AT LARGE: I am what I am
- 04 April, 2001 15:04
There's a little bit of a "sleeper" story doing the rounds at the moment. Which is to say, a story that doesn't look like much now, but which I believe will become much bigger at some point in the future.
It's the one about how VeriSign, a company that issues digital certificates for secure online transactions, "accidentally" issued two security certificates to someone it believed was a Microsoft employee at the end of January. Very embarrassing, of course, but both VeriSign and Microsoft have issued warnings telling users to be wary of certificates that were issued on January 29 or 30 this year and to notify either company if they should happen across one. So that ought to take care of that, right?
Poppycock! Hands up everyone who is completely confident that they know how to inspect incoming files for the dates on their digital certificates. Actually, don't bother. This isn't a typical audience, and probably quite a few of you do know how to do it. Plus I can't see you anyway. If you actually did put your hand up just then, you should put it down now, and try to pretend you had a better reason to do so.
The thing is, most of the ordinary folk out there don't know how to inspect digital certificates. If they're informed by "Microsoft" via e-mail that they need to go to some Web site and download some new whiz-bangery, they'll just do it. And even if they have been alerted right now that there's a couple of phoney certificates floating about, the novelty of being paranoid about everything they download will wear off within weeks.
The truly insidious aspect of this fraud is that it plays on people's inherent trust of Microsoft. No, don't laugh. It's only meant to be a sort of half-joke. Those of us "in the know" may accuse Gates et al of every dirty trick in the book and Microsoft bashing is the first international sport originated entirely online, but that actually counts for very little.
Most people have Microsoft operating systems, Microsoft applications, Microsoft e-mail, Microsoft browsers, Microsoft mouses even. You can say over and over and over again, my friends, that this combination of products is a security nightmare waiting to happen, but people still do it. They reckon that if everything on their computer is the same brand, it will work better. And Microsoft is the biggest brand.
So they see Microsoft as a protective uncle - a Big Brother, if you will - making sure that their computing experience is as Microsoft as possible. And they sleep better knowing this. Go figure.
Just look at the number of people who forward that ridiculous e-mail about how Microsoft will pay everyone who gets this e-mail $5000 if it reaches a million people, as some kind of test of "e-mail tracking" software. People still send me that one, three years after I first received it. Forget doing the maths - $5 billion is a lot to pay for beta testing - the people who pass this on believe they are doing the right thing by Microsoft, and therefore they will be rewarded. And they assume that whatever Microsoft wants "e-mail tracking" software for, it must be benevolent and therefore it's OK to help out.
So before too long, expect a rash of people who've received an update to Windows ME, or some new device drivers, or some bit of software they don't fully understand, and it's turned out to be a virus. A particularly nasty virus, if the perpetrator has bothered to defraud VeriSign in preparation for its release. People trust Microsoft far too much for this to be prevented.
And you can expect it to be the end of VeriSign. As much as people trust Microsoft, they trust in the mysterious ways in which the Internet is made "secure" even more. E-commerce is the most incredible leap of faith since fluoridation, yet millions of people do it every day. Because they believe it is secure. Because Microsoft says it is secure. And Microsoft believes it is secure because companies like VeriSign say it is secure. And VeriSign is handing out Microsoft's digital certificates like they're candy.
If the big e-commerce companies cannot trust VeriSign, then the rest of us cannot trust the big e-commerce companies. A little more skepticism might be a handy thing, actually, but we're talking here about a complete crisis of faith.
Of course, this won't lead to the end of e-commerce as we know it. As I said before, people will forget about it in a few weeks. VeriSign will fix its processes, and all will be well.
Matthew JC. Powell was what he was, but now he's got fat. Commiserate on email@example.com