VeriSign root certificate expiration in Java JRE

Boris Gruschko

According to Sun Alert No. 57436 (see:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436), the
VeriSign Level 2,3 root certificates will expire on January the 7th
2004.

The implications are that signed code cannot be verified anymore and
that the JRE is not able to establish an SSL connection if the default
security provider is being used.

Maybe I am wrong, but I think that the implications of this are
somehow being overlooked by the majority of Java developers and system
administrators.

I think that there will be a tremendous number of systems which will
be affected by this expiration. The users of these systems may very
well overlook the tiny alert on Sun's site, or not even consider
looking there until January the 7th.

I would like to discuss this topic and to see my view of the
implications being proved wrong, since the implication from my point
of view is that numerous systems will fail to comply with their
duties on 7th January and will throw exceptions instead.

Especially the users of application servers who rely on handling the
SSL connections through the JSSE and do not outsource such duties to
Apache or any other HTTP server may see their machines fail.

so long...
Boris Gruschko
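A defender's check against the scenario described in the post above: list the trust anchors in the JRE's cacerts keystore that have already expired or will expire within a chosen number of days. This is an added example, not code from the thread, from Sun or from VeriSign; it assumes the default keystore location under java.home and the well-known default password "changeit".

```java
import java.io.FileInputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/** Reports trust anchors in a JRE "cacerts" keystore that are expired or
 *  expiring within withinDays. Added example; not code from the thread,
 *  from Sun or from VeriSign. Assumes the default "changeit" password. */
public class CacertsExpiryCheck {

    public static List<String> findExpiring(Path keystore, char[] password,
                                            Instant now, int withinDays) throws Exception {
        List<String> hits = new ArrayList<>();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads JKS and PKCS12 on current JDKs
        try (FileInputStream in = new FileInputStream(keystore.toFile())) {
            ks.load(in, password);
        }
        Instant horizon = now.plus(withinDays, ChronoUnit.DAYS);
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue; // skip non-X.509 entries
            X509Certificate x = (X509Certificate) cert;
            Instant notAfter = x.getNotAfter().toInstant();
            String status = notAfter.isBefore(now) ? "EXPIRED " : notAfter.isBefore(horizon) ? "EXPIRING" : null;
            if (status != null) {
                hits.add(status + "  " + alias + "  " + x.getSubjectX500Principal() + "  notAfter=" + notAfter);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Default trust store under java.home, or a keystore path given on the command line.
        Path path = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        for (String line : findExpiring(path, "changeit".toCharArray(), Instant.now(), 90)) {
            System.out.println(line);
        }
    }
}
```

Run it against each JRE an application server actually uses, since an application's own truststore (javax.net.ssl.trustStore) may differ from the JRE default.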

Sudsy

Boris Gruschko wrote:
> I would like to discuss this topic and to see my view of the
> implications being proved wrong, since the implication from my point
> of view is that numerous systems will fail to comply with their
> duties on 7th January and will throw exceptions instead.
>
> Especially the users of application servers who rely on handling the
> SSL connections through the JSSE and do not outsource such duties to
> Apache or any other HTTP server may see their machines fail.
<snip>

Before pulling a Chicken Little, let's see what Sun has to say:

"It is highly unlikely that you will encounter a web site with a SSL
server certificate that is a subordinate certificate of the expiring
Class 3 Verisign PCA root certificate. In addition, Java applications
and applets signed after August 2002 should not be signed by a code
signing certificate that is a subordinate certificate of the expiring
Class 3 Verisign PCA root certificate."

So how many sites can we realistically expect to go dark? It should
also be noted that VeriSign is only one of many root CAs. My certs
are signed by Thawte, for example.

Further, most certificates have a validity period of one year. You
have to renew on an annual basis and so will always be using the most
up-to-date root certificate available.

I would also expect that those sites affected will have received an
e-mail (or six) warning them of the implications and offering to
re-sign the certificate.

But that's just my take.

Roedy Green

> the VeriSign Level 2,3 root certificates will expire on January the 7th
> 2004.
>
> The implications are that signed code cannot be verified anymore and
> that the JRE is not able to establish an SSL connection if the default
> security provider is being used.

They made this same error before. I'd suggest giving up on VeriSign.
Try Thawte (even though VeriSign owns it). They are much better
organised and cheaper.

Hans Granqvist

> They made this same error before. I'd suggest giving up on VeriSign.

With 'they' I assume you mean Sun, since this is their mistake.
But, then, shouldn't you urge people to give up on Sun instead?
I don't understand.

> Try Thawte (even though VeriSign owns it). They are much better
> organised and cheaper.

Oh, I see, your post is about bashing VeriSign, not providing
facts. I'm sorry, my mistake. Won't happen again!

-Hans

Guest

In comp.lang.java.security Hans Granqvist said:
> With 'they' I assume you mean Sun, since this is their mistake.
> But, then, shouldn't you urge people to give up on Sun instead?
> I don't understand.

Obviously. The problem lies with VeriSign's poor planning. Sun, like a
number of other suckers^Wvendors, bought VeriSign's marketing hook, line,
and sinker. That aside, there's little utility in blaming the victim.

> Oh, I see, your post is about bashing VeriSign, not providing
> facts. I'm sorry, my mistake. Won't happen again!

The post, like many before it, points out Verislime's shortcomings.
But the facts themselves are clear enough for those who, unlike Hans,
aren't too blind to see.

<http://groups.google.com/groups?q=verislime&ie=ISO-8859-1&hl=en>

<http://www.geotrust.com/equifax/>

<http://www.sslreview.com/content/pricing.html>

...

WP

FOGAL

I work for tech support at a large bank in Australia.

We were caught completely unaware and are now inundated with calls
from concerned customers, as it closely followed a widespread fraud
issue.

Cheers
FOGAL

Andrew Thompson

| I work for tech support at a large bank in Australia.

Not S- G---g-, by any chance? I dropped their
applet a while ago after receiving some less than
convincing answers in relation to problems with it.

It seemed they did not know some very
rudimentary things about Java and applets, and
that introduced enough doubt about their
competence that I chose not to use it.

| We were caught completely unaware..

Sounding more like them by the second..

| ..and are now inundated with calls
| from concerned customers, as it closely followed a widespread fraud
| issue.

A _bank_ of all places, should be keeping
abreast of the developments in the technology
they are using.

[ It's not as if they are lacking the money
required to hire 'top-gun' programmers ]

Michel Gallant

Andrew Thompson said:
> | I work for tech support at a large bank in Australia.
>
> Not S- G---g-, by any chance? I dropped their
> applet a while ago after receiving some less than
> convincing answers in relation to problems with it.
>
> It seemed they did not know some very
> rudimentary things about Java and applets, and
> that introduced enough doubt about their
> competence that I chose not to use it.

Probably a contractor was hired to implement the Java and he/she
is long gone. One of the things enterprises have to do better is
determine their long-term support requirements for their infrastructure
and ensure they have guaranteed reliable resources to address important
issues like this.

- Mitch Gallant
MVP Security
http://pages.istar.ca/~neutron

Mickey Segal

Michel Gallant said:
> Probably a contractor was hired to implement the Java and he/she
> is long gone. One of the things enterprises have to do better is
> determine their long-term support requirements for their infrastructure
> and ensure they have guaranteed reliable resources to address important
> issues like this.

The certificate expiration issue has turned into a big fiasco:
http://news.zdnet.co.uk/internet/security/0,39020375,39118996,00.htm

"Symantec has blamed VeriSign after support forums were flooded with Norton
AntiVirus users complaining of slow and unstable computers after the latest
virus updates.

Users of the Norton products reported that their PCs locked up or slowed
down after downloading the latest virus definitions on Wednesday and
Thursday. Symantec itself reported that "after January 7th your computer
slows down and Microsoft Word and Excel will not start."

In a statement issued to address the certificate revocation problem,
VeriSign said that since 2001 it had taken steps to notify customers of the
situation and, with each communication, alert them to the expiration date
and steps necessary to obtain a new Intermediate CA."

Mickey Segal

Mickey Segal said:
> The certificate expiration issue has turned into a big fiasco:
> http://news.zdnet.co.uk/internet/security/0,39020375,39118996,00.htm
> Symantec has blamed VeriSign after support forums were flooded with Norton
> AntiVirus users complaining of slow and unstable computers after the latest
> virus updates.

Symantec is now directing users:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/2004010810205113
to download a certificate update if needed. It is not clear how relevant
this suggestion is for most people because absence of the certificates
elsewhere is often the problem. It looks like there will be a lot of finger
pointing before the dust settles and we get a sense of who messed up here.

FOGAL

No Andrew, it wasn't that bank 'WHICH' I work for. To make matters
worse, the Customer Service/Tech Support is soooo isolated from the
Techs that these issues take hours to investigate and come up with a
solution. It doesn't help being behind a really big ass firewall, so that
lowly Tech Support Officers can't research the issue themselves.

Anyway, it's the weekend now, so there will be hundreds calling us about
it Monday.

Andrew Thompson

| No Andrew, it wasn't that bank 'WHICH' I work for.

;-)

I suppose they're all as bad as one another;
I'd previously left that one!