The year 2000 has been the big concern recently, but on-line shoppers may run into one problem in the new year that actually isn’t Y2K-related at all.
And for an industry that is trying very hard to gain consumer acceptance, it could turn out to be a public relations nightmare.
The expiration of many digital certificates, or root certificates, was set to occur at midnight on New Year’s Eve. The expiration just happened to coincide with the same problematic date that has plagued people for the past few years.
For on-line shoppers, this means that a visit to a site could result in the appearance of disconcerting dialogue boxes they have never seen before.
Digital certificates purchased by e-commerce sites allow data to encrypt information between the site and the user, protecting transactions from hackers. These certificates are signed or authenticated by service providers or certificate authorities such as VeriSign Inc., Entrust Technologies, CyberTrust and AT&T Corp.
“Those root certificates are built into most browsers,” said Carl Howe, the director of corporate infrastructure at Boston-based Forrester Research Inc.
Specifically, browsers prior to Netscape Navigator’s 4.06 are affected, and Internet Explorer 3.x and earlier.
If using an older browser, a dialogue box might pop up to indicate that the certificate has expired, giving the user the option to Continue or Cancel. The problem is, said Howe, that many people don’t know what to do when that happens.
“We believe users are going to blame not VeriSign, not AT&T, not CyberTrust, not Entrust. They’re going to blame the on-line retailers for this problem,” Howe said. And thinking that the problem is Y2K related, the very first thing customers will do is “pick up their phone and call the site, thereby flooding the retailer’s voice lines at a time when they’re already pretty busy processing post-Christmas returns.”
Forrester Group’s recommendations for on-line merchants include making sure customers understand that this is not a security or Y2K problem, and that certification expiration is normal. Press releases, Howe said, would be an ideal way to get the message out, or posting a message directly on the site. E-mailing current customers about the expiration is another option.
On-line businesses should “think about employing some scripts, some basic programming code on their Web site, that can detect a browser that visits the Web site and has this problem,” Howe said. “So by inserting some extra code into the Web site it will pop up a dialogue box – ‘Your browser has an issue with certificate expiration’ – and will either suggest downloading a new browser or downloading a patch to the existing browser.”
Users should upgrade their browsers or apply a root patch if it isn’t possible to upgrade.
Richard Pendergrast is the director of information systems at Travelocity Systems. He noted his company is preparing for all the problems it knew it would have to face.
“First of all, we took a look at this problem and we took a look at our users’ browser mix and recognized that a significant percentage could be affected by this problem should they not upgrade,” Pendergrast explained. “And knowing users in general, a large percentage won’t even (upgrade) if we warn them. So we’ve chosen to switch certificate authorities.”
According to Pendergrast, customer trust is very important to Travelocity, and it does not want anyone to assume problems are Y2K or security related.
“End-users in general will be confused by such a mess and may fear our particular Web site as a result of that. We just want to make sure we manage the users’ perception and manage their ability to do business with us,” he said.
The new certificates the business has chosen to go with from Entrust Technologies will not expire until 2020, but other companies, such as Thawte Consulting Inc., are offering certificates with an expiration date of 2010.
Howe said he believes it is very doubtful that in 20 years companies will be using the same technologies to ensure users’ security, so the expiration date is not unreasonably far away.
