Slashdot Mirror


Verisign Certificate Expiration Causes Multiple Problems

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.
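An added example, not part of the original story: a small model of why an expired signing (intermediate) certificate breaks validation for every site certificate beneath it, and of the expiry check a monitor could run over the whole chain rather than only the site's own certificate. All certificate names and dates are constructed, except the expiry instant, which is the one quoted in the comments below (January 07, 2004 23:59:59 GMT); the replacement intermediate reusing the same subject name is an assumption of the model.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime

    def valid_at(self, at):
        return self.not_before <= at <= self.not_after


def build_path(leaf, pool, at, max_depth=10):
    """Walk issuer links from the leaf up to a self-signed root."""
    path = [leaf]
    while path[-1].subject != path[-1].issuer:
        if len(path) >= max_depth:
            raise ValueError("certificate path too long (possible loop)")
        candidates = [c for c in pool if c.subject == path[-1].issuer]
        if not candidates:
            raise LookupError(f"no issuer certificate for {path[-1].subject!r}")
        # Prefer an issuer that is valid at validation time, then the
        # longest-lived one, so a stale copy is only used if nothing else exists.
        candidates.sort(key=lambda c: (c.valid_at(at), c.not_after), reverse=True)
        path.append(candidates[0])
    return path


def path_problems(path, at):
    """Every certificate in the path must be inside its validity window."""
    problems = []
    for depth, cert in enumerate(path):
        if at < cert.not_before:
            problems.append((depth, cert.subject, "not yet valid"))
        elif at > cert.not_after:
            problems.append((depth, cert.subject, "expired"))
    return problems


def effective_expiry(path):
    """The path stops validating when its earliest-expiring member does."""
    cert = min(path, key=lambda c: c.not_after)
    return cert.subject, cert.not_after


def expiring_within(path, at, days):
    """Monitoring check: members of the path that expire in the next N days."""
    limit = at + timedelta(days=days)
    return [c.subject for c in path if at <= c.not_after <= limit]


# --- constructed sample data (not real certificates) ---
ROOT = Cert("Constructed Root CA", "Constructed Root CA",
            datetime(1996, 1, 1, tzinfo=UTC), datetime(2028, 1, 1, tzinfo=UTC))
OLD_INT = Cert("Constructed Intermediate CA", "Constructed Root CA",
               datetime(1997, 1, 1, tzinfo=UTC),
               datetime(2004, 1, 7, 23, 59, 59, tzinfo=UTC))  # instant from the thread
NEW_INT = Cert("Constructed Intermediate CA", "Constructed Root CA",
               datetime(1997, 1, 1, tzinfo=UTC), datetime(2011, 1, 1, tzinfo=UTC))
LEAF = Cert("www.example.test", "Constructed Intermediate CA",
            datetime(2003, 6, 1, tzinfo=UTC), datetime(2004, 6, 1, tzinfo=UTC))

CHECK_DAY = datetime(2003, 12, 10, tzinfo=UTC)   # a routine monitoring run
BEFORE = datetime(2004, 1, 7, 12, 0, tzinfo=UTC)
AFTER = datetime(2004, 1, 8, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    stale = [OLD_INT, ROOT]            # server still carries the old intermediate
    updated = [OLD_INT, NEW_INT, ROOT]  # replacement intermediate installed
    print("warn :", expiring_within(build_path(LEAF, stale, CHECK_DAY), CHECK_DAY, 30))
    print("stale:", path_problems(build_path(LEAF, stale, AFTER), AFTER))
    print("fixed:", path_problems(build_path(LEAF, updated, AFTER), AFTER))
```

The site certificate in the sample is in date for months after the failure; only a check that walks the full chain flags the problem in advance.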

360 comments

  1. Now I'm confused. by grub · · Score: 5, Funny


    (which may manifest itself as Microsoft Word being very slow to start)

    But.. I thought this SSL certificate expired just today..

    --
    Trolling is a art,
    1. Re:Now I'm confused. by kfg · · Score: 0, Offtopic

      Paying for non-free software is tantamount to slaves buying their own chains.

      They make me buy my own mechanics tools to fix their cars too. They said something about it being a piracy issue.

      What's with that?

      This DMCA thingy really sucks.

      KFG

    2. Re:Now I'm confused. by Anonymous Coward · · Score: 0

      SSL certificates. What is it all about... is it good, or is it whack?

    3. Re:Now I'm confused. by Anonymous Coward · · Score: 0

      lol

    4. Re:Now I'm confused. by Anonymous Coward · · Score: 0

      And what the hell is that supposed to mean?

    5. Re:Now I'm confused. by Anonymous Coward · · Score: 0
      Get on teh spoke!

      Now, beeeeotch!

    6. Re:Now I'm confused. by AKAImBatman · · Score: 1

      For me, OpenOffice starts faster on the Mac than Microsoft Office (Entourage in particular takes FOREVER). Time for an upgrade maybe?

    7. Re:Now I'm confused. by Anonymous Coward · · Score: 0

      So what is the solution for the MS apps loading slowly, anything?

      Or just time and waiting for the SSL certificate to be reissued.

    8. Re:Now I'm confused. by Anonymous Coward · · Score: 0

      It expired on January 07, 2004 23:59:59 GMT time.
      (aka. 16:59:59 EST)

    9. Re:Now I'm confused. by GreySkinnedBoy · · Score: 1

      As far as I know, it did. We were automatically alerted by SMS at 00:08 GMT this morning, so we were on the case straight away! Two of our sites were affected - we got one fixed before 8am, and the second before the end of the day. Thank you VeriSign - we don't want another day like that. The cost of real monitoring is well worth it!

  2. The reason is obvious by Anonymous Coward · · Score: 5, Funny

    In an effort to have us forget about SiteFinder, they're going for an even bigger fuck-up.

    Nice try, guys... now turn the CRL server back on.

  3. Who needs them? by TerryAtWork · · Score: 1

    There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

    --
    It's Christmas everyday with BitTorrent.
    1. Re:Who needs them? by grub · · Score: 5, Informative


      Self-signed certificates are fine for Joe-Hobby website, but when you're about to enter a credit card number online it's assuring to see that the SSL cert is signed by a real organization and not "l33t_d00d@hotmail.com"

      --
      Trolling is a art,
    2. Re:Who needs them? by djh101010 · · Score: 5, Insightful

      Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser. While this is fine for clued individuals, or internal sites and so on, things that are public-facing are more sensitive to that sort of thing.

      It galls me every time I have to give someone on the officially "blessed CA" list money to do something I can do for myself in less time, but I don't know of an alternative that allows the public users of a secure website to not get alarming messages on their browser when they try to give us money.

    3. Re:Who needs them? by winse · · Score: 5, Insightful

      unless you're an average user who doesn't read certificates anyway, and will just click yes on pretty much everything

      --
      this sig is deprecated
    4. Re:Who needs them? by John+Hasler · · Score: 5, Funny

      > ...when you're about to enter a credit card number
      > online it's assuring to see that the SSL cert is
      > signed by a real organization...

      Unfortunately, we usually have to settle for Verisign instead.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    5. Re:Who needs them? by Anonymous Coward · · Score: 0

      Yes, because stupid people exist, we shouldn't use any security at all. Nice logic.

    6. Re:Who needs them? by Roogna · · Score: 5, Insightful

      The most unfortunate thing about this is that, with VeriSign especially, I find them to be one of the _most_ untrustworthy companies on the planet (How many times have they mis-issued certificates now? And let's not forget all the screwups related to their DNS scams). So the question is, who do you go to for certificates? Can't sign your own because users may feel you're insecure (justifiable or not) and can't trust certificates from the "official" CA's, because... well that's like trusting the government to make sure you get all your tax deductions whether you knew they were owed you or not ;)

      I just really wish I could find an affordable CA that I felt was trustworthy enough themselves as to feel safe making my customers trust their certificates.

    7. Re:Who needs them? by attobyte · · Score: 4, Insightful

      I would have to say more users click on "yes" for everything. I have to reinstall several family members' computers because of spy/ad ware and a ton of other crap because they click yes to everything.

      --
      I didn't use the preview button, so get over it!!!!

      Mike

    8. Re:Who needs them? by Anonymous Coward · · Score: 1, Funny

      There's actually a good reason for that -- self-signed certs don't protect you from DNS spoofing, which is ridiculously easy to do.

      There is a way to install your home-brew cert into IE and Netscape/Mozilla. This works well for internal users.

    9. Re:Who needs them? by Psychic+Burrito · · Score: 1

      Well the question should be: Is there a community effort to provide the essentially same service for free combined with adding their basic certs to open source browsers like Moz and Konqueror?

      Because certs don't have to cost money, and the opensource community would be able to pull this off, wouldn't it?

    10. Re:Who needs them? by Anonymous Coward · · Score: 2, Informative

      Thawte - cheaper than Verisign, much easier to work with them, and will work fine in any 4.0+ browser.

    11. Re:Who needs them? by LostCluster · · Score: 5, Informative

      There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

      Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

      What good is that? Well, not much among geeks, we don't trust Verisign further than we can throw them, but we're depending on them to keep this silly DNS thing going. However, web browsers are set with a default list of trusted "Certificate Authorities" who are allowed to sign certificates. Companies who are on those lists can sign a certificate that'll work without errors, anybody else's certificate will prompt a message indicating that the name's right, the time's valid, but the issuing authority isn't on the list of authorities you trust. (You can manually add a new authority if you want... but try convincing users to do that!)

      The problem is, so many cheapskates have now signed their own certificate that the bogus authority error isn't stopping users since it's so common when nothing's really wrong. As a result, we're seeing a lot of look alike sites use SSL to get the padlock to come up, and users not being fazed by the red-flag alerts that this doesn't seem to be the site they think it is.

    12. Re:Who needs them? by KlomDark · · Score: 5, Informative

      Uh, Thawte is owned by Verisign, smart guy...

      But they are a lot cheaper for some reason... Go figure...

    13. Re:Who needs them? by Anonymous Coward · · Score: 0

      methinks your signature is a bit at odds with your post....

    14. Re:Who needs them? by wasabii · · Score: 2, Interesting

      Really the problem isn't just the message. It's the Chain Of Trust. It works as follows: Verisign only (in theory! hah!) issues certificates signed by their CA to organizations that can fax in appropriate identification. A browser "trusts" VeriSign to make proper decisions. A browser can be extended to trust other CA's, the real world problem is you can't extend every consumers browsers. Or can you? Hmm. :0 For an office, you can create your own CA, to sign other certificates. You can use this one CA, to sign all your services, web, email, etc. Then install the public key of the CA in every workstation during the installation procedure. Proper trust hierarchy... no annoying messages. That would be the point of the entire thing. It makes me wonder if you can attempt to install a self signed certificate in IE, will the user care? Is this a valid way to avoid VeriSign? You can do that by directing the user to a .crt file in IE... it will download it, and open it, and prompt the user to install it. I wonder if there is a way to make this more friendly for the user, through JavaScript for instance. "Dear Customer: you will be prompted on whether or not you trust Shopping.com's Certificate Authority to establish secure connections to our server. Accepting this is required in order to establish a secure connection to our server." I wonder if that would go over well....... seems like an easy way to escape VeriSign.

    15. Re:Who needs them? by Matrix272 · · Score: 1

      Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser.

      Damnit, I thought this new-fangled Mozilla stopped all popups?





      P.S. That was a joke....

      --
      "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
    16. Re:Who needs them? by jmauro · · Score: 1

      Thawte is also a wholly-owned subsidiary of Verisign. So if you buy from Thawte you're buying from Verisign.

    17. Re:Who needs them? by Anonymous Coward · · Score: 1, Funny

      Hey, What did I do????

      signed,
      l33t_d00d@hotmail.com

    18. Re:Who needs them? by Anonymous Coward · · Score: 0
      if you get a homebrewed certificate, IE gives you a big warning box with lots of technical words that looks scary. If you pay $50 a year for a reputable certificate, IE already recognizes the signing authority.


      If you do any amount of online sales, the cost will be more than covered by the sales you don't miss from scaring away would-be customers.

    19. Re:Who needs them? by DonGar · · Score: 1

      To do them properly, does cost money.

      In theory, the person signing your server certificate has gone to the effort to make sure that you really are who you say you are. This is the service that verisign is supposed to be providing.

      This is supposed to keep joe cracker from getting a signed certificate for "www.amazon.com", which would allow them to create a server that posed as Amazon.

      --
      plus-good, double-plus-good
    20. Re:Who needs them? by aled · · Score: 1

      Yes.

      No wait! damn, too late...

      --

      "I think this line is mostly filler"
    21. Re:Who needs them? by GreyPoopon · · Score: 2, Interesting
      well that's like trusting the government to make sure you get all your tax deductions whether you knew they were owed you or not ;)

      You AREN'T going to believe it, but when I lived in the state of Delaware, they actually did this. Granted, they didn't notify me just so they could send me more money. They sent me a letter because one of my pieces of documentation somehow never got to them. When I called to find out exactly what they were missing, they told me that I had also missed one of my deductions that I could have taken. In the end, it only amounted to about $50, so it wasn't worth it to file an amendment and chance the audit flags in the future, but I was completely shocked that they pointed my mistake out.

      --

      GreyPoopon
      --
      Why is it I can write insightful comments but can't come up with a clever signature?

    22. Re:Who needs them? by jdreed1024 · · Score: 2, Insightful
      Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

      Except the Verisign cert actually translates to "This conversation is encrypted, and I paid Verisign a bunch of money so they'd say I'm me." Verisign does fuck all for identity checking. I'm sure they'd gladly issue an SSL certificate to Santos L Halper, as long as he paid them.

      The fact is, this is a huge problem, in that you have to basically pay protection money in order to sell stuff online. SSL certificates should be available from state governments, when you get your "Permit to Make Sales at Retail" and that sort of thing. It wouldn't be that difficult to implement.

      Also, someone needs to get together and start a new, free Certificate Authority. Or perhaps a nominal processing fee, like no more than $10. They could easily get their root CA into Mozilla and the other open browsers. Netscape probably wouldn't be terribly difficult. IE would of course be nigh on impossible, but that wouldn't be too terrible, I guess. There are enough huge companies backing Free Software these days that it wouldn't be impossible to convince them to start using this new root CA. After all, a free CA is a logical next step from Free Software, in my opinion. Of course, there's the problem of how to verify that people really are who they say they are, and there's no good way to do that without at least coming in in person. Which is probably why local municipalities are a better choice. Companies have to fill out a bunch of paperwork when they want to get started in an area - it wouldn't be hard to issue certificates then.

      The problem is, so many cheapskates have now signed their own certificate that the bogus authority error isn't stopping users since it's so common when nothing's really wrong. As a result, we're seeing a lot of look alike sites use SSL to get the padlock to come up, and users not being fazed by the red-flag alerts that this doesn't seem to be the site they think it is.

      Calling them cheapskates is a bit harsh. It's like saying "those cheapskates who walked to work instead of buying a Lexus". Personally, I think they're quite right to sign their own certs, explain it to their customers, and help to undermine Verisign's "trust", since it's not really trust anyway. The problem is with the system itself, not that people don't want to prop it up.

      --
      There is no sig, there is only Zuul.
    23. Re:Who needs them? by TekPolitik · · Score: 1
      Because certs don't have to cost money, and the opensource community would be able to pull this off, wouldn't it?

      The certificates issued by VeriSign are (in principle, assuming you can trust VeriSign, which you can't) based on validated identification using real-world documents. This is done manually, and requires time, hence staff, hence money.

      Further, VeriSign has the advantage that their certificates are in Internet Explorer, which is still the dominant browser. In fact *only* VeriSign (and its turncoat subsidiary) offers ActiveX certificates with a trust-chain including a root that is in Internet Explorer. If it weren't for this advantage I'd have started a new "Thawte" myself.

    24. Re:Who needs them? by br0ck · · Score: 1

      Unfortunately, the ugly-looking security warnings are necessary with non-blessed CA certificates because the browser has no way of knowing whether you've been subjected to a Man-In-The-Middle Attack. Wikipedia has a simpler explanation.

    25. Re:Who needs them? by jlapier · · Score: 1

      I haven't tried them personally, but InstantSSL has certificates for much less than Verisign/Thawte.

    26. Re:Who needs them? by OrangeTide · · Score: 1

      We need an OS that clicks "No" on everything for you!

      It should refuse to install any software, application, webpage, bookmark, address, document, or configuration option.

      --
      “Common sense is not so common.” — Voltaire
    27. Re:Who needs them? by jalilv · · Score: 1

      Just like you sign your own SSL certificates for websites, create a CA cert of your own. Install it on (internal) user's machines. Once installed, the nag screen goes away. We do our SSL testing this way.

      Jalil Vaidya

    28. Re:Who needs them? by Anonymous Coward · · Score: 1, Insightful

      Hell, where is that l33t_d00d@hotmail.com guy? I'm starting to think he'd be a better person to have in charge of the Internet's core infrastructure than Verisign...

    29. Re:Who needs them? by R0 · · Score: 1

      Disclaimer: I haven't thought this through. How about the government organisations responsible for registering companies/charities etc. sign certificates? I would expect them to do a more thorough job of checking identity than verisign etc.

    30. Re:Who needs them? by Anonymous Coward · · Score: 0

      Wow...I must have missed that one when it happened, as did the DOJ apparently...

      For those interested in the history...

      That said, getting a cert from Thawte was much easier and cheaper than from their owner. Quicker service and less red tape.

    31. Re:Who needs them? by Anonymous Coward · · Score: 0

      Thawte is the same as Verisign in everything except their identity warranty. Verisign comes with a $10k/50k (can't remember which) insurance policy, and Thawte has none.

    32. Re:Who needs them? by badzilla · · Score: 2, Informative

      Free six-month certificates - these really work, at least for recent versions of IE. I have one installed on the SSL server in my garage. Issued by some good people in Barcelona.

      IPSCA

      --
      "Don't belong. Never join. Think for yourself. Peace." V.Stone, Microsoft Corporation
    33. Re:Who needs them? by Anonymous Coward · · Score: 2, Interesting

      Excuse me, but I work not 50 feet from VeriSign's Authentication and Verification department, and they do so much verification of businesses purchasing SSL certs that they regularly get bitched out by customers for all the information they have to provide before the cert gets issued.

      State DBs are checked, D&B is checked, and multiple phone calls are made. With the obvious exception (remember the MS code signing cert misissue? or do you even know about that, you fucking moron?) of an employee who failed to follow procedure (and was subsequently let go for it), those people work their asses off to verify identities, regularly working overtime to make sure certs are issued in a timely manner.

      In short, shut the fuck up asshole. You don't know what the fuck you're talking about.

    34. Re:Who needs them? by Ben+Hutchings · · Score: 4, Informative

      Self-certificates are worthless except when distributed through an existing secure channel. Without a proper certificate, all I know is I'm encrypting the session key with someone's public key, but I don't know whose it is. I might as well send the contents in the clear.

    35. Re:Who needs them? by Anonymous Coward · · Score: 0

      Yeah, they're so fucking dedicated that their asshole staff read slashdot all day instead of doing what they should be doing. Verislime are only one step above SCO - I wouldn't fucking interview you, much less hire you if you have that on your resume. Now fuck off and do some work, if you are able.

    36. Re:Who needs them? by Fnkmaster · · Score: 2, Insightful

      True, but there are far cheaper options still that are effectively as good for 98%+ of the web surfing population. Go to www.ev1servers.net and get a GeoTrust certificate (GeoTrust acquired the old Equifax cert business, and the Equifax root cert is in browsers going back to IE 5.0 and Netscape 4.something I believe). And ev1servers.net will sell you a $150 retail price GeoTrust cert for 49 bucks. You'd have to really want to capture the "wicked old web browsers and Windows 95" market to justify the marginal cost of a Verisign (or Thawte) cert over this (900 bucks for a 128-bit cert from Verisign... lol).

    37. Re:Who needs them? by greenhide · · Score: 2, Informative

      I haven't tried them personally

      I have, and we are now actually a reseller for them (although we only "resell" it to the people we host). ChainedSSL (Equifax in Astroturf) has been working hard to switch us over to their certificates. They're trying to spread a bunch of FUD because the InstantSSL certificates have a root that is owned by Baltimore, which has just been bought out. But InstantSSL has much better browser compatibility (something like 99% of all browsers vs. Equifax's 95%).

      They generally have very fast turn around, usually you can get the certificates that day if you have your documents in order.

      The nice thing is that once you're a reseller, you become responsible for the validity of the seller, which means that certificates are issued as soon as you submit them.

      --
      Karma: Chevy Kavalierma.
    38. Re:Who needs them? by Anonymous Coward · · Score: 0

      I'd trust a cert I signed myself wayyyyy more than one signed by some money grubbing corporation. I'm a very honest person. Most corporations and their employees are not.

    39. Re:Who needs them? by cyberformer · · Score: 2, Interesting

      Verisign once issued a certificate to a fraudster who claimed to be Microsoft, prompting MS to issue an emergency patch for even otherwise-unsupported OSs.

      If Verisign won't even bother to verify the identity of their own partner in monopoly, do you really trust them to check anyone else's?

    40. Re:Who needs them? by alex_ant · · Score: 0

      We already have an OS like that. It's called Linux

    41. Re:Who needs them? by Anonymous Coward · · Score: 3, Informative

      It is easier and less detectable to sniff a connection than it is to intercept and modify all data flowing over the connection. Thus a self signed cert is better than nothing, but it does indeed have obvious security failings.

    42. Re:Who needs them? by andyrut · · Score: 1

      You AREN'T going to believe it, but when I lived in the state of Delaware, they actually did this.

      Ditto for the Fed, as a matter of fact. I've also received a check, from the Federal IRS, when I failed to recognize one of the deductions.

    43. Re:Who needs them? by tepples · · Score: 1

      That's called a game console OS.

    44. Re:Who needs them? by Anonymous Coward · · Score: 0

      from their browser? last time I checked I was running my own browser. If those popups were so annoying, Mozilla could, say, just use a different icon for uncertified secure connections instead of prompting me each time. Now if Microsoft was making a killing on selling certificates, there might be a conflict of interest there given their effective monopoly - but I don't think that's the case yet.

    45. Re:Who needs them? by Anonymous Coward · · Score: 0

      "Also, someone needs to get together and start a new, free Certificate Authority. Or perhaps a nominal processing fee, like no more than $10. They could easily get their root CA into Mozilla and the other open browsers. "

      I agree, though for now if you shop around you can find some cheaper ones that work, like freessl.com and instantssl.com . freessl.com looks like they might be about to jack the price to $70, and that seems a common strategy -- start low and go higher as you get more established. They originally started 'free', thus the domain name. But once they get going it's like free money and hard to resist the allure. However, I think there will always be an affordable alternative. If there isn't an altruistic open source alternative there will always be some new comer like freessl.com once was trying to get on the gravy train, and the rates verisign and thawte charge make it easy for the newcomer to offer a cert at what by comparison looks like an attractive price.

    46. Re:Who needs them? by RajivSLK · · Score: 2, Funny

      P.S. That was a joke....

      Ummm, no it wasn't. You may *think* it was a joke, but trust me it wasn't.

    47. Re:Who needs them? by spike2131 · · Score: 1

      Now if Microsoft was making a killing on selling certificates, there might be a conflict of interest there given their effective monopoly

      Actually, Microsoft makes its killing by charging Verisign through the nose to have its certificate authority placed on the "trusted authorities" list that gets distributed with every copy of Internet Explorer. Verisign is only too happy to pay, as it keeps out the competition whilst allowing Verisign to pass on the cost to its customers.

      Or so I've heard...

      --
      SpyDock: Scientific Python in a Docker container
    48. Re:Who needs them? by glitch23 · · Score: 1

      I just really wish I could find an affordable CA that I felt was trustworthy enough themselves as to feel safe making my customers trust their certificates.

      I hear the USPO has a CA. I doubt that they take private CSRs to sign though but you could always ask. Might mean that stamp prices get lowered if the USPO can start making money off of signing CSRs. Btw...I found this out after seeing how many freaking CAs were listed in Netscape Admin Console for Netscape Directory Server in the SSL section.

      --
      this nation, under God, shall have a new birth of freedom. -- Lincoln, Gettysburg Address
    49. Re:Who needs them? by Anonymous Coward · · Score: 0

      signed by a real organization and not "l33t_d00d@hotmail.com".

      Dude, please don't post my email address publicly like that. Now look at all the spam I will get.

      Regards,
      AC

    50. Re:Who needs them? by berzerke · · Score: 1

      ...it's assuring to see that the SSL cert is signed by a real organization...

      Such as one who has been slapped down for sending out deceptive renewal notices (see here). <sarcasm>Well, that certainly makes me feel secure.</sarcasm>

    51. Re:Who needs them? by Anonymous Coward · · Score: 1

      Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

      You mean like "You were redirected to SiteFinder, and Verisign says SiteFinder is a good idea". When Verisign claims that you are you, I would by default assume that they are lying, until you prove that they are not.

    52. Re:Who needs them? by Anonymous Coward · · Score: 0

      Given that Verisign once issued an SSL certificate to someone who claimed to be me, using nothing more than a stolen credit card, I'm not inclined to believe you. Now get back to work on breaking the DNS.

  4. Uhm... by metrazol · · Score: 0, Funny

    ... ... ...
    HUH!?!

    And I thought I was a geek...

    What the hell does that mean, what does it do, and who do we sue for the class action lawsuit?

    --
    "Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
    1. Re:Uhm... by Anonymous Coward · · Score: 0

      actually, what is needed is the form letter that you send to your congress person demanding government action.

    2. Re:Uhm... by Neophytus · · Score: 1

      It means that verisign's root secure certificate server's certificate has expired, so expiring every certificate below it... I think

    3. Re:Uhm... by Valdrax · · Score: 3, Funny

      What the hell does that mean, what does it do, and who do we sue[...]?

      With that kind of reaction, I think you've more than proved you've got the mettle to be in management.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    4. Re:Uhm... by Anonymous Coward · · Score: 0
      That's the problem we're having: the root certificate has expired, not the intermediate one. But for everyone else the intermediate certificate has expired, so I can't convince VeriSign tech support that I have a different problem.

      Strange that a different certificate has expired on the same day, but this one is self-signed; it has to be the root. Our intermediate certificate in the chain runs to 2011 just like the new one, but the MD5 hash is different.

  5. Hmmmm... by TWX · · Score: 5, Funny

    Well, it's good to know that not only crackers or script kiddies are good at taking down Verisign's services, that their own staff is good at it too.

    --
    Do not look into laser with remaining eye.
    1. Re:Hmmmm... by Anonymous Coward · · Score: 0

      You've got to become your enemy before you can defeat him/her . . .

  6. A little testy... by tcopeland · · Score: 5, Funny
    ...from the article:


    Although VeriSign has been providing instructions on how to manually install
    the new Global Server Intermediate Root CA to all GSID customers since
    December, 2001, it is possible that some customers may not have noticed the
    reminder and are unaware of this issue.


    Heh.
    1. Re:A little testy... by schon · · Score: 5, Funny

      Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue.

      Of course they neglected to include that the notice was on display on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'

    2. Re:A little testy... by Walterk · · Score: 1

      Well, in all fairness, that is the Customer Notice area. I do hope you're referring to the one on Alpha Centauri?

    3. Re:A little testy... by Atrahasis · · Score: 1

      No, that's Arthur Dent's local council's customer notice area. The light was gone. So were the stairs.

  7. Hrm by Judg3 · · Score: 1, Redundant

    which may manifest itself as Microsoft Word being very slow to start

    So I take it this has been a problem with Word for the past 10 years or so? Or did you mean "Microsoft Word being even SLOWER to start"?

    --
    Looking for hardware (Currently need: Large Etch-a-Sketch) Have one? See my journal!
  8. hmmm by Anonymous Coward · · Score: 0

    that's kind of funny...i just checked my router logs right before coming here and noticed a request for crl.versign.com...thanks for the explanation before i even had a chance to ask!

  9. Use Openoffice by majorluser · · Score: 1, Funny

    Well that answers a lot of questions.. My M$ Word has been working terribly, however I thought that was status quo..

    1. Re:Use Openoffice by Anonymous Coward · · Score: 0

      You mean "Use OpenOffice.org" or "Use OOo" ... saying "Use Openoffice" is rather meaningless. (Hint: The product is called OpenOffice.org, not Openoffice... don't believe me? check their website. Now what would that be .... hmmmm....)

  10. A Slashdot First by Pave+Low · · Score: 0, Flamebait
    We had to do a little sleuthing today.

    Maybe if the slashdot editors did more of this regularly, then you would have less dupes, misleading stories, and spelling/grammar errors.

    I hope this is a start of a trend.

    --
    SIG:Slashdot: indymedia for nerds.
    1. Re:A Slashdot First by Anonymous Coward · · Score: 0

      They wouldn't have had to do any "sleuthing" if they had read any of the numerous emails regarding it that Verisign sent out to all their customers. All of our clients received them and took care of it BEFORE it broke. Just another example of a bad sysadmin!

  11. If people are getting errors coming to your site.. by nharmon · · Score: 5, Informative

    saying that your certificate is expired or not yet valid...except that it is...you need to go here.

  12. But... by JoeShmoe950 · · Score: 0, Troll

    Do they run linux? j/k

  13. Progress by Patrik_AKA_RedX · · Score: 5, Funny
    they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site
    They DOSed their own site? Damn, they've made script kiddies obsolete.
    1. Re:Progress by donutz · · Score: 1
      they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site


      They DOSed their own site? Damn, they've made script kiddies obsolete.

      Nah, they're just lifting plays from the SCO playbook. They'll be blaming Linux users for the DOS soon.
    2. Re:Progress by Archalien · · Score: 1

      Verisign is doing Script Kiddie jobs in-house?

      Next thing you know businesses will be out-sourcing these valuable Script Kiddie jobs to India too.

      America, protect our last remains of the Child Workforce!

      (seriously though, who can imagine anything called a "sweatshop" running off of scripts?)

    3. Re:Progress by Anonymous Coward · · Score: 0

      Nothing like taking out the middleman to streamline your business model.

  14. Huh? by Anonymous Coward · · Score: 0

    "Many readers wrote in with problems..."

    So Slashdot editors will give us tech-support too?

  15. Duke Nukem by pantycrickets · · Score: 5, Funny

    and if you have other apps with problems, please post about them below.

    I can't get the DOS version of Duke Nukem to run in Windows XP. Is this at all somehow related? Is there a fix??

    1. Re:Duke Nukem by Anonymous Coward · · Score: 0

      "...Is there a fix??"

      Yeah, you need to uninstall Windows.

    2. Re:Duke Nukem by Anonymous Coward · · Score: 0

      I sincerely hope that you are kidding. If not please keep in mind that DOS/Win9x programs will often times be incompatible with NT variants (xp included) due to significant differences between these families of operating systems. DOS emulation is possible using DOSBox (sorry, no link, browse sourceforge) so perhaps that will allow you to play your game or other DOS programs.

    3. Re:Duke Nukem by Valegor · · Score: 2, Informative

      I have installed and still occasionally play the dos version of Duke Nukem(and of course doom) on an XP machine. I just had to change the compatibility mode on the executable. Compatibility mode is the only reason I upgraded to XP from 2000.

    4. Re:Duke Nukem by Electrum · · Score: 1

      I can't get the DOS version of Duke Nukem to run in Windows XP.

      Duke3d_w32

    5. Re:Duke Nukem by pantycrickets · · Score: 1

      Duke3d_w32 is a port of Duke3d to the Win32 platform.

      Hehe, that's pretty cool actually. Duke Nukem was a pretty fun game. I think my all time favorite DOS FPS though was probably Rise Of The Triad. That game was great.

    6. Re:Duke Nukem by Politburo · · Score: 1

      Compatibility mode exists in Windows 2000, unless you meant to imply that compatibility mode works better in XP. I have not used it in XP and cannot comment on that, but have had a low rate of success using it in win2k.

    7. Re:Duke Nukem by Exiler · · Score: 0

      Duke Nukem wasn't an FPS, it was a side scroller.

      --
      Banaaaana!
    8. Re:Duke Nukem by netsharc · · Score: 1

      Actually, one of MS's boasting points for XP is that it's more backwards compatible, even for ancient DOS programs.. it's one of the things they added to Windows 2000 to make XP.

      --
      What time is it/will be over there? Check with my iPhone app!
    9. Re:Duke Nukem by jez9999 · · Score: 2, Interesting
    10. Re:Duke Nukem by Anonymous Coward · · Score: 0

      Rise of the Triad...
      for Linux!
      (and Win32, and OSX)
      Even DreamCast

      http://icculus.org/rott/

      nice gamingtime :)

    11. Re:Duke Nukem by Anonymous Coward · · Score: 0

      You get the same compatibility blaah-blaah for Windows 2000 with a Service Pack.

      Absolutely no reason to use a FUBAR operating system just for that. Stick to w2k.

    12. Re:Duke Nukem by zerocool^ · · Score: 1

      From the DOSBox faq:

      Game X doesn't Run?
      Shit happens, wait for another version.


      Wow. Although, that's fairly typical of a lot of sourceforge projects. But, come on, guys? A little politeness goes a long way.

      --
      sig?
    13. Re:Duke Nukem by pantycrickets · · Score: 1

      Duke Nukem wasn't an FPS, it was a side scroller.

      Yeah, and Golden Eye was a movie, not a video game. But if you were talking about "playing golden eye on the nintendo 64", a person who responded "Golden Eye is a movie, not a game" would look like a bigger jackass than the first guy.

      But yeah, I've played the original Duke Nukem.. I never liked it.

    14. Re:Duke Nukem by wishus · · Score: 1

      Wow. Although, that's fairly typical of a lot of sourceforge projects. But, come on, guys? A little politeness goes a long way.

      I can't say I blame them. "Bug Reports" and "Feature Requests" from users are almost never polite. Here you are, giving away your code for the common good, and all the users do is whine and complain. The only group worse than the Mac users is the university professors.

      You're right, they could be more polite - but knowing where they're coming from, I can't say I blame them.

    15. Re:Duke Nukem by Anonymous Coward · · Score: 0

      Actually, Duke Nukem was both. :-)

    16. Re:Duke Nukem by zerocool^ · · Score: 1

      ok, i'll agree to that.

      I just hate being an end user and being taken for granted, or assumed to be stupid (university professors do this, too).

      ~Will

      --
      sig?
    17. Re:Duke Nukem by TrancePhreak · · Score: 1

      DOSBox is very slow. It's nice that it's free, but I can't run software intended for a 12mhz machine on my P3-1gHz. I doubt he'd be able to run Duke Nukem with decent performance.

      --

      -]Phreak Out[-
    18. Re:Duke Nukem by Anonymous Coward · · Score: 0

      Try running it on Linux. There's a great port for it on http://www.icculus.org

    19. Re:Duke Nukem by TrancePhreak · · Score: 1

      The idea was that I didn't have to close down Windows to run the games. Linux is a no go for that purpose. Virtual PC runs a little faster than DOS Box, so I suspect something can be done to speed it up... What that is, I have no clue. If I was going to install another OS to play these games, I'd just dual boot Win98SE/XP or something and run it on an OS that can handle it directly.

      --

      -]Phreak Out[-
    20. Re:Duke Nukem by Valegor · · Score: 1

      You get the same compatibility blaah-blaah for Windows 2000 with a Service Pack.

      Absolutely no reason to use a FUBAR operating system just for that. Stick to w2k.


      XP is not "FUBAR" unless of course you are referring to the home edition. Yes you can get compatibility mode on 2000 if you install Service Pack 3 (not sure about 4), but I refuse to install Service Pack 3 because I don't care for the licensing agreement with it (same reason the company I work for has refused to install it). Also, as a previous post mentioned, it does not work as well on 2000 as it does on XP. If I had to guess I would say that it has to do with it being slapped on as opposed to being built in, but I am not a programmer. XP has its quirks, and takes much longer to adjust all the settings, but once it is running I have few complaints about it. It's no Slackware, and it took me a long time to come around to not hating it, but it is a good OS.

  16. Fixed this today... by heironymouscoward · · Score: 4, Informative

    On one of our customers' systems (IIS). Turns out they had already installed the new Verisign intermediate certificate but had not removed the old one. IIS happily used the old one...

    Lesson: if the certificate expired yesterday, remove it from IIS and then reboot the thing.

    --
    Ceci n'est pas une signature
    1. Re:Fixed this today... by Soko · · Score: 4, Funny

      One fix up to this:

      Lesson: if the certificate expired yesterday, remove IIS and then reboot the thing.

      HTH. HAND.

      Soko

      --
      "Depression is merely anger without enthusiasm." - Anonymous
    2. Re:Fixed this today... by nettdata · · Score: 5, Funny

      Or, in the case of MS:

      Lesson: If __________________, reboot the thing.

      --



      $0.02 (CDN)
    3. Re:Fixed this today... by Penguinshit · · Score: 1



      Reboot == PC_Panacea

    4. Re:Fixed this today... by Vengeance · · Score: 1

      Actually, I think they screwed it up like this:

      if (lvbShouldReboot);
      reboot();

      Those semicolons will get you every time.

      --
      It was a joke! When you give me that look it was a joke.
  17. Round Robin? by Stonent1 · · Score: 1

    Does nobody use DNS Round Robin?

    1. Re:Round Robin? by AKnightCowboy · · Score: 1
      Does nobody use DNS Round Robin?

      Well, people that don't have proper load balancers do. Why do you ask?

    2. Re:Round Robin? by pacman+on+prozac · · Score: 1

      The DNS held up it was the cert revocation server at crl.verisign.com that died.

  18. Yeah, because we all know by Anonymous Coward · · Score: 0

    StarWrite is breaking speed records.

  19. Norton Anti-virus and word by Anonymous Coward · · Score: 0

    which may manifest itself as Microsoft Word being very slow to start

    Sounds like your Norton is functioning normally. Perhaps it may have been more accurate to say 'slower.' Or even 'slower than the interminably long slow you may be used to in a Norton product.'

    1. Re:Norton Anti-virus and word by Airconditioning · · Score: 1

      My PC may run slower but at least I know that the virus scanner is working! Better than the alternative.

  20. Heh. by American+AC+in+Paris · · Score: 4, Funny
    We had to do a little sleuthing today.

    In other news, Microsoft, Red Hat, Oracle, Sun, and Apple had to do a little coding today.

    Rumors abound that Arnold Schwarzenegger had to do a little governing today, but these allegations remain unconfirmed at this time. More at eleven.

    --

    Obliteracy: Words with explosions

    1. Re:Heh. by Kris_J · · Score: 1

      I think you mean "governatoring". Ahh-nahld is the Governator.

    2. Re:Heh. by gad_zuki! · · Score: 1

      > Arnold Schwarzenegger had to do a little governing today

      Sure did! College costs 10% more and grad school costs 40% more in Cali now.

      No car tax means you can afford to drive to your permanent McJob now!

    3. Re:Heh. by ectoraige · · Score: 1

      You know, for a news site, you'd expect them to do a little sleuthing *the whole damn time*...

      --
      Vs lbh pna ernq guvf, ybt bss abj. Tb bhgfvqr. Syl n xvgr.
  21. You asked for it... by Black+Parrot · · Score: 1


    > if you have other apps with problems, please post about them below.

    How 'bout if I just give you a link to Bugzilla?

    --
    Sheesh, evil *and* a jerk. -- Jade
  22. null routing Certificate Revocation List Server. by Dengue · · Score: 5, Insightful

    I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS. As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI) by making the revocation lists unavailable. Without CRL checking, Verisign certificates have no inherent integrity advantage over self-signed certificates. This is what we pay for?

    Non-authoritative answer:
    Name: crl.verisign.net
    Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
    198.49.161.200, 198.49.161.205, 198.49.161.206
    Aliases: crl.verisign.com

    --
    Go figure.
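The check below is an added example, not part of the original comment or of any Verisign tooling: it parses the nslookup answer quoted in the comment above, separates the private (RFC 1918) addresses from the publicly routable ones, and estimates how long a client walking the list can stall before it reaches a live CRL server. The function names and the 21-second connect timeout are assumptions.

```python
import ipaddress
import re

# nslookup answer as quoted in the comment above (taken from the page).
NSLOOKUP_ANSWER = """\
Non-authoritative answer:
Name: crl.verisign.net
Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
198.49.161.200, 198.49.161.205, 198.49.161.206
Aliases: crl.verisign.com
"""

LABELS = {"name": "name", "address": "addresses",
          "addresses": "addresses", "aliases": "aliases"}


def parse_nslookup(text):
    """Parse an nslookup answer into name, addresses and aliases.

    Address lists may wrap onto continuation lines that carry no label,
    as in the quoted output, so the last seen label stays in effect.
    """
    record = {"name": None, "addresses": [], "aliases": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, rest = line.partition(":")
        key = LABELS.get(label.strip().lower()) if sep else None
        if key:
            current, value = key, rest
        elif current:
            value = line              # unlabelled continuation line
        else:
            continue                  # header such as "Non-authoritative answer:"
        items = [v for v in re.split(r"[,\s]+", value.strip()) if v]
        if current == "name":
            record["name"] = items[0] if items else None
        else:
            record[current].extend(items)
    return record


def is_unroutable(address):
    """True for addresses a host on the public Internet cannot reach."""
    ip = ipaddress.ip_address(address)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast)


def longest_dead_run(addresses):
    """Longest run of consecutive unroutable entries, treating the list
    as circular because round-robin DNS rotates the starting point."""
    flags = [is_unroutable(a) for a in addresses]
    if all(flags):
        return len(flags)
    best = run = 0
    for dead in flags + flags:
        run = run + 1 if dead else 0
        best = max(best, run)
    return best


def audit(text, connect_timeout=21.0):
    """Summarise how the answer affects a client fetching the CRL.

    connect_timeout is an assumed per-address TCP connect timeout in
    seconds; substitute the value your client stack actually uses.
    """
    record = parse_nslookup(text)
    addrs = record["addresses"]
    dead = [a for a in addrs if is_unroutable(a)]
    return {
        "name": record["name"],
        "aliases": record["aliases"],
        "routable": [a for a in addrs if not is_unroutable(a)],
        "unroutable": dead,
        # Share of lookups whose first address is a dead end.
        "dead_first_fraction": len(dead) / len(addrs) if addrs else 0.0,
        # Worst stall for a client that tries addresses one after another.
        "worst_case_stall_s": longest_dead_run(addrs) * connect_timeout,
    }


if __name__ == "__main__":
    for key, value in audit(NSLOOKUP_ANSWER).items():
        print(f"{key}: {value}")
```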
  23. Saw this last night by gazuga · · Score: 2, Interesting

    I noticed the problem last night while paying my credit card bill online. Got a warning from IE that the site's certificate had expired. I was a little confused because the date for my CC company's cert was indeed valid. I thought it was just IE being stupid, but it makes sense now.

    --
    "I turn away with fright and horror from the lamentable evil of functions which do not have derivatives."
    1. Re:Saw this last night by Anonymous Coward · · Score: 0

      Haha. You use IE.

    2. Re:Saw this last night by Necrobruiser · · Score: 2, Interesting

      I had the same problem. When I called the customer support line to pay over the phone instead, I told the lady on the other end of the line that she may want to have someone let their IT guys know there was a problem with the certificate. She told me there was nothing wrong with the website, and that it must be my computer because she had "paid her bill online earlier in the day." I assured her that it was not my computer.
      By sheer coincidence, I had called to pay off and close my account (about $3000.) I think she thought she had really pissed me off when I closed the account!

      --
      "I planned within my means and got a fixed rate mortgage, so where's MY bailout?" -cafepress
  24. Windows Explorer by thedillybar · · Score: 4, Informative
    I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.
    As the article states, this also resolves to some unroutable IPs:
    198.49.161.205
    198.49.161.206
    10.0.0.1
    10.0.0.2
    10.0.0.3
    64.94.110.11
    198.49.161.200
    Windows Explorer also appears to freeze (at least temporarily) if a firewall (or presumably a lack of Internet connection) prevents this from being made. It's possible, however, that if crl.verisign.com will not resolve, it will not freeze as it will if it resolves but cannot connect. Unfortunately, this is still a problem even if you have an Internet connection because of the stability (or lack thereof) of the Verisign site.
    1. Re:Windows Explorer by mgpeter · · Score: 1

      I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.

      Now let me get this straight, even if you are not using a web browser, or doing anything related to the Internet, this still happens ?

      Who in the heck does Microsoft have coding their products ? And what else does Windows XP do without your knowledge ?

    2. Re:Windows Explorer by Politburo · · Score: 2, Informative

      I've never heard of this, and wouldn't trust only one post on slashdot to prove it to me, like you just did.

    3. Re:Windows Explorer by Politburo · · Score: 1

      Having more information, this does seem to be a problem, but I cannot reproduce it (I have the offending option on), possibly due to the firewall here.

    4. Re:Windows Explorer by Zloopy · · Score: 2, Informative

      Did a little test and came up with this:

      When right-clicking on a directory in Explorer, the hour-glass shows up for like 10 seconds, and the firewall complains about Explorer wanting to access the internet. Turning it off, I notice that a connection to 64.94.110.11:80 is made.

      That IP resolves to:
      Search results for: 64.94.110.11

      Internap Network Services PNAP-05-2000 64.94.0.0 - 64.95.255.255
      VeriSign/Network Solutions PNAP-LAX-VERISI-RM-13
      64.94.110.0 - 64.94.110.255

      If I turn off Check for revocation in IE Advanced settings, the delay is gone and nothing shows up in the connection log.

    5. Re:Windows Explorer by Anonymous Coward · · Score: 0

      If you believe your Windows Explorer right-click problem has anything to do with Verisign, you should not be allowed to use sharp objects...

    6. Re:Windows Explorer by asdfghjklqwertyuiop · · Score: 1

      The linked article says that this was an intermediate certificate that expired. Only the top level certs are stored in the web browser. Or does IE store or cache these intermediate ones or something?

      It would make sense if it only hung while connecting to an ssl web site whose cert's trust path contains the expired intermediate cert....

    7. Re:Windows Explorer by Mr_Silver · · Score: 1
      I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.

      I noticed this yesterday on my Win2k machine. Occasionally the dialer would appear asking me if I wanted to connect to the internet.

      How did you stop it doing so? My PC is no-where near a phone line so I can't get it to dial up.

      --
      Avantslash - View Slashdot cleanly on your mobile phone.
    8. Re:Windows Explorer by Gambit+Thirty-Two · · Score: 1

      For this, go into IE. Tools/Internet Options. Connections tab, Then "Setup" to go through the wizard.

      "I want to set up my Internet connection manually.."
      "I connect through a LAN"

      This'll make it look for a network card and not the modem. no more "wanna dial out?" windows.

  25. Fee was too high by sphealey · · Score: 4, Funny
    I bet their CFO wouldn't approve payment of Verisign's tremendously high fee to renew the certificate. "'Highway robbery,' he fumed. 'We aren't paying that fee!'".

    sPh

  26. You mean they didn't... by ricochet81 · · Score: 3, Funny

    route the traffic to some "SiteFinder service"?

    --
    Error: Id10t detected
  27. VeriSign is lame by Anonymous Coward · · Score: 5, Insightful

    It is stupid for VeriSign not to have taken the steps necessary to keep their CRL available under these conditions seeing that they get paid a lot of money to do only 2 things:

    1) Be trustworthy
    2) Be competent

    1. Re:VeriSign is lame by Anonymous Coward · · Score: 0

      and all being competent would have taken would have been to stagger the expiration date over two or three months.... or know FOR SURE that they had the bandwidth to handle the massive load on expiration day.

    2. Re:VeriSign is lame by TekPolitik · · Score: 1
      [Verisign] get paid a lot of money to do only 2 things: 1) Be trustworthy; 2) Be competent

      It's a shame they have never been able to do either one of these then isn't it?

  28. Final Fantasy XI by Anonymous Coward · · Score: 0

    I had an SSL error last night while trying to access Extra's in the Play Online Browser used for Final Fantasy 11. I guess this could explain it.

  29. Slow Word by Anonymous Coward · · Score: 0

    Flame away, but what can I do about it? I heard from some people in my office that Word is running slow. (something about scanning for viruses). I assume it is because of Norton Antivirus (I don't specifically know what they are using out there). Is there something I have to do? Or am I stuck until Norton is fixed?

    1. Re:Slow Word by dablob · · Score: 2, Informative

      To get Word and Excel to start working again:

      Open Nortons Control Panel - this might take
      a few minutes while it is broken but it
      will come up eventually. Under the Miscellaneous
      Section of Anti Virus, deselect the Enable Office
      Plug-in.

      That will not fix any general slowness in Norton,
      but it will allow you to read your Word/Excel
      documents.

    2. Re:Slow Word by Anonymous Coward · · Score: 0

      That is so funny, I was wondering why the heck word and excel all of a sudden started to take forever to boot. Thanks for the tip.

  30. Verisign sucks by Anonymous Coward · · Score: 0

    To KEEP the server down, you should have linked to it in the story. Hah!

    (being anti-Verisign is still cool, rite guys?)

  31. Set the clock back by SuperDry · · Score: 1

    Setting the clock back a day will "fix" the problem until a more permanent solution is posted.

    1. Re:Set the clock back by Neophytus · · Score: 1

      and any postings you make to usenet or emails you send won't be seen because they appear a day back in the inbox

    2. Re:Set the clock back by jridley · · Score: 1

      There's already a solution posted. There's been an updated version of the root certificate available from Verisign for quite a while, it's just that many admins didn't bother to install it.

  32. Also problems with Oracle by jgerry · · Score: 2, Informative

    Well, not the Oracle database directly... But Oracle sent out a memo that certain Oracle products (Oracle Wallet Manager, in particular) would simply cease to function properly until the user upgraded their Verisign certificate(s).

    I can't find ANY info on Oracle's website about this, though. The memo was sent to Oracle Premium Support customers but I don't know if the info has been generally distributed.

    Woops!

    1. Re:Also problems with Oracle by Anonymous Coward · · Score: 0

      Oracle has posted information about this on their support site, metalink.oracle.com.

      Check out Metalink doc #260332.1

    2. Re:Also problems with Oracle by BMarkmann · · Score: 3, Informative

      It can be found here.

  33. Oracle notified me of this yesterday... by Perrin7 · · Score: 3, Informative

    I received the following email yesterday: Oracle Corporation has been notified by Sun that the set of VeriSign Class 2 and Class 3 Certificates used in Oracle products will be expiring on January 7, 2004. Please review MetaLink Doc 260332.1: Expiration of VeriSign Class 2/Class 3 Certificates on Jan 7,2004 for detail information.

  34. problems by chunkwhite86 · · Score: 4, Funny

    ...if you have other apps with problems, please post about them below.

    Well, now that you mention it, my mother hasn't been able to print for a week, my uncle's PC keeps running checkdisk on startup, and I'm having trouble compiling kernel 2.6.0.

    Oh yeah, and Unreal 2k3 has crappy frame rates on the 'Antalus' level, but maybe that's just my old ti4200 card.

    Um. I think that's it for now. So when are you going to help me with these?

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    1. Re:problems by tx_kanuck · · Score: 2, Funny

      1)Install the print driver...

      2)Remove Windows

      3)Post your error messages, and you might get help (but not likely)

      4)And last but not least, buy a better video card.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
    2. Re:problems by Anonymous Coward · · Score: 0

      my dog died, my fridge isn't set correctly any more, the weather is too cold here. my car has been making funny noises, i kan't spel wort a ship, and my wife is leaving me. ... well i guess that last one isn't such a bad problem as the others... can i blame Verisign for those too?

  35. This would be a great opportunity... by greg_barton · · Score: 1

    If you have to upgrade and you're running Java on a Linux system that also runs RPM, why not head over to JPackage and download the spec for the 1.4.2_03 SDK? It would be a great opportunity to run an LSB compliant Java installation and support a fantastic open source project.

    1. Re:This would be a great opportunity... by Trejkaz · · Score: 1

      So was it actually fixed in 1.4.2_03? That version has been out for quite a while now.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    2. Re:This would be a great opportunity... by greg_barton · · Score: 1

      That's what the resolution to the Sun alert notification says...

    3. Re:This would be a great opportunity... by Trejkaz · · Score: 1

      Interesting. So companies did know about this in advance. It's just certain users didn't upgrade. Some by choice, some by force... personally Gentoo doesn't want me to install 1.4.2_03 yet, so I guess they might have to be jabbed to unmask that package.

      BTW.. that JPackage project... what pathnames does it give for the things it extracts? I'm curious because Gentoo uses a certain path which I've come to use for my development and it would be a nice coincidence if all the LSB drones happened to have the same path to their JAR files.

      To give you an idea of Gentoo's layout, the JAR file for JDOM is in /usr/share/jdom/lib/jdom.jar.

      Though the cool thing about Gentoo is it provides java-config so I just have to type java-config -p jdom and it dumps out the appropriate classpath. Tasty... I just wish LSB or someone would standardise a command like that for everyone's sake.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
    4. Re:This would be a great opportunity... by greg_barton · · Score: 1

      For the most part jars are put in /usr/share/java. Links to specifically versioned jars are put there too.

      i.e.

      $ ls /usr/share/java/jdom* -lh
      -rw-r--r-- 1 root root 123K Mar 27 2003 /usr/share/java/jdom-1.0.jar
      lrwxrwxrwx 1 root root 12 Oct 31 15:47 /usr/share/java/jdom.jar -> jdom-1.0.jar

      For complete packaging guidelines, see their policy.

      I've never used Gentoo or java-config, but JPackage provides similar sounding scripts: build-classpath, build-classpath-directory, and build-jar-repository.

  36. AIM? by Anonymous Coward · · Score: 0

    AOL IM has been acting really strange today, I'm not sure if it's related...

    1. Re:AIM? by Anonymous Coward · · Score: 0

      AIM has been acting really strange since the beginning.

  37. What are you talking about? by Pieroxy · · Score: 5, Funny

    Unless you have a P75, I don't see what you are talking about. MSWord has always started in less than 3 seconds on my system (PIII 700) and I can tell you that sometimes it is terribly bloated (My system, not Word).

    Wait, did I just admit running Windows on slashdot? Bye bye Karma.

    1. Re:What are you talking about? by whoever57 · · Score: 1

      Install Acrobat (not just the reader) and then see how quickly (slowly) Word starts!

      --
      The real "Libtards" are the Libertarians!
    2. Re:What are you talking about? by Anonymous Coward · · Score: 0

      Don't fucking blame it on Word then!

    3. Re:What are you talking about? by pclminion · · Score: 1
      Don't fucking blame it on Word then!

      Wait a second. You're saying that if a user installs some unrelated piece of software and that causes Word to break, that's not Word's fault?

      I also suppose that if you were to buy a bicycle and put it in your garage, and that caused your car to stop functioning, you wouldn't blame the car manufacturer?

      Twit.

    4. Re:What are you talking about? by Anonymous Coward · · Score: 0

      Am running on a P-III-1000 (1G) (Mobile) with a 1.1Mb two-way SDSL link.
      Fully defrag'ed disk, have 7 gig free out of 22 gig partition.

      System is dual boot between Suse and WinXP...running WinXP booted native.
      Have 512M physical memory (current 356M committed, peak has been 481M), so
      the 512M fixed size page file shouldn't be a big issue (it is also defrag'ed).

      Word (2002) takes 25 seconds from click till it can accept text.

    5. Re:What are you talking about? by MattCohn.com · · Score: 1

      If you were to buy a bicycle, have it work fine, buy and install training wheels, and then have the bike fall apart afterward, you'd blame it on the bike, wouldn't you?

      Bigger twit.

    6. Re:What are you talking about? by Gunzour · · Score: 1

      A more appropriate analogy would be if you bought a bicycle and put it in your garage, and that caused your car to no longer fit in your garage. The problem is the garage is too small. In this analogy, the garage is the OS. If installing one piece of software breaks another, the problem is not with either piece of software, it is with the OS.

    7. Re:What are you talking about? by Pieroxy · · Score: 1

      Wait a second. You're saying that if a user installs some unrelated piece of software and that causes Word to break, that's not Word's fault?

      Well, I can build a software that will break any application on any OS. As long as the installer has the right privileges. And that would be true for 95% of the apps on 95% of the OSes. So well, I guess you would blame ALL APPLICATIONS, because mine is breaking them.

      I also suppose that if you were to buy a bicycle and put it in your garage, and that caused your car to stop functioning, you wouldn't blame the car manufacturer?
      You got the wrong analogies. If I was to buy a bicycle and attach it to the back of my car. Then I would notice that my gas consumption has dramatically increased, then no, I wouldn't blame it on the car manufacturer. Even if my "enhanced car" (ie: a car that could lead me on small trails with the embedded bike) doesn't respect the manufacturers promises anymore.

    8. Re:What are you talking about? by Pieroxy · · Score: 1

      Then you have a problem. I just started Word and here is my config:

      1. PIII 700
      2. never defragged my HDD, ever.
      3. 413 MB of memory used, 256MB of memory installed
      4. Network is irrelevant, I don't know why you felt you had to notice it. Anyways, I also have a 1.1Mbps DSL, 128k upload
      5. I have some apps running: Tomcat, seti, cygwin, xfree86, 7xterms, Outlook, Mozilla, 2xIE, MozillaMail, jEdit (bloated java-based text editor), Psi, MSN Messenger, McAfee Guardian, VNC Server, WinAmp, VShield.
      6. I have not used word in the last 48 hours.
      7. My system has been up for several months.

      Total: 4 seconds. Started when I clicked the icon in the start menu, ended when I started my first letter. Word 2000 though.

      I seriously suggest you check your system for something wrong. Or maybe you roll back your Office 2002 install, if 2002 is the problem.

    9. Re:What are you talking about? by Anonymous Coward · · Score: 0

      413 MB of memory used, 256MB of memory installed

      Skill.

    10. Re:What are you talking about? by leonard_chung · · Score: 1

      This is a really poor analogy and understanding of the problem. Acrobat actually installs a Word plug-in (PDFMaker) and macros which run when Word starts up if you do a full install. This is similar to when Acrobat reader hangs when viewing a PDF in IE and takes out the IE instance.

    11. Re:What are you talking about? by Anonymous Coward · · Score: 0

      All right, now remove all of the Office start-up crap on boot and try again. Either that, or add your boot-up time to the Word start-up time. See, some of us don't like having Office suck up all of our RAM when we're not using it.

    12. Re:What are you talking about? by Anonymous Coward · · Score: 0

      I'd also like to point out that when my system is idle, it has about 160 megs of RAM used, and little more than a hundred just after boot-up. Maybe turning off the Office boot-up crap will reduce your memory consumption.

      Of course, my linux machine boots to about thirty megs, and ups to maybe 80 after the windowing environment comes up....

    13. Re:What are you talking about? by Pieroxy · · Score: 1

      Skill.

      That's called a swap file. ;-) The real skill is in the O.S. ;-) ;-)

    14. Re:What are you talking about? by Pieroxy · · Score: 1

      All right, now remove all of the Office start-up crap on boot and try again.
      I don't have that.

      Either that, or add your boot-up time to the Word start-up time.
      Yes, that would make it pretty slow. But I guess you would have to add this time to EVERY application startup, right? How can you start an application without the OS first? Maybe I should add the BIOS boot time too, and the time I spent building the computer, installing the O.S., earning the money to buy it, learning my job to earn this money... Well, finally if we add-up all that, 30 years was about the time it took to start Word after all.

      See, some of us don't like having Office suck up all of our RAM when we're not using it.
      If you think I have ANY KIND of office startup, you are really silly. Would I post a comment about Word startup time if I had Office preloaded? I guess you can find anything on slashdot.... so that wouldn't be so surprising after all.

      But no, I don't have Office preloaded on any of my computers.

    15. Re:What are you talking about? by Anonymous Coward · · Score: 0

      Try again. Search through your registry. You'll be surprised what gets loaded into memory without your knowledge.

    16. Re:What are you talking about? by hardcode · · Score: 1

      Word? Oh I get you, one of those vi clones...

    17. Re:What are you talking about? by Pieroxy · · Score: 1

      And what should I look for exactly?

  38. Verisign isn't the only game in town by justMichael · · Score: 4, Informative

    I use Instant SSL cheap, good service and I haven't seen any compatibility issues.

    1. Re:Verisign isn't the only game in town by OrangeTide · · Score: 3, Insightful

      "Trusted by 99.3% of current Internet users"

      now is it just me or is that a funny statistic?

      "...conducting sub $50 transactions (for sites conducting higher value transactions please see InstantSSL Pro or PremiumSSL certificate types)."

      I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

      What if I'm selling bumper stickers for $5. and some user wants to buy all 12 of the kinds I have? Or is it only per item? If so. I could sell ICs for $1.75 each and just sell them in lots of 50,000 to OEMs.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:Verisign isn't the only game in town by justMichael · · Score: 3, Informative

      "Trusted by 99.3% of current Internet users"

      Nope, it's a funny number, but it seems to be some kind of industry norm.

      I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

      Actually you don't. What this does is provides a sort of insurance to the consumer. See here.

      It's just peace of mind for the consumer, that says that if I/you rip them off as an InstantSSL customer, InstantSSL will guarantee any fraudulent transaction up to the amount of your cert.

    3. Re:Verisign isn't the only game in town by Tet · · Score: 1
      "...conducting sub $50 transactions (for sites conducting higher value transactions please see InstantSSL Pro or PremiumSSL certificate types)."

      I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

      So don't. Their "sub $50 transactions" is mostly marketing blurb, in the hopes of persuading companies to buy one of their premium certificates instead. There's nothing to say you can't use it for higher value transactions, and in fact we use several of them, and yes, our transactions are typically a couple of orders of magnitude higher than $50. The only difference is the level of insurance they offer to the customer in the event of a fraudulent site using one of their certificates.

      --
      "The invisible and the non-existent look very much alike." -- Delos B. McKown
    4. Re:Verisign isn't the only game in town by OrangeTide · · Score: 1

      Ah! That's very interesting! I could advertise the warranty to persuade customers to use my site (at least up to the amount I insured it for).

      I think you were right. InstantSSL is a good deal:) Thanks

      --
      “Common sense is not so common.” — Voltaire
    5. Re:Verisign isn't the only game in town by justMichael · · Score: 1

      Glad to help, I initially learned about them on /. about a year and a half ago.

      Also if you get the Pro or Premium you get the TrustLogo, just hover your pointer over the logo and it tells you who you are dealing with.

      It also has stats so you can see if anybody bothers to look that close. (now I need to go check out my stats), the percentage is pretty low, but it's cheap enough that if it saves one sale it's covered itself.

    6. Re:Verisign isn't the only game in town by Anonymous Coward · · Score: 0

      Keep in mind that most(all?) credit card transactions are already covered so that the customer is only liable for $50 anyways.

    7. Re:Verisign isn't the only game in town by harlows_monkeys · · Score: 1
      It's just peace of mind for the consumer, that says that if I/you rip them off as an InstantSSL customer, InstantSSL will guarantee any fraudulent transaction up to the amount of your cert.

      Hmmm...so if I'm going to try to get a fraudulent certificate out of InstantSSL, I can be nice and pay more to get a warranty to help the people I'm going to rip off with it?

      I wonder how many scammers are nice and go for the more expensive certificate?

  39. Re:If people are getting errors coming to your sit by hawkbug · · Score: 1

    I did go there.... I don't have the line SSLCACertificateFile in my httpd.conf file... So, I'm afraid this page hasn't helped me much today. Should I have that directive in my conf file?

  40. Workaround to Explorer problems by BigJavaGeek · · Score: 5, Informative

    Because of the crl problems, Explorer has been acting slowly doing some seemingly unrelated activities. Copying or right-clicking on folders often is followed by a several second hang. To workaround, deselect "Check for publisher's certificate revocation" under the Advanced setting for IE (even though it is not IE running, that's where the setting should be changed). After this, no more Explorer hangs. Hope this helps someone. If you know why Explorer is checking crls for anything when doing a copy operation on files, please post.

    1. Re:Workaround to Explorer problems by BigJavaGeek · · Score: 1

      I noticed problems first doing some packet captures (as some of my usual work) with requests going to verisign for CRLs. I knew IE had settings for checking cert. revocation, so I gave it a try. Got lucky on this one...

    2. Re:Workaround to Explorer problems by Politburo · · Score: 1

      I have this option set to on, but cannot reproduce your results. This may be due to the firewall here, but based on what I've been reading, that shouldn't be affecting things.

    3. Re:Workaround to Explorer problems by Jeff+DeMaagd · · Score: 1

      I guess Microsoft's tight browser / OS integration attempts backfired on them again.

      That is pretty retarded.

    4. Re:Workaround to Explorer problems by JoeShmoe · · Score: 4, Informative

      I think you missed something in the blurb about this problem. The problem is Norton Antivirus, not Explorer. Norton is probably doing some kind of check on its virus signature files by validating their signature. This function is probably being handled by IE as the default browser function, which is getting hung up on the unroutable revocation site.

      So, to clarify, when you try to do a file operation, like copy, Norton intercepts the operation so it can check the file for a virus, then gets itself held up while waiting for IE to tell it if the signature is valid so it can check for that virus. End result is that Explorer never gets an answer from Norton and the operation hangs. Ditto for Word and other applications Norton watches closely.

      I too had this same problem on one of two Dell laptops. One used the default McAfee ScanShield that came with it, the other had been reloaded with Norton Anti-Virus. That machine had all sorts of crazy errors, such as Word hanging during opening, hanging when you right-clicked a file, hanging when you tried copying files.

      The system also had ooodles of pending updates from Microsoft that had been downloaded but not installed. I'm willing to bet one of them was a root server update or similar. Of course, the problem could be on Norton's end, meaning they need to update the security cert on their server? I'm not sure exactly how it works.

      - JoeShmoe
      .

      --
      -- I wonder which will go down in history as the bigger failure: the War on Drugs or the War on Filesharing
    5. Re:Workaround to Explorer problems by netsharc · · Score: 1

      It's a speculation, but because of the "server-client" mode of (Windows) Explorer, could it be that even the local machine is a server, and Explorer checks its certificate as well?

      With server-client I mean, we can see Windows Explorer is flexible enough to do file exploring, ftp, www and samba. It says at the bottom right of the status bar, what sort of "web content zone" we are in. ftp and www are usually "Internet Zone", but it can also be, like Samba, "Local Intranet". The local computer is "My Computer". Maybe it just does certificate checking for all of them? Although for the local computer it should just do a local check, maybe your certificate is broken, so that it connects to the net and tries to look it up there?

      I have Windows 2000, and a week ago everything did slow down in a way that I've never before seen, but a reboot fixed it.

      --
      What time is it/will be over there? Check with my iPhone app!
    6. Re:Workaround to Explorer problems by RobertB-DC · · Score: 1

      To workaround, deselect "Check for publisher's certificate revocation" under the Advanced setting for IE

      I've done it... I'd noticed some short hangs, too.

      But I wonder, what was this option intended to accomplish? How often does company X register a certificate, then revoke it at some future date?

      I can't see any danger I'll be causing myself -- I rely on a site's reputation more than the security certificate details, anyway. Any "gotcha!s" I should watch for?

      --
      Stressed? Me? Of course not. Stress is what a rubber band feels before it breaks, silly.
    7. Re:Workaround to Explorer problems by ciroknight · · Score: 1

      But on the contrary, Internet Explorer IS running. Just take a look one day at the similarities between the Explorer, and the Internet Explorer. I think you will find that they are one and the same. This is Microsoft's reason for not being able to remove Internet Explorer from Windows. Now the question remains of why they weren't forced to remove the desktop icon for IE. The DOJ really dropped the ball for us here..

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    8. Re:Workaround to Explorer problems by kbk7173 · · Score: 1

      The whole reason for the revocation is to handle the problems where an unauthorized party gets a certificate. For instance, if I get one for amazon, I can set up my server and then re-direct their traffic to it. (This is more possible if you are attempting to take over a small section of the world, like a corporate lan with its own dns server.) However, when verisign discovers their mistake, they will revoke my certificate, effectively ruining all of my hard work.

    9. Re:Workaround to Explorer problems by ceswiedler · · Score: 1

      That slowdown has been causing me to pull out my hair for many months on my laptop. I use right-click all of the time, and for quite a while I had five-second delays before the popup menu would appear. Many thanks!

      To anyone else: if you don't use IE, but do use right-click menus in Explorer, I would recommend disabling the crl option.

      In a related note: does anyone know why deleting a single file sometimes takes thirty to sixty seconds? It's obviously not disk-io time. Does it have to do with the Recycle Bin, or is NTFS updating weird indexes?

    10. Re:Workaround to Explorer problems by cmgnp · · Score: 1

      I did the same thing, then found this and have since rechecked it ... https://getca.verisign.com/update.html this is the new certificate so you don't have to run IE in an unsecure manner....

  41. Customer Service? by WndrBr3d · · Score: 1

    We've purchased our SSL Certs from VeriSign for the last four years. We didn't receive a single email from them EVER saying that our clients' users (over 10,000 a day) might see this because of their cert expiring.

    What a crock.

    1. Re:Customer Service? by TekPolitik · · Score: 1
      We've purchased our SSL Certs from VeriSign for the last four years. We didn't receive a single email from them EVER saying that our clients' users (over 10,000 a day) might see this because of their cert expiring.

      Neither did we. Then again, we block email from VeriSign to avoid their spam, so that's hardly surprising.

    2. Re:Customer Service? by grendelkhan · · Score: 1

      We just renewed a batch last month and they didn't mention squat to us.

      The worst part was a box that started spitting this out last night that I inherited with no documentation, and no idea how the thing was configured. I've spent all day with the vendor having them fill in the holes in their documentation and get the damn thing back up and running.

      --
      Wu-Tang Name: Half-Cut Skeleton Get your own Wu-Na
  42. Re:Duke Nukem (Forever!) by paulthomas · · Score: 2, Funny

    I hear that to get it to work with XP you need to upgrade to Duke Nukem Forever.


    *ducks*

  43. Re:null routing Certificate Revocation List Server by MCZapf · · Score: 1

    Not only that, but doesn't this open up a security whole? Someone could setup a fake server at one of those internal addresses.

  44. so my revoked certificates will still work? by Jonny+Royale · · Score: 1

    If the CRL is no longer working, does this mean that my revoked certificates are still going to work?

  45. Re:null routing Certificate Revocation List Server by davidstrauss · · Score: 3, Funny
    I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS.

    I think it beats another new "helpful" feature like "CRL Finder."

  46. Re:null routing Certificate Revocation List Server by FattMattP · · Score: 1
    As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI) by making the revocation lists unavailable.
    I didn't realize there was any trust left in Verisign after the stunt they pulled with Sitefinder.
    --
    Prevent email address forgery. Publish SPF records for y
  47. Hmm, explains problem with MMORPG by Deaden · · Score: 1

    I was helping a friend get set up last night to play Final Fantasy XI and he kept getting SSL failures when setting up an account. I couldn't figure out what the hell was wrong but this would explain it. You would think they would have dealt with this earlier. Seems a lot of companies are getting caught unaware. Luckily we updated our webservers already last month when we got the letter.

    1. Re:Hmm, explains problem with MMORPG by shadowcabbit · · Score: 1

      I noticed this last night, too, but I believe SE fixed it with the latest PlayOnline update. I haven't been conscious long enough to check, but we'll see.

      --
      "Why Subscribe?" Good question...
  48. Unroutable, schmunroutable by marnanel · · Score: 4, Interesting

    Unroutable addresses? Anyone on private corporate networks which are large enough to use 10.0.0.0/8, who are unfortunate enough to have been allocated the IP addresses 10.0.0.{1,2,3}, may be experiencing a little more network load than usual today as every machine in the place tries to query them.

    --
    GROGGS: alive and well and living in
    1. Re:Unroutable, schmunroutable by afidel · · Score: 1

      Fortunately those addresses will usually be used for core routers that can take and brush off the extra traffic =)

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:Unroutable, schmunroutable by /dev/trash · · Score: 1

      I use 10.0.0.x and I only have 4 nodes.

    3. Re:Unroutable, schmunroutable by ciroknight · · Score: 1

      Actually.. the whole education department of the state of Kentucky runs under a 10.0.0.0/8 network, and we don't seem to have that big of a problem with any load at all.. of course, we have a lot of dns servers (one in every district) and domain controllers (AD network *rolls eyes*), so if they woulda put any thought behind it, probably shouldn't have been a problem... *besides, they probably use 10.0.0.0/8 to break down via department (for example, all of the school districts in kentucky have their own 10.x.x.x block usually... and in fact, I believe our district alone is allocated 10.16.x.x through 10.18.x.x, and we barely have 600 machines....)*

      --
      "Victory means exit strategy, and it's important for the President to explain to us what the exit strategy is." G.W.Bush
    4. Re:Unroutable, schmunroutable by REBloomfield · · Score: 1

      erm... I hope you're not being serious... these addresses aren't actually routable to by the rest of the public IP range. Someone sat on 66.121.53.2 cannot connect to 10.0.0.1 unless it happens to be part of their internal network and the routing tables are set thus...

    5. Re:Unroutable, schmunroutable by marnanel · · Score: 1

      Yes, I'm serious. Suppose someone's on a large private network which uses 10.0.0.0/8. Even though their address isn't routable by the public Internet, there could be tens of thousands of hosts on the private network which can route to it just fine-- some private networks are *huge*.

      --
      GROGGS: alive and well and living in
  49. Its happening on most servers. by Steepe · · Score: 5, Informative

    Very nice of them to.. I don't know.. let someone know before today. We spent a ton of staff time this morning trying to figure out why we could connect to our servers but not the payment engines via ssl. 4 hours later we figured it out.

    Couple of nice links.

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436
    http://www.verisign.com/support/vendors/exp-gsid-ssl.html

    --
    Just three more hours seapeople and you can finally take me away from this crappy God Damned planet full of hippies
    1. Re:Its happening on most servers. by netsharc · · Score: 1

      So... I wonder how many e-shops lost business because of this fiasco? Indeed, why is a very important infrastructure of the net that businesses rely upon so they earn their customers' trust and money, being handled by those idiots?

      --
      What time is it/will be over there? Check with my iPhone app!
  50. Interesting side effect... by Anonymous Coward · · Score: 1, Informative

    If you have enabled "Make this directory available off-line" in W2K or later, Windows will try to access the crl server whenever you delete a file... thus adding to the self-DDOS.

  51. My question... by MisanthropicProggram · · Score: 1
    how the fuck did you figure this out? What made you go into that dialog and un-check it to make things go faster?

    I tried it and things really sped up for me. This is one the reasons why I hang out here on /. - it's not for the abuse ... well, sometimes it is.

    --

    There is no spoon or sig.

  52. Re:null routing Certificate Revocation List Server by KlomDark · · Score: 2, Informative

    Depending on how you have your server configured, it either means you are accepting revoked certificates, or are UNABLE to accept ANY certificates.

    The default for some web servers is that if the CRL is unavailable, it will reject ALL presented certs.
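The two outcomes comment 52 describes (and comment 44 asks about), as an added example that is not part of the original thread or any vendor's code: a revocation checker with a bounded fetch timeout, run once with a hard-fail and once with a soft-fail policy while its CRL server goes dark. It goes slightly beyond the comment by also showing the cached list answering until its nextUpdate; the URL, serial numbers, dates and class names are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Callable, Dict, FrozenSet, Optional


class Policy(Enum):
    HARD_FAIL = "hard-fail"  # no usable CRL: reject every certificate
    SOFT_FAIL = "soft-fail"  # no usable CRL: accept, revoked certificates included


class Verdict(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    REJECTED_UNKNOWN = "rejected, revocation status unknown"
    ACCEPTED_UNKNOWN = "accepted, revocation status unknown"


@dataclass(frozen=True)
class Crl:
    revoked_serials: FrozenSet[int]
    next_update: datetime  # after this instant the list must not be relied on


class CrlChecker:
    """Looks up a serial in the issuer's CRL, caching the list until nextUpdate."""

    def __init__(self, fetch: Callable[[str, float], Crl], policy: Policy,
                 timeout_s: float = 2.0) -> None:
        self._fetch = fetch
        self._policy = policy
        self._timeout_s = timeout_s  # bounded, so a dead server cannot stall the caller
        self._cache: Dict[str, Crl] = {}

    def _usable_crl(self, url: str, now: datetime) -> Optional[Crl]:
        cached = self._cache.get(url)
        if cached is not None and now < cached.next_update:
            return cached
        try:
            crl = self._fetch(url, self._timeout_s)
        except OSError:  # covers timeouts and unreachable or refusing hosts
            return None
        if now >= crl.next_update:  # server handed back a stale list
            return None
        self._cache[url] = crl
        return crl

    def check(self, serial: int, url: str, now: datetime) -> Verdict:
        crl = self._usable_crl(url, now)
        if crl is None:
            if self._policy is Policy.HARD_FAIL:
                return Verdict.REJECTED_UNKNOWN
            return Verdict.ACCEPTED_UNKNOWN
        return Verdict.REVOKED if serial in crl.revoked_serials else Verdict.GOOD


# --- constructed sample data -------------------------------------------------
T0 = datetime(2004, 1, 1, tzinfo=timezone.utc)   # constructed date
CRL_URL = "http://crl.example.test/ca.crl"       # placeholder distribution point
REVOKED_SERIAL, GOOD_SERIAL = 0x1001, 0x2002     # constructed serial numbers


class FakeDistributionPoint:
    """Stands in for the CRL server; flip `reachable` to simulate the outage."""

    def __init__(self) -> None:
        self.reachable = True
        self.requests = 0

    def fetch(self, url: str, timeout_s: float) -> Crl:
        self.requests += 1
        if not self.reachable:
            raise TimeoutError(f"no answer from {url} within {timeout_s}s")
        return Crl(frozenset({REVOKED_SERIAL}), next_update=T0 + timedelta(days=7))


def run_scenarios() -> Dict[str, Verdict]:
    results: Dict[str, Verdict] = {}
    for policy in Policy:
        point = FakeDistributionPoint()
        checker = CrlChecker(point.fetch, policy)
        tag = policy.value
        # CRL server reachable: both policies give the same answers.
        results[f"{tag}/up/revoked"] = checker.check(REVOKED_SERIAL, CRL_URL, T0)
        results[f"{tag}/up/good"] = checker.check(GOOD_SERIAL, CRL_URL, T0)
        # Server goes dark; the cached list still answers until nextUpdate.
        point.reachable = False
        results[f"{tag}/down-cached/revoked"] = checker.check(
            REVOKED_SERIAL, CRL_URL, T0 + timedelta(days=3))
        # Cache has expired and the refetch times out: the policy decides.
        later = T0 + timedelta(days=8)
        results[f"{tag}/down-expired/revoked"] = checker.check(
            REVOKED_SERIAL, CRL_URL, later)
        results[f"{tag}/down-expired/good"] = checker.check(
            GOOD_SERIAL, CRL_URL, later)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:34} {verdict.value}")
```
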

  53. The whole office suite by mr_tommy · · Score: 1

    This problem manifests itself throughout the office suite; it definitely affects Excel 2003. It has also caused on my PC's problems with explorer.exe; I've also had a few issues with zone alarm.

    Let's hope they fix it swiftly; this is a _rather_ annoying problem.

  54. That's a relief! by goingincirclez · · Score: 1
    I'm glad I read this. I was wondering why the hell I couldn't get thru to my student loan account & forms online last night. I mean, surely they didn't forget about what I owe? Oh well.

    Verisign, Inc: slashdotting the rest of the internet since 2003...

    --
    ~~~
    "The slave thinks he is released from bondage, only to find a stronger set of chains" - NIN
  55. If you kept your email address up to date... by Anonymous Coward · · Score: 0

    Verisign has been sending their customers notices for at least a month telling them what was going to happen. I've personally helped four or five different people update their intermediate CAs over the past month. All of them had been notified by Verisign. Keep your info updated and before you file everything from Verisign as spam, at least look over it.

    Hell, if the certs never expired, you people would complain about the security risk from the certs being valid too long. I call it the "Slashdot Effect".

    ------
    "Don't like my answers? Then stop asking me questions."

  56. You're my hero. by Deideldorfer · · Score: 0

    I've been trying to figure out the cause of these weird problems all day.

    --

    Power off before disconnecting connecting connector. Seen on a cash register
  57. No use for Verisign, complete waste of money by Anonymous Coward · · Score: 0

    We generate our own certs and provide a link on the opening web page for easy importation of the SSL certificate into the user's web browser so future visits will be seamless.

    Verisign is a complete waste of money, in 6 years of generating our own certs we never have had a problem, and users enjoy the benefit of SSL connections.

    We saved thousands of dollars by "NOT" using Verisign and our customers have no complaints about importing a SSL certificate one time.

  58. word by Jainith · · Score: 1
    Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start).

    I noticed this earlier this morning, thanks for the information on the cause. Is there any word on a fix? Other than the obvious don't use word/norton?

    Jainith

    1. Re:word by Anonymous Coward · · Score: 0

      In NAV, go to Options -> Miscellaneous, and disable "Enable Office Plug-in"

    2. Re:word by Anonymous Coward · · Score: 0

      Just turn off the office plug-in in NAV 2003 -- Options-> Misc. uncheck office plug-in.

  59. Why should expired cert => CRL traffic spike?? by Y2 · · Score: 4, Interesting
    I'll take the risk of looking stupid and ask the musical question: Why should the expiration of a certificate cause an increase in traffic to a CRL server? Once a certificate has expired its revocation status is irrelevant. Revocation lists exist solely to cancel a key before its certificate expires.

    Or is it merely that some software automatically calls the mothership for new information on expiration, and the hostname of the mothership happens to start with "crl"?

    (Antidisclaimer: I operate five private CAs and delude myself that I basically understand this stuff.)

    --
    "But all your emitter and collector are belong to me!"
  60. Or.... by ccarter · · Score: 2, Interesting

    "Although VeriSign has been providing instructions on how to manually install
    the new Global Server Intermediate Root CA to all GSID customers since
    December, 2001, it is possible that some customers may not have noticed the
    reminder and are unaware of this issue."

    Or like me, it's a case of it was fixed (I know it was because I was the one that did it in early 2002) and now they are trying to figure how (and when) it got broken again....

  61. That almost read like a real news story!

  62. Re:null routing Certificate Revocation List Server by Anonymous Coward · · Score: 0

    Non-authoritative answer:
    Name: crl.verisign.net
    Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, ...
    Aliases: crl.verisign.com


    Damn! They're now trying to DoS my PC!

  63. Re:VeriSign^W Microsoft is lame by Anonymous Coward · · Score: 0

    It is stupid for Microsoft not to have taken the steps necessary to keep thier OS from crashing seeing that they get paid a lot of money to do only 2 things:

    1) Write good code

  64. Technical Help Forum? by Matrix272 · · Score: 0

    I can't get the DOS version of Duke Nukem to run in Windows XP. Is this at all somehow related? Is there a fix??

    Actually, not a bad point... in a roundabout kind of way. Where does everyone go for help if they can't find a webpage discussing the problem they're having? Is there a very popular site, similar to Slashdot for helping people, particularly in a forum-like setting where people can post problems? Obviously, I know there are newsgroups and websites all over the place for this kind of thing, but is there one that's extremely popular? If not, I think Slashdot should start one...

    For instance, I'm having a problem with Samba 3... I have pam_mount mounting user's home directories to a drive on a Windows server, but that doesn't let X Windows start because apparently certain files create hard-links, which SMB can't handle. So, what's a good way to work around it? I'm not sure what to search for, but nothing I've tried brings up anything really helpful.

    --
    "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
    1. Re:Technical Help Forum? by johnnyb · · Score: 1

      They're called mailing lists. I'd try the samba one, or one for your dist.

    2. Re:Technical Help Forum? by pantycrickets · · Score: 1

      Where does everyone go for help if they can't find a webpage discussing the problem they're having? Is there a very popular site, similar to Slashdot for helping people, particularly in a forum-like setting where people can post problems? Obviously, I know there are newsgroups and websites all over the place for this kind of thing, but is there one that's extremely popular? If not, I think Slashdot should start one...

      I was thinking that same thing yesterday. A slashdot for technical questions. Maybe divided up into some logical categories.. maybe not. But if you had the amount of people posting as you do here, you could probably get any question answered in an hour. That would be useful for so many people.

    3. Re:Technical Help Forum? by cloudmaster · · Score: 1

      I'm not aware of other useful sites giving random "500 internal server error" codes - so none like Slashdot. ;)

      "grep -r 'ln ' /path/to/x/startup/files" to see if your hardlinks are being created from a shell script...

      http://lists.samba.org/archive/samba/2000-July/019824.html

      try searching for "smbfs" and "hardlink" in quotes, since the problem is with the smbfs. ;)

    4. Re:Technical Help Forum? by Matrix272 · · Score: 1

      I've tried them both... didn't help. It seems more like a general linux issue than one specific to either Samba or Red Hat. Maybe X Windows? Maybe some general tip forum / mailing list?

      --
      "It's better to have a gun and not need it than need a gun and not have it." ~ Christian Slater, True Romance
  65. if we're doing lame certificate related questions. by Anonymous Coward · · Score: 0

    how does one programmatically add a CA cert to a browser?

  66. Re:null routing Certificate Revocation List Server by Anonymous Coward · · Score: 0

    No, but maybe a security half.

  67. Re:If people are getting errors coming to your sit by rob_from_ca · · Score: 1

    Probably. I would probably use SSLCertificateChain instead, but the difference is very slight.

    Your SSL directives might be included in ssl.conf; that's the way apache 2.x works.

    Check out the variety of resources available (www.modssl.org, http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html ) for more info.

  68. The one thing I could never stand about Santa Cruz by Thud457 · · Score: 3, Funny
    Personally, I trust you more than Verisign to :

    1. Not fuck up,
    2. Not fuck me over
    But don't let it go to your head, l33t_d00d, that says more about them than you.
    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  69. corepirate nazi disempowerment proceeding on time by Anonymous Coward · · Score: 0

    no problem at all. slow? perhaps compared to the bullinding 'speed' of unprecedented evile et AL?

  70. Re:null routing Certificate Revocation List Server by TekPolitik · · Score: 1
    As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI

    You still trust VeriSign? Where the hell have you been for the past five years?

  71. Nerd. by ProtonMotiveForce · · Score: 0

    Does _everything_ have to be some pathetic jab at Microsoft? I mean, I can just hear the nerdlinger guffawing over this idiocy now.

    1. Re:Nerd. by Anonymous Coward · · Score: 0

      Nerd.

      This is after all, News for Nerds.

  72. there is by Anonymous Coward · · Score: 0

    its called ask.slashdot

  73. Microsoft products by Griffon4 · · Score: 1

    Problems I've had with two w2k machines include; Explorer running slowly (right click and Cntl-X), Outlook running slowly, Word running slowly.

    The Advanced Internet Explorer settings fix mentioned earlier fit the bill and both are running normally now. Thanks /.!! :)

    1. Re:Microsoft products by Anonymous Coward · · Score: 0
      Problems I've had with two w2k machines include; Explorer running slowly (right click and Cntl-X), Outlook running slowly, Word running slowly.
      They aren't problems, they're FEATURES!
  74. CRL scalability by d_engberg · · Score: 2, Informative


    I'm guessing that this Denial of Service effect is largely due to the known scalability problems with X.509 CRLs. In a mature Public Key Infrastructure (PKI), about 1 in 6 certificates is revoked. A CRL is around 20-30 bytes in length for every revoked certificate.

    That means that if you've issued 250,000 certificates, you can expect to have a CRL of about 1MB.

    This aggregate information isn't bad for some back-end processing, but when a lot of clients try to grab the CRL, you can quickly saturate even a high-end 100Mbps hosted server farm.

    Virtually every serious large-scale PKI (including VeriSign and Microsoft) is moving to OCSP to replace CRLs since each client will retrieve ~1kB per status request rather than a full 1MB CRL.

  75. gnu online dating service causing problems? by Anonymous Coward · · Score: 0

    not for the won-eyed girl, or robbIE, but the plight of the lonely hobbyist has not been addressed/worsens with each failed request for personal .coNTact?

    they do this to get even more phonIE monIE? is too much never enough for these corepirate nazi bootlickers/pr0n puppets?

  76. Re:If people are getting errors coming to your sit by hawkbug · · Score: 1

    It turns out I had to add that intermediate.crt file and that config directive into Apache 1.3.27 and it works now that I put that stuff in with the virtual host information.

  77. Re:VeriSign^W Microsoft is lame by Trejkaz · · Score: 1

    You honestly think M$ get paid to write good code?

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
  78. Warning: broken apps you might not think about by Delirium+Tremens · · Score: 4, Insightful
    if you have other apps with problems, please post about them below.
    Interestingly enough, apps that use the old Verisign certificate and that didn't have visible problems today are also to be considered broken. Those apps have a much bigger problem than the apps that broke today. Those apps should have failed today. The fact that they didn't proves that their certificate checking logic is buggy and shows that they are actually prone to attack. Those applications are much less secure than the ones that broke today. Actually, the apps that broke today didn't actually break. They were the only ones to behave correctly.
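The point in the comment above, as an added example that is not part of the original thread: a validator that checks only the end-entity certificate's dates accepts a chain whose intermediate has expired, while one that checks every link rejects it. The `Cert` model, the names and the sample chain are constructed for illustration, and signature verification is deliberately left out.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(year, month, day):
    """Build a timezone-aware UTC timestamp."""
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    """Only the fields this check needs; signatures are not modelled."""
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


# Constructed sample chain (hypothetical names and dates).
ROOT = Cert("Example Root CA", "Example Root CA", utc(1996, 1, 1), utc(2028, 1, 1))
OLD_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                        utc(1997, 1, 1), utc(2004, 1, 7))
NEW_INTERMEDIATE = Cert("Example Intermediate CA", "Example Root CA",
                        utc(1997, 1, 1), utc(2011, 1, 1))
LEAF = Cert("www.example.test", "Example Intermediate CA",
            utc(2003, 6, 1), utc(2004, 6, 1))
TRUST_ANCHORS = frozenset({ROOT})
DAY_AFTER = utc(2004, 1, 8)  # the day after the old intermediate expired


def leaf_only_check(chain, now):
    """Flawed check: looks at the end-entity certificate's dates only."""
    leaf = chain[0]
    return leaf.not_before <= now <= leaf.not_after


def validate_chain(chain, trust_anchors, now):
    """Check every certificate from leaf to root.

    Returns a list of problems; an empty list means the chain is accepted.
    """
    if not chain:
        return ["empty chain"]
    problems = []
    for position, cert in enumerate(chain):
        # Validity period applies to every link, not just the leaf.
        if now < cert.not_before:
            problems.append(f"{cert.subject}: not valid until {cert.not_before:%Y-%m-%d}")
        elif now > cert.not_after:
            problems.append(f"{cert.subject}: expired {cert.not_after:%Y-%m-%d}")
        # Each certificate must name the next one in the chain as its issuer.
        if position + 1 < len(chain) and cert.issuer != chain[position + 1].subject:
            problems.append(f"{cert.subject}: issuer does not match next certificate")
    if chain[-1] not in trust_anchors:
        problems.append("chain does not end at a trusted root")
    return problems


if __name__ == "__main__":
    stale_chain = [LEAF, OLD_INTERMEDIATE, ROOT]
    fixed_chain = [LEAF, NEW_INTERMEDIATE, ROOT]
    print("leaf-only check accepts stale chain:", leaf_only_check(stale_chain, DAY_AFTER))
    print("full check on stale chain:", validate_chain(stale_chain, TRUST_ANCHORS, DAY_AFTER))
    print("full check on updated chain:", validate_chain(fixed_chain, TRUST_ANCHORS, DAY_AFTER))
```
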
    1. Re:Warning: broken apps you might not think about by Anonymous Coward · · Score: 0

      That seems to be well and good for unmodified JVMs but the patch process that Sun provided doesn't work on the version of the 1.3.0 JVM that comes with AIX 4.3. What does work is to get the latest patched JVM from Sun, install it on Windows (I know, Ack!) and copy the cacerts file to your AIX box and restart anything using the JVM. I know it's an egregious hack but it works better than the "official" instructions from Sun.

    2. Re:Warning: broken apps you might not think about by Anonymous Coward · · Score: 0

      Mod this up, it really helped me out! Sun's fix doesn't work at all on AIX 4.3 and IBM won't respond to their open tickets. I tried this and it worked like a charm!

    3. Re:Warning: broken apps you might not think about by asdfghjklqwertyuiop