnight on December 31, 1999:

• Netscape Navigator and Communicator versions 4.05 and earlier
  (including version 3 browsers)
  
  
• Microsoft Internet Explorer 4.5 and 4.01 for the Macintosh
  (it is unclear whether earlier versions are affected)

Estimates of the percentages of visitors to secure Web sites who use these particular browsers, and thus may be affected by this problem, range from 2 percent to 25 percent. This problem can be straightforwardly resolved by upgrading to a newer version (any version from 4.06 through 4.7) of Netscape Navigator or Netscape Communicator, or by applying a free "Internet Update" to Microsoft Internet Explorer 4.5 for the Macintosh.

Even if you use one of these affected browser versions, you will only encounter a 'certificate authority-expired'-type error message when connecting to some secure Web sites, but not to others. You'll see this error when connecting to secure Web sites that are "vouched for" by certain Certificate Authorities, whose root certificates in your browser expire on December 31, 1999. These include some - but not all - of the root certificates from AT&T Certificate Services, GTE CyberTrust, and VeriSign, Inc. (Some of VeriSign's certificates may be stored in your browser under the name "RSA".)

In addition, each browser (and in some cases, each browser version) contains a somewhat different set of root certificates. This means that, for instance, a user of Netscape Navigator 3.0x might see an error message when connecting to a particular secure Web site after December 31, 1999, while a user of Microsoft Internet Explorer 4.5 for the Macintosh might not encounter an error when doing so.

As a temporary workaround, a user of any of the affected Web browsers listed above can bypass a 'certificate authority expired'-type error message by clicking a button which will allow them to continue with their connection. They can then successfully establish an SSL encrypted session with a secure Web site. However, it is not a good idea to dismiss a security certificate-related error message. First, any such error message might reflect a genuine security risk: that private information that you will be sending via an encrypted connection, such as a password or a credit card number, might not be going where you intended. Second, ignoring security warnings is a poor security practice, one which should never be reinforced.

If you administer a secure Web site, this issue is also of concern to you. It is in your best interest that your users upgrade or patch their Web browsers so that they can access your secure Web site without encountering 'certificate authority expired'-type error messages.

Finally, it should be noted that these error messages result from a deliberate design decision on the part of Certificate Authorities, and not from any unintended "bug" or problem. As one of these Certificate Authorities, VeriSign, notes in its Periodic Root Certificate Expiration: Frequently Asked Questions :

CA Certificates are only issued for a finite period by design, because as computer technology improves, older generations of encryption technology become vulnerable due to newer, more powerful computers. ... VeriSign wants to limit the extent of older technology in circulation and to reduce the risk associated with older products being more susceptible to attack. So, VeriSign issues root certificates that expire in 5 or 10 year periods. ... the CA certificates in the Trusted Root Libraries of certain older browsers will expire on December 31, 1999. .. The Class 1, 2 and 3 PCA root certificates will expire in 2004. ... The new VeriSign RSA root certificates installed in the later-version Netscape and Microsoft browsers do not expire until 2010.

Web browser upgrades and patches that can resolve this problem

Before installing any updates or patches which may alter your computer's operating system software or application programs, and before making any changes to your critical documents (data files), be sure that you have a complete, current backup of your computer's data. For general backup advice, see the Berkeley Computing and Communications articles Ask Dr. Micro: How can I back up the files on my computer and Simplify your life with the UCBackup service .

If you are a user of one of the affected Web browsers, you can straightforwardly resolve this problem by:

• Upgrading to a newer version (any version from 4.06 through 4.7, the current version as of January 10, 2000) of Netscape Navigator or Netscape Communicator.
  
  Newer versions of Netscape's Web browser can be downloaded at no cost via the Latest Netscape Browser Software download page on Netscape's Web site or ordered (for a small fee) on CD-ROM from Netscape's Get Netscape Communicator on CD Web site. These Web browsers contain newer "root certificates" for several Certificate Authorities which do not expire on December 31, 1999.
  
  Note that Netscape offers two different options for upgrading your Web browser:
  
  
  • Netscape Communicator: a suite of programs that includes the Netscape Navigator Web browser. The latest version of this product was 4.7 (with version 4.71 expected shortly) when we last checked Netscape's Web site on January 10, 2000.
    
    
  • Netscape Navigator: a "standalone" Web browser which requires somewhat less memory and disk space than the full Netscape Communicator suite. The latest version of this product was 4.08 when we last checked Netscape's Web site on January 10, 2000.
  
  These options are described in more detail on this vendor's Netscape Communicator Product Information Web page.
  
  
• Applying an "Internet Update" to Microsoft's Internet Explorer 4.5 for the Macintosh.
  
