IE and 128-bit SSL warnings

Old 05 December 2002, 04:59 PM
  #1  
stevencotton

Just a quick survey really - how many of you get warnings in older or export versions of IE saying that "The validity period of this certificate exceeds that of its certification authority" when accessing secure sites running VeriSign's 128-bit cipher? Now most of you will probably be running later browsers with the Class 3 Public Primary CA root cert installed, but I wouldn't mind knowing if it's so common it's expected or if not-so-savvy users worry about such things to the point of "going elsewhere". I know about all the "fixes", just want to know how common it is.

Cheers,
Steve.
Old 05 December 2002, 05:29 PM
  #2  
stevem2k


Might be worth checking the browser versions that are hitting the site. We checked and anything below NS6 ~ IE5.5 was negligible (like 3% of traffic).

I wouldn't worry about it, but I'd expect some users to get scared.

As an aside... have you had any stress with chained certs from VeriSign? We had loads of stress with them and IE5.5 on NT, eventually we swapped to Thawte certs.

Steve
Old 06 December 2002, 01:23 AM
  #3  
stevencotton

Some not so technical people are saying that 40% of customers are using the problematic browsers, hence the issue. In my opinion it's a non-issue since it's the client software at fault and it still operates at full encryption, but business is business and "they" don't like the warning IE shows the user.

By chained certs you mean Server Gated Cryptography? I haven't tried that yet, but it's one of the options for removing the warning. The problem I have with that without even trying it is that you're presented with an even worse-sounding error should you click on the padlock to inspect the secure session! The other option is to drop to a 40-bit cipher and quite possibly have a lot of credit card details stolen.

Cheers,
Steve.
Old 06 December 2002, 04:05 PM
  #4  
ids

Steve,

'Chained' means where the certificate has been generated by a nLevel CA - for instance have a look at the certification path on https://www.axamotor.co.uk - basically each level in the certificate tree implicitly trusts the level/CA above.

We did have this problem, and it is more than 4% hitting retail sites.

One of the other issues is that clients were using 'low encryption' versions of the OS (i.e. less than 128-bit) and as you probably know the CryptoAPI in Windows is used by all apps for this kind of thing (IE, Outlook, OX, Certificates etc) - we found that the certificates we had got generated did not have the correct flags set to allow SGC (which as you say negotiates low strength browsers, up to 128-bit SSL3 sessions).

Ids
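
Added example, not part of any post in this thread: Python code (assuming the third-party `cryptography` package) that checks the two conditions discussed above, whether a certificate's validity period runs past that of the CA that issued it, and whether it carries the SGC extended-key-usage OIDs. The certificates, names and dates are constructed for the demonstration, and reading the "flags" in the last post as these EKU OIDs is an assumption.

```python
from datetime import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# EKU OIDs marking a certificate as SGC capable (assumed to be the post's "flags").
SGC_OIDS = {"1.3.6.1.4.1.311.10.3.3": "Microsoft SGC",
            "2.16.840.1.113730.4.1": "Netscape SGC"}

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, key, issuer_cn, issuer_key, start, end, ekus=()):
    """Build a throwaway certificate for the demonstration."""
    b = (x509.CertificateBuilder().subject_name(name(cn))
         .issuer_name(name(issuer_cn)).public_key(key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(end))
    if ekus:
        usage = x509.ExtendedKeyUsage([x509.ObjectIdentifier(o) for o in ekus])
        b = b.add_extension(usage, critical=False)
    return b.sign(issuer_key, hashes.SHA256())

def period(cert):  # newer library releases expose *_utc accessors
    if hasattr(cert, "not_valid_after_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after

def validity_nests(cert, issuer):
    """False is the condition behind the IE warning quoted in post #1."""
    (c_start, c_end), (i_start, i_end) = period(cert), period(issuer)
    return i_start <= c_start and c_end <= i_end

def sgc_flags(cert):
    """Names of the SGC EKU OIDs present in the certificate, if any."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return []
    return sorted(SGC_OIDS[o.dotted_string] for o in eku if o.dotted_string in SGC_OIDS)

# Constructed sample chain: LEAF outlives the root that signed it.
ca_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
ROOT = make_cert("Constructed Root", ca_key, "Constructed Root", ca_key,
                 datetime(1996, 1, 1), datetime(2004, 1, 1))
LEAF = make_cert("shop.example", leaf_key, "Constructed Root", ca_key,
                 datetime(2002, 6, 1), datetime(2004, 6, 1))
SGC_LEAF = make_cert("shop.example", leaf_key, "Constructed Root", ca_key,
                     datetime(2002, 6, 1), datetime(2003, 6, 1), ekus=SGC_OIDS)
```

To run the same checks on a real chain, load each PEM file with `x509.load_pem_x509_certificate` and pass the pairs to `validity_nests` and `sgc_flags`.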