The big concern surrounding the new year is obviously Y2K, but on-line shoppers may run into one problem in the new year that actually isn’t Y2K-related at all. And for an industry that is trying very hard to gain consumer acceptance, it could turn out to be a public relations nightmare.
Many root certificates, the digital certificates built into browsers, were set to expire at midnight on New Year’s Eve. The expiration just happened to coincide with the same problematic date that has plagued people for the past few years.
For on-line shoppers, this means that a visit to a site could result in the appearance of “scary” dialogue boxes they have never seen before.
In early December, a tele-news conference was held during which Carl Howe, the director of corporate infrastructure at Boston-based Forrester Research Inc., spoke about what the problem was, how it can be remedied, and what the damage might be for on-line retailers.
Digital certificates purchased by e-commerce sites allow the data exchanged between the site and the user to be encrypted, protecting transactions from hackers. These certificates are signed, or authenticated, by service providers known as certificate authorities, such as VeriSign Inc., Entrust Technologies, CyberTrust and AT&T Corp., explained Howe.
“Those root certificates are built into most browsers,” he said.
Specifically, versions of Netscape Navigator prior to 4.06, and Internet Explorer 3.x and earlier, are affected.
For a user running one of these older browsers, a dialogue box might pop up to indicate that the certificate has expired, giving the user the option to ‘continue’ or ‘cancel’. The problem is, said Howe, that many people don’t know what to do when that happens.
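To make the mechanism behind that dialogue box concrete, here is an added example (not from the article or from any of the vendors it names) that models only the validity-period part of certificate chain checking. Signature and name checks are left out, and the certificate subjects and dates are constructed; the point is that a chain fails as soon as any link, including the root stored inside the browser, is outside its validity window, even when the merchant’s own certificate is perfectly current.

```javascript
// Simplified model of validity-period checking during certificate chain
// validation. Constructed data; not real certificates.

// Each entry is one certificate in the chain, site certificate first, root
// last. "root: true" marks the trust anchor that lives inside the browser
// rather than being sent by the server.
const CHAIN_OLD_ROOT = [
  { subject: "www.example-shop.test", notBefore: "1999-06-01", notAfter: "2000-06-01" },
  { subject: "Example CA Root (constructed)", notBefore: "1995-01-01",
    notAfter: "1999-12-31T23:59:59Z", root: true },
];

// Same site certificate, but chained to a replacement root with a distant
// expiry, as a merchant switching certificate authorities would end up with.
const CHAIN_NEW_ROOT = [
  { subject: "www.example-shop.test", notBefore: "1999-06-01", notAfter: "2000-06-01" },
  { subject: "Example CA Root 2020 (constructed)", notBefore: "1999-01-01",
    notAfter: "2020-01-01", root: true },
];

// Returns { ok: true } when every certificate in the chain is inside its
// validity window at time `when`; otherwise { ok: false, failing, reason }
// naming the first link that fails.
function checkChainDates(chain, when) {
  const t = new Date(when).getTime();
  for (const cert of chain) {
    const notBefore = new Date(cert.notBefore).getTime();
    const notAfter = new Date(cert.notAfter).getTime();
    if (t < notBefore) {
      return { ok: false, failing: cert.subject, reason: "not yet valid" };
    }
    if (t > notAfter) {
      return {
        ok: false,
        failing: cert.subject,
        reason: cert.root ? "built-in root certificate expired" : "certificate expired",
      };
    }
  }
  return { ok: true };
}

// Turns a failed check into the kind of continue-or-cancel prompt the
// article describes; returns null when there is nothing to warn about.
function userMessage(result) {
  if (result.ok) return null;
  return `Security warning: ${result.failing}: ${result.reason}. Continue or cancel?`;
}

// Stand-alone demonstration: the same site certificate, one day apart.
console.log(userMessage(checkChainDates(CHAIN_OLD_ROOT, "1999-12-30T00:00:00Z")));
console.log(userMessage(checkChainDates(CHAIN_OLD_ROOT, "2000-01-01T00:00:00Z")));
console.log(userMessage(checkChainDates(CHAIN_NEW_ROOT, "2000-01-01T00:00:00Z")));
```

Running it shows no warning on 30 December, a root-expired warning on 1 January with the old root, and no warning again once the chain ends in the replacement root. Nothing about the merchant’s certificate changed between the first two runs, which is exactly why the article expects customers to blame the wrong party.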
“We believe users are going to blame not VeriSign, not AT&T, not CyberTrust, not Entrust. They’re going to blame the on-line retailers for this problem,” said Howe. And, he continued, thinking that the problem is Y2K related, the very first thing customers will do is “pick up their phone and call the site, thereby flooding the retailer’s voice lines at a time when they’re already pretty busy processing post-Christmas returns.”
Forrester Group’s recommendations for on-line merchants include making sure customers understand that this is not a security or Y2K problem, and that certificate expiration is normal. Press releases, or a message posted directly on the site, said Howe, would be an ideal way to get the message out. E-mailing current customers about the expiration is another option.
On-line businesses should “think about employing some scripts, some basic programming code on their Web site, that can detect a browser that visits the Web site and has this problem,” Howe said. “So by inserting some extra code into the Web site it will pop up a dialogue box, say ‘your browser has an issue with certificate expiration’, and will either suggest downloading a new browser or downloading a patch to the existing browser.”
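The detection script Howe describes amounts to a user-agent check against the versions named earlier in the piece. The following is an added example written for this page, not code from Forrester or any retailer; the user-agent strings in it are constructed samples of the era’s formats, and the notice text paraphrases Howe’s suggested wording.

```javascript
// Added example: decide whether a visiting browser is in the affected ranges
// (Netscape Navigator before 4.06, Internet Explorer 3.x and earlier) and,
// if so, return a plain-language notice instead of leaving the user with a
// raw certificate dialogue. Constructed sample user agents; not real logs.

const AFFECTED_NOTICE =
  "Your browser has an issue with certificate expiration. Please download a " +
  "newer browser, or a root certificate patch for the one you are using.";

// Parses a user-agent string of the period into { family, version }.
// Internet Explorer announced itself as "Mozilla/<n> (compatible; MSIE <v>; ...)";
// Netscape Navigator as "Mozilla/<v> [lang] (...)" with no "compatible" token.
// Versions are compared as decimals because 4.06 came before 4.5.
function parseBrowser(ua) {
  const ie = /MSIE (\d+(?:\.\d+)?)/.exec(ua);
  if (ie) return { family: "msie", version: parseFloat(ie[1]) };
  const ns = /^Mozilla\/(\d+(?:\.\d+)?)/.exec(ua);
  if (ns && !/compatible/i.test(ua)) {
    return { family: "netscape", version: parseFloat(ns[1]) };
  }
  return { family: "unknown", version: 0 };
}

// True only for the ranges the article names. Unknown browsers get no
// warning: a false positive would add to the confusion the notice is
// meant to reduce.
function hasExpiredRootProblem(ua) {
  const b = parseBrowser(ua);
  if (b.family === "msie") return b.version < 4;
  if (b.family === "netscape") return b.version < 4.06;
  return false;
}

// Text to show the visitor, or null when nothing needs to be said.
function noticeFor(ua) {
  return hasExpiredRootProblem(ua) ? AFFECTED_NOTICE : null;
}

// Stand-alone demonstration over constructed user agents.
const SAMPLE_USER_AGENTS = [
  "Mozilla/4.05 [en] (Win95; I)",
  "Mozilla/4.06 [en] (X11; I; Linux 2.0.36 i686)",
  "Mozilla/4.5 [en] (WinNT; I)",
  "Mozilla/2.0 (compatible; MSIE 3.02; Windows 95)",
  "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)",
  "curl/7.0",
];
for (const ua of SAMPLE_USER_AGENTS) {
  console.log(ua, "=>", noticeFor(ua) ? "warn" : "ok");
}
```

The check is deliberately narrow: it reports only the two version ranges the article names, and treats anything it cannot classify as fine. In a browser the same function would feed a single explanatory message on the page rather than a second pop-up on top of the certificate dialogue.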
Users should upgrade their browsers, or apply a “root patch” if it isn’t possible to upgrade.
Richard Pendergrast is the director of information systems at Travelocity Systems. He noted that his on-line company was preparing for all the problems it knew it would have to face.
“First of all, we took a look at this problem, and we took a look at our users’ browser mix and recognized that a significant percentage of our users could be affected by this problem should they not upgrade,” Pendergrast explained. “And knowing users in general, a large percentage won’t even (upgrade) if we warn them. So what we’ve chosen to do is to switch certificate authorities,” he said.
According to Pendergrast, customer trust is very important to Travelocity, and it does not want its customers to assume any problems are Y2K or security related.
“End-users in general will be confused by such a mess and may fear our particular Web site as a result of that. We just want to make sure we manage the users’ perception and manage their ability to do business with us,” he said.
The new certificates the business has chosen to go with from Entrust Technologies will not expire until 2020, but other companies, such as Thawte Consulting Inc., are offering certificates with an expiration date of 2010.
Howe said he believes it is very doubtful that in 20 years companies will be using the same technologies to ensure users’ security, so the expiration date is not unreasonably far away. Before then, businesses will probably be using whatever is new.
Chris Voice, the director of product management at Entrust, said with that much time before expiration, companies will have the chance to update root certificates and will not be caught “in the constraint where we’ve got simply a few months to get a very large deployed base on the latest browser technology.”
While he said over the next 20 years we will definitely see new technologies emerge, “what we’re (Entrust) doing at this point is making sure we give our user community and e-commerce providers sufficient margin to ensure they can transfer and transition to any new technology, again with the goal of not impacting adversely their end-users.”