  This Update is described on documents linked from Microsoft's Internet Explorer 4.5 home page . This Update installs new root certificates that do not expire on December 31, 1999. It also patches the 40-bit version of Internet Explorer so that it can accept version 3 digital certificates, allowing Web servers to update this Web browser "with new certificates with appropriate expiration dates." Finally, it also includes two other patches, resolving certain JavaScript errors in Internet Explorer and Outlook Express (Microsoft's e-mail program for the Macintosh) and fixing a security problem in Outlook Express.
  
  Note that there are two separate Internet Updates available. To identify which version of Microsoft Internet Explorer you're using, and hence which Internet Update is appropriate, select "About Internet Explorer..." from the Apple menu, then click the "Support ..." button. Then select one of the following options from Microsoft's Other Macintosh Downloads page:
  
  
  • An Internet Update if you have the 40-bit "International/Export" version of Microsoft Internet Explorer.
    
    or
    
    
  • A 128-bit Internet Update if you have the "128 Bit US Domestic" version of Microsoft Internet Explorer for the Macintosh. (This version offers a higher level of security and its distribution is legally restricted to the USA and Canada.)
  
  
  If you're using a PowerPC-based Macintosh and are still using version 4.01 (or earlier) of Internet Explorer for the Macintosh, you can upgrade your browser to version 4.5 and then apply the appropriate Internet Update. However, if you're using a 680x0 Macintosh, this upgrade path is (unfortunately) not available. In an e-mail message dated December 22, 1999, and titled "Internet Explorer 4.5 Security issue SPECIAL BULLETIN", Microsoft Corporation stated that:
  
  

  Microsoft will no longer offer Internet Explorer 4.01 as a download to our customers, as Internet Explorer 4.01 does not support the newer Version 3 certificates. There is no scheduled fix for Internet Explorer 4.01, although this is the last version to support 68K Macintoshes. ... For all Internet Explorer 4.01/ 68K users making secure and confidential transactions over the Internet, Microsoft recommends that you upgrade your hardware and your software.

Tools that administrators of secure Web sites can use to recommend Web browser upgrades to their site visitors

If you are an administrator of a secure Web site, you might consider using free tools from VeriSign, a prominent certificate authority vendor, on your site. These tools can help alert your site's visitors that they may need to upgrade their Web browsers in order to avoid encountering 'certificate authority expired'-type error messages. You can download these tools from VeriSign's Important Security Alert for Webmasters: Instruct Users to Upgrade Their Browsers page.

(Note that, as of December 8, 1999, these tools did not identify Microsoft Internet Explorer 4.5 for the Macintosh as a browser which also requires a patch or upgrade to avoid this problem. Perhaps this is because VeriSign's own root certificates in this browser will not expire on December 31, 1999, unlike the root certificates of some other Certificate Authorities.)

Error messages that some Web browser users will see

For Netscape Navigator and Communicator versions 4.05 and earlier

Netscape's A Message for Users of Older Versions of Netscape (pre-August 1998) page notes that, when you use Netscape Navigator or Netscape Communicator versions 4.05 or earlier (including version 3.x browsers) to connect to certain secure Web sites on or after January 1, 2000, you may encounter a dialog containing the error message:

Certificate Authority Is Expired

<Site> is a site that uses encryption to protect transmitted information. However, one of the Certificate Authorities that identifies this site has expired.

For Microsoft Internet Explorer 4.01 and 4.5 for the Macintosh

Microsoft's Internet Explorer 4.5 Security Issue page notes that, when you use Internet Explorer for the Macintosh version 4.5 to connect to certain secure Web sites on or after January 1, 2000, you may encounter a dialog containing the error message:

Unable to establish a secure connection to "<site>." There is a problem with the security certificate from that site (The identity certificate has expired.)

According to Microsoft, "the user has the option of continuing with the connection, but Internet Explorer will not display the visual cue (a lock icon will not appear) that indicates a secure connection. The user also has the option of stopping the connection."

Although Microsoft does not provide information regarding older versions of its Web browser for the Macintosh, CA vendor VeriSign notes that one or more of its own root certificates are set to expire on December 31, 1999 in Microsoft Internet Explorer 4.01 for the Macintosh.

For more information

The following Web sites provide much more detail regarding this issue:

• Generally:
  
  Pete Loshin, The Y2K Certificate Problem: Come the new year, old browsers won't work properly with online merchants
  PC World News, May 28, 1999 (a highly readable, non-technical discussion)
  
  Entrust Technologies' Root CA Expiration and Year 2000
  
  VeriSign's Periodic Root Certificate Expiration: Frequently Asked Questions
  
  
• For Netscape Navigator and Communicator versions 4.05 and earlier:
  
  Netscape's A Message for Users of Older Versions of Netscape (pre-August 1998)
  
  
• For Microsoft Internet Explorer 4.5 for the Macintosh:
  
  Microsoft's Internet Explorer 4.5 Security Issue