Firewall Wizards mailing list archives
Re: Expiring root CA in web browsers --Y2K
From: neil lehrer <nlehrer () ibb gov>
Date: Fri, 26 Nov 1999 17:14:07 -0500
At least for Netscape, you can go to www.netscape.com/security/index.html?cp=hom11cnse which has info on updating your root CA certificate. I was able to update a Netscape 3.x browser this way.

don Wang wrote:
Folks,

I am not sure if this is the right place to post this message. Since you guys are security experts in general, maybe you can shed some insight, or maybe suggest a better group to post to? Thanks and happy holidays!

Don

------------------------- sorry, load of questions .... ----------------------

As many of you are familiar with this, to communicate securely with online banking sites (among others), one's browser needs to establish an SSL session with the server; certificates are exchanged, and the session is secured subsequently. A lot of companies use VeriSign server certificates, which in turn require users' browsers to have valid VeriSign/RSA Secure Server CAs (root CA). Given that old browsers, such as Internet Explorer (3.02 or older) and Netscape 4.05 or older, all carry a VeriSign root CA that expires on December 31, 1999, many users will encounter warning messages when they try to access secure servers that use a VeriSign server cert on January 1, 2000. Yes, this coincides with the Y2K issue, although it has nothing to do with the 2-digit year format.

Questions:

1. Can secure SSL sessions be established after Y2K, using the older browsers, with an expired root CA? What are the risks, if any?

2. Can one simply upgrade the root CA rather than upgrade the whole browser? This may especially make sense if one uses modem dial-up and already has a relatively recent browser, such as Netscape 4.05 Communicator. What are the implications and risks?

3. Since IE 3.02 does not warn users about the expiring CA issue, can there be a secure SSL connection? It appears to be so, even without any warning.

4. IE 4 and 5 have two VeriSign CAs, one expiring on Dec. 31, 1999, and the other in 2010. How does IE decide which root CA to use? Does it automatically switch to the valid CA? One would assume so, but I have yet to get a clear technical statement from Microsoft that this is indeed the case.

5. AOL browser: Since any version of the AOL browser encompasses more than one version of IE (e.g. AOL 4.0 can have IE versions from 3.01 to 5.0, all under the umbrella of AOL 4), how can a web server differentiate different IE versions from AOL? This is important if the secure web server decides to support only certain versions of browsers (such as IE 4 or higher).

That's all for now. Thanks again for any input you have!

Don
--
regards

Neil Lehrer
United States International Broadcasting Bureau
System Development Division
voice 202 619-2524
fax 202 619-3576
nlehrer () ibb gov

"is this crisis an opportunity or just another grab the fire extinguisher moment?"
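As an added illustration of question 4 above (a trust store holding two roots, one of which has expired), and not code from this thread or from any browser vendor: a stdlib-only Python script that decodes the X.509 Validity field of each root and keeps only the roots whose period covers the handshake time. The trust store, the root names and the DER fragments are constructed; only the expiry dates mirror those quoted in the message.

```python
# Added example (not from the thread or any browser vendor): decide which
# root CAs in a trust store are still valid at a given moment. The store is
# constructed DER Validity fragments, not real VeriSign certificates.
from datetime import datetime, timezone

def der_tlv(buf, pos):
    """Return (tag, value, next_pos) for one DER element with a short-form length."""
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def parse_time(tag, value):
    """Decode UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ).
    RFC 5280: a two-digit UTCTime year >= 50 means 19YY, otherwise 20YY."""
    s = value.decode("ascii")
    if tag == 0x17:
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:
        raise ValueError("unexpected Time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_validity(der):
    """Parse Validity ::= SEQUENCE { notBefore Time, notAfter Time }."""
    tag, body, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, nxt = der_tlv(body, 0)
    t2, v2, _ = der_tlv(body, nxt)
    return parse_time(t1, v1), parse_time(t2, v2)

def usable_roots(trust_store, stamp):
    """Names of roots whose validity covers the UTC time 'YYYY-MM-DD HH:MM:SS'.
    An empty list is the expired-root case the thread asks about: warn or refuse."""
    at = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    usable = []
    for name, validity_der in trust_store:
        not_before, not_after = parse_validity(validity_der)
        if not_before <= at <= not_after:
            usable.append(name)
    return usable

def validity(not_before, not_after):
    """Encode a DER Validity SEQUENCE from two YYMMDDhhmmssZ UTCTime strings."""
    body = b"".join(bytes([0x17, len(t)]) + t.encode("ascii") for t in (not_before, not_after))
    return bytes([0x30, len(body)]) + body

# Constructed store: two roots, one expiring at the end of 1999 and one in 2010,
# the situation the message describes for IE 4 and 5.
TRUST_STORE = [("root-1999", validity("960129000000Z", "991231235959Z")),
               ("root-2010", validity("960129000000Z", "101231235959Z"))]
```

Calling `usable_roots(TRUST_STORE, "2000-01-01 00:00:01")` returns only `root-1999`'s sibling `root-2010`, while a 1999 timestamp returns both and a 2011 timestamp returns an empty list, the condition in which a browser must warn or refuse the connection.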