CA Memo

Trusted Root Certificate Authorities & Browser Compatibility Study

On behalf of the Board of Digi-Sign, The Certificate Corporation [Digi-Sign], the following General Release Document is being published as a direct reaction to recent 'information' regarding Trusted Root Certificate Authorities and Browser Compatability. This document shows the recent statements to be factually incorrect or misleading.

As a result of extensive research over a four month period, it was decided that the following interim results should be released:

• 0.2% of users worldwide still use the 7 year old IE4.0. Since January 1, 2002, support for Windows 95/IE4.0 is no longer available from Microsoft. This means no patches, no updates and no security service packs.
  
  
• Internet Explorer 4.x was developed using an 'ancient' engine and is much more friendly for hacker threats than its later versions, therefore it is no longer supported by Microsoft. This browser indicates a lot of threats to its users including:
  
  
  • Embed issue: buffer overrun, exploitable. Microsoft has issued a patch. Vulnerable: IE 4.0, 4.01 Win95/NT.

  
  

  • Buffer overrun in the OBJECT tag. Vulnerable: IE 4.0

  
  

  • Buffer overrun in the JScript external. Microsoft has issued a patch. Vulnerable: IE 4.0, 4.01 Win95/NT

  
  

  • IE can read local files. Vulnerable: IE 3, 4.0, 4.01

  
  

  • IE can read local files and spoof windows. Vulnerable: IE 4.0, 4.01

  
  

  • IE Cross-frame vulnerabilities - %01 bug again. Vulnerable: IE 5.0, 4.x

  
  

  • Favourites vulnerabilities. Vulnerable: IE 5.0, 4.x, Win9x

  
  

  • The release of IE5.0 in 1998, saw a considerable increase in Root CAs with extended expiry dates like 2015, 2020 and beyond.

  
  

• This highlights the significance of the year 1998 and the fact that most CAs, like Digi-Sign created new Roots in this year




• 87.6% of IE browsers in use are IE6.0. 12.2% continue to use IE5.x+. All of these browsers contain Digi-Sign 1998 Roots and those of other major vendors.




• Netscape & Opera represent less than 3% of users worldwide. Digi-Sign's Root CAs are comparable with those of other major vendors.




• Mozilla, at circa 10% of the world market, contains comparable Root CAs from Digi-Sign to those of other major CA vendors.

In summary, a detailed report on the interim findings from the investigation was neither required nor warranted.

IE4.0 or Netscape 3.x+ browsers are seven years old and few, if any, vendors support this ageing technology. As a security company, Digi-Sign tries to promote safe computing and internet usage in its security awareness initiatives. Encouraging users toward a more current and secure browser forms part of these initiatives.