I was surfing on the web to a “secure site” on Netscape, where personal information is supposedly transmitted without interception. However, I encountered this pop-up message:
<<This site uses encryption to protect transmitted information. However one of the Certificate Authorities that identifies this site has expired. This may be because a certificate has actually expired, or because the date on your computer is wrong. Press the More Info button to see details of the expired certificate.
Certificate Authority: RSA Data Security, Inc.
Expiration Date: Fri Dec 31, 1999 >>
What exactly does this mean? Is the site no longer secure? What is a certificate authority anyway? Is this a problem with the site itself, or is it the fact that I’m using an old version of Netscape (3.0)?
Whoa. As much as I’ve studied it, I hate trying to explain PKI (public key infrastructure). Here’s a first stab (largely adapted from http://www.whatis.com):
PKI enables users of a basically unsecure network to securely and privately exchange data and money through the use of a pair of cryptographic keys obtained from a trusted authority. The public key infrastructure provides for a digital certificate that can identify an individual or an organization and directory services that can store and, when necessary, revoke the certificates.
PKI uses public key cryptography, the most common method on the internet for authenticating a message sender or encrypting a message. Traditional cryptography has usually involved the creation and sharing of a secret key for the encryption and decryption of messages. This system has the major flaw that if the key is intercepted by someone else, messages can easily be decrypted.
To answer your specific questions:
My understanding is that the Certificate Authority that (if you like) “guaranteed” the security says that the certificate they provided has expired. The guarantee of security is no longer valid. This doesn’t mean the site is insecure, though: it’s just that nobody is independently agreeing it. If it’s a reputable site it could be an oversight on their part; if it’s not someone you’re familiar with I’d look around elsewhere.
Drop them an email and ask them to investigate. If it’s an honest mistake they’ll appreciate the heads-up.
With public key cryptography, a public and private key are created simultaneously using the same algorithm (a popular one is known as RSA) by a certificate authority (CA). The private key is given only to the requesting party and the public key is made publicly available (as part of a digital certificate) in a directory that all parties can access. The private key is never shared with anyone or sent across the internet.
You use the private key to decrypt text that has been encrypted with your public key by someone else (who can find out what your public key is from a public directory). Thus, if I send you a message, I can find out your public key (but not your private key) from a central administrator and encrypt a message to you using your public key. When you receive it, you decrypt it with your private key. In addition to encrypting messages (which ensures privacy), you can authenticate yourself to me (so I know that it is really you who sent the message) by using your private key to encrypt a digital certificate. When I receive it, I can use your public key to decrypt it.
The organization that is responsible for the security measure changes the key (code, password, what-have-you) every once in a while. Why? In the wonderful world of paranoia, anybody who wants to break a key badly enough will sooner or later manage to do it. To thwart these super-bad-guys the organization occasionally changes the key.
Big surprise, nothing on your PC is worth the hundreds of thousands of dollars it would take to break the key. So, basically, any key, even an old key, is good enough. The “expiration date” is what’s called in the used car market a “scam”. The old key still works. What has “expired” is the company’s patience waiting for you to pay for another key. No kidding.
Unless you are a very high risk site, any old key is good enough. If you are a high risk site, for example, your entire business depends on secrecy, then you need to hire a security expert. Buying a new certificate would just be a Band-Aid.
That particular message and date is definitely a bug in older versions of Netscape. Netscape 3.0 wasn’t Y2K compliant (check the date) and couldn’t handle authorization dates past 12/31/99. There was probably a proper secure certificate on the site, but Netscape didn’t recognize the date.
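The date check behind a warning like the one quoted in the question, as an added example that is not part of the original thread and is not Netscape's code: every certificate in the chain, the site's own and each CA's, has to be inside its validity window at the time shown by the client's clock. Only the CA name and the date Dec 31, 1999 come from the pop-up; the host name, the other dates and the times of day are constructed.

```python
import ssl
from datetime import datetime, timezone

# Constructed chain in the date format Python's ssl module reports.
# Only the CA name and the date Dec 31, 1999 come from the pop-up quoted in
# the question; the host name, the other dates and the times of day are
# made up for illustration.
CHAIN = [
    {"role": "site", "subject": "www.example.test",
     "notBefore": "Jun  1 00:00:00 1999 GMT",
     "notAfter": "Jun  1 00:00:00 2000 GMT"},
    {"role": "CA", "subject": "RSA Data Security, Inc.",
     "notBefore": "Nov  9 00:00:00 1994 GMT",
     "notAfter": "Dec 31 23:59:59 1999 GMT"},
]


def check_chain(chain, now):
    """Return (role, subject, problem) for every certificate not valid at `now`."""
    t = now.timestamp()
    findings = []
    for cert in chain:
        if t < ssl.cert_time_to_seconds(cert["notBefore"]):
            findings.append((cert["role"], cert["subject"], "not yet valid"))
        elif t > ssl.cert_time_to_seconds(cert["notAfter"]):
            findings.append((cert["role"], cert["subject"], "expired"))
    return findings


def verdict(chain, now):
    """Summarise the findings the way a browser warning would."""
    findings = check_chain(chain, now)
    if not findings:
        return "ok"
    # A certificate that is "not yet valid" almost always means the local
    # clock is set too early. A clock set too far ahead looks exactly like
    # real expiry, so dates alone cannot tell those two cases apart.
    if any(problem == "not yet valid" for _, _, problem in findings):
        return "check the computer's date"
    return "expired: " + ", ".join(f"{role} ({subject})" for role, subject, _ in findings)


if __name__ == "__main__":
    for day in (datetime(1999, 12, 1, tzinfo=timezone.utc),
                datetime(2000, 1, 2, tzinfo=timezone.utc),
                datetime(1990, 1, 1, tzinfo=timezone.utc)):
        print(day.date(), "->", verdict(CHAIN, day))
```

With this constructed chain, a clock reading in January 2000 flags only the CA entry while the site's own certificate is still inside its window, which is the situation the pop-up describes.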