Netscape
Bug with MS Server
The global Internet economy knows no boundaries, except, perhaps, when it comes to cryptography. A recently discovered digital certificate bug in Microsoft Internet Information Server (IIS) causes Netscape Communicator 4.7 browsers to crash while negotiating encryption key lengths with affected Microsoft servers. Affecting both Macintosh and Windows browsers, the problem stems from a miscommunication between Communicator 4.7 and Microsoft's IIS 4.

By default, international versions of Communicator 4.7 come prepared to accept 56-bit digital certificates (American companies doing business overseas can use these certificates). But IIS 4 does not correctly support 56-bit certificates, so when Communicator tries to step up to the highest level of security (128-bit key length certificates), it simply crashes with an invalid page fault in NETSCAPE.EXE.

According to Netscape, the problem rests not with Communicator but with IIS. "What we found is that during the step up handshake IIS violates the SSL [Secure Socket Layer] 3 specification for performing this operation," explained Chris Nalls, senior product manager for client outbound marketing at Netscape. "It sends a request to communicate that's too short, which causes Communicator to crash."

Microsoft is aware of the problem and is working on either a patch or an update for IIS that will repair the communication error. "Apparently there are bugs in IIS and Netscape Navigator, and we're both working on a solution to solve this," said a spokesperson at Microsoft. "[However] the important thing to remember is that no information is exposed or unencrypted."

Upon learning of the bug, Netscape promptly updated its software to prevent Communicator from crashing. "We fixed it so Communicator doesn't crash," added Nalls. "It was a short fix (it was about 3 lines of code)." However, Nalls admits that the fix isn't perfect. "Communicator won't crash, but the connection will still fail."
Point your browser at the wrong IIS site via HTTPS and watch it melt down.

The bad news is that this new code won't be made available to the public until Netscape ships the next version of Communicator. In the meantime, users will have to contend with the fact that there are over 2.2 million IIS Web servers out there, according to Netcraft. Although not all of these utilize digital certificates, the entire number accounts for approximately 24 percent of all Web servers, as measured by Netcraft. And of all the Netscape browsers out there, Netscape estimates that over 50 percent are international versions (though it is not clear how many of those are in use overseas).

The good news is that domestic, 128-bit versions of Communicator are immune. Testing conducted at KeyLabs verifies that users (on Macintosh and Windows platforms) can work around this problem by disabling 56-bit encryption in international versions of Communicator as follows:

1. From the Communicator pull-down menu, select Tools, and then click on Security Info.
2. On the resulting web page, click on the Navigator link in the left-hand column and then select Configure SSL v3 from the right-hand pane.
3. On the subsequent pop-up menu, remove the check marks from the following two options:
   "RC4 encryption with a 56-bit key and a SHA-1 MAC"
   "DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC"
4. Click the OK button to close this window and then, from the original Security Info Web page, click on the OK button to finish.

When you're done, your cryptography settings should look like this.

To date, only select companies can establish 128-bit key length connections outside of US borders. Because of this restriction, the above solution unfortunately prevents foreign customers from using anything but the lowest level of security (40-bit key lengths). That's what Forum Financial Group discovered.
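The crash described above is a length-validation failure: a handshake message shorter than the parser expects reaches its field arithmetic. The following is an added example, not code from Netscape, Microsoft or the article, showing the defensive alternative: an SSL 3.0 ServerHello parser that bounds-checks every field and rejects a too-short message with a clean error instead of faulting. It also flags the two 56-bit cipher suites named in the workaround steps. The record and handshake framing follows the SSL 3.0 specification; the cipher-suite code points (0x0062, 0x0064) are taken from the IANA TLS registry, not from the article; the sample records are constructed inline.

```python
"""Defensive SSL 3.0 ServerHello parsing (added example, not the article's code)."""
import struct
from dataclasses import dataclass
from typing import Tuple

SSL3_HANDSHAKE = 0x16        # record-layer content type for handshake messages
SERVER_HELLO = 0x02          # handshake message type
RECORD_HEADER_LEN = 5        # type(1) + version(2) + length(2)
HANDSHAKE_HEADER_LEN = 4     # msg_type(1) + length(3)
SSL3_VERSION = (3, 0)

# IANA code points for the two 56-bit suites the article's workaround unchecks
# (values from the registry, not from the article).
EXPORT_56BIT_SUITES = {
    0x0062: "DES encryption in CBC mode with a 56-bit key and a SHA-1 MAC",
    0x0064: "RC4 encryption with a 56-bit key and a SHA-1 MAC",
}


class MalformedHandshake(ValueError):
    """Raised for short or inconsistent messages before they reach slicing arithmetic."""


@dataclass
class ServerHello:
    version: Tuple[int, int]
    session_id: bytes
    cipher_suite: int
    compression: int


def _need(buf: bytes, off: int, n: int, what: str) -> None:
    """Bounds-check a field before reading it; this is the check a crashing parser lacks."""
    if off + n > len(buf):
        raise MalformedHandshake(
            f"truncated {what}: need {n} byte(s) at offset {off}, only {len(buf) - off} left")


def parse_server_hello(record: bytes) -> ServerHello:
    """Parse one SSL 3.0 record carrying a ServerHello, validating each length field."""
    # Record layer: content type, version, 16-bit length.
    _need(record, 0, RECORD_HEADER_LEN, "record header")
    ctype, rec_len = record[0], struct.unpack("!H", record[3:5])[0]
    if ctype != SSL3_HANDSHAKE:
        raise MalformedHandshake(f"unexpected record type {ctype:#04x}")
    payload = record[RECORD_HEADER_LEN:]
    if len(payload) < rec_len:
        raise MalformedHandshake(f"record declares {rec_len} bytes, only {len(payload)} present")
    payload = payload[:rec_len]

    # Handshake layer: message type and 24-bit length.
    _need(payload, 0, HANDSHAKE_HEADER_LEN, "handshake header")
    msg_type = payload[0]
    msg_len = int.from_bytes(payload[1:4], "big")
    if msg_type != SERVER_HELLO:
        raise MalformedHandshake(f"expected ServerHello, got handshake type {msg_type}")
    msg = payload[HANDSHAKE_HEADER_LEN:]
    if len(msg) < msg_len:
        raise MalformedHandshake(f"handshake declares {msg_len} bytes, only {len(msg)} present")
    msg = msg[:msg_len]

    # ServerHello body: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1).
    off = 0
    _need(msg, off, 2, "server version")
    version = (msg[off], msg[off + 1])
    off += 2
    _need(msg, off, 32, "server random")
    off += 32
    _need(msg, off, 1, "session_id length")
    sid_len = msg[off]
    off += 1
    if sid_len > 32:
        raise MalformedHandshake(f"session_id length {sid_len} exceeds 32")
    _need(msg, off, sid_len, "session_id")
    session_id = msg[off:off + sid_len]
    off += sid_len
    _need(msg, off, 2, "cipher_suite")
    suite = int.from_bytes(msg[off:off + 2], "big")
    off += 2
    _need(msg, off, 1, "compression_method")
    return ServerHello(version, session_id, suite, msg[off])


def is_56bit_export_suite(suite: int) -> bool:
    """True for the two suites the article's workaround disables."""
    return suite in EXPORT_56BIT_SUITES


def build_server_hello(suite: int, session_id: bytes = b"", drop_tail: int = 0) -> bytes:
    """Construct a sample ServerHello record (constructed test input, not captured traffic).

    drop_tail > 0 removes that many bytes from the end of the body and recomputes both
    length fields, producing a self-consistent but too-short message of the kind a
    parser must reject rather than crash on.
    """
    body = (bytes(SSL3_VERSION) + bytes(32) + bytes([len(session_id)]) + session_id
            + suite.to_bytes(2, "big") + b"\x00")
    if drop_tail:
        body = body[:-drop_tail]
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([SSL3_HANDSHAKE]) + bytes(SSL3_VERSION) + len(handshake).to_bytes(2, "big") + handshake


def describe(record: bytes) -> str:
    """Summarise a record for a log line: the selected suite, or why it was rejected."""
    try:
        hello = parse_server_hello(record)
    except MalformedHandshake as err:
        return f"rejected: {err}"
    note = "56-bit export suite" if is_56bit_export_suite(hello.cipher_suite) else "not a 56-bit export suite"
    return f"ServerHello suite={hello.cipher_suite:#06x} ({note})"


if __name__ == "__main__":
    print(describe(build_server_hello(0x0064, b"\x01\x02")))   # well-formed, 56-bit suite
    print(describe(build_server_hello(0x0064, drop_tail=3)))  # body ends before cipher_suite
    print(describe(build_server_hello(0x0064)[:12]))          # record cut mid-handshake
```

The point of the `_need` helper is that each field is checked against the remaining bytes before it is read, so a message whose declared lengths are internally consistent but whose body ends early (the `drop_tail` case) produces a logged rejection and a failed connection, never a fault.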
With offices in America, Poland, and Bermuda, Forum Financial utilizes VeriSign's Global Site Services digital certificates to create SSL connections with both foreign and domestic clients. "We screen people up front and determine which browser they have and whether they're international. If they're using version 4.0 and above (both Navigator and Internet Explorer), VeriSign's global certificate auto negotiates up to 128-bits," said Jeff Richard, manager, Internet services at Forum Financial. "But with this problem, everyone gets stuck at 40-bit encryption."

Fortunately, today the Bureau of Export Administration at the U.S. Department of Commerce amended the Export Administration Regulations (EAR) to allow domestic companies to more freely export strong encryption. This means that vendors like Netscape may soon be able to export a 128-bit version of its browser to everyone, regardless of their nationality (except those nations deemed to be terrorist-friendly).

Until that day arrives, concerned users will have to apply their own workaround. And international businesses like Forum Financial will have to await a solution from Microsoft.