Some Microsoft IE Digital Certificates Near Expiration


The digital certificate for Internet Explorer's Java 2 Runtime Environment has expired, while several more are set to lapse January 7.

Digital certificates from vendors like VeriSign let online users verify that they're dealing with real companies or persons. They also can secure all communications to and from the Web server where they're installed, via public key encryption.

Depending on who you ask, the discovery is an oversight that will cause only a minor inconvenience to IE users, or a signal that Microsoft has all but ceased browser development efforts and pays little attention to security details.

Microsoft's expired certificate for Java 2 Runtime Environment won't be renewed. According to a spokesperson at Microsoft's PR firm, as part of Microsoft's settlement with Sun Microsystems in Jan 2001, it is no longer allowed to distribute certain versions of the Microsoft Virtual Machine as of Jan. 2, 2004.

Also as part of the agreement, Microsoft has been phasing out the Virtual Machine from all of its products; it's allowed to continue releasing security fixes for the Microsoft Java Virtual Machine until Sept. 30, 2004. (In all, Microsoft has stopped downloads of 23 products, and is re-releasing another seven without the Virtual Machine.)

The other rapidly aging certificates relate to secure e-mail, code signing, client authentication and server authentication.

Joe Wilcox, a senior analyst for Jupiter Research (owned by the same parent as this Web site), exposed the problem in his Microsoft Monitor blog.

He worries that the expiring certificates are a sign that neither IE development, nor security, is a priority at Microsoft.

"Just because (Microsoft) won the browser wars doesn't mean (it) should stop innovation in the browser market," Wilcox said. "There's a real customer benefit to it, and because Microsoft integrated it into the operating system, there's an onus on the company to put more punch into its development effort."

But there's another issue that Wilcox thinks is just as serious. Call it pop-up fatigue.

"There's already a problem with consumers being assailed with pop-ups of all kinds," Wilcox said. "Now, we have yet another because of expiring certificates. It numbs consumers and creates the opportunity for them to make mistakes with pop-ups."

It's all too easy for people to start automatically clicking those 'okay' buttons, he said, even in a secure transaction setting. Taken together, it shows that Microsoft isn't as avid about security as it says it is, Wilcox said.

"Microsoft talks about taking a more serious approach," he said. "But sometimes in security it's the little details that get you. This may seem like a little detail, but this little detail can raise a big question about how seriously Microsoft treats security."

Other industry watchers are less critical of Microsoft in this instance. A spokesperson for VeriSign, which has issued about 400,000 digital certificates, said it's not that uncommon for people to forget to renew them. VeriSign lets certificate holders renew automatically as long as the certificate hasn't expired.

They can also be fixed by a patch, according to Rob Helm, research director for the analyst firm Directions on Microsoft, and Microsoft has done this in the past.

"Users who don't get the new certificates will no longer be able to verify the source of some code that they run," he said, such as controls on Web sites, signed macros in Office documents or the identity of companies running secure Web sites.

"This sounds worse than it is," Helm said. "The reality is that very few users ever check certificates when they use signed code or secure Web sites, so expiration of those certificates will have little effect on their security. Nevertheless, users will get some potentially annoying warnings and some Web site features or macros could stop working until they install the new certificates."

Helm said IE will likely be updated as part of Microsoft's regular bi-annual Service Pack update, due mid-2004. The company could update the certificates during a monthly Windows update. However, if users don't have the auto-update feature turned on, they won't know they need it.

Part of the problem is that there's often not a clear responsibility for renewing certificates. Often engineers working on the code handle the certificates, while VeriSign recommends that its customers designate a security manager to maintain all the certificate accounts.

In theory, said Internet security expert James Sinclair, the accounting department could handle renewals, but in reality, they wouldn't be aware of the need, so the task is left to engineering by default, with the CTO having ultimate responsibility.

"Microsoft is just a little too large to be able to handle the number of issues that are coming across," Sinclair said. "It was evidently just an oversight."

It's not the first time this has happened to Microsoft. According to The Register, in June 2001 the company forgot to renew one of the certificates on a secure site for purchase of pre-release software by developers. In 1999, the company issued a patch that replaced two certificates in IE 4.5 for Macintosh that were due to expire on December 31 (no relation to Y2K).

The Microsoft Security Bulletin issued at that time made the expiring certificates seem minor. "All digital certificates have an expiration date," it read. "These just happen to be expiring soon. If you visited a secure web site, you'd get a dialogue telling you that the certificate has expired. You could still choose to use the certificate anyway, if you wanted to, and could still set up a secure session."

Helm, of Directions on Microsoft, said that renewing the certificates via Windows Update rather than issuing a patch makes sense.

"No doubt, IE is much less strategic for Microsoft than it used to be. Browsers don't make any money, and, with no competitive threat on the horizon, there's not a strong business case to keep pouring money into it."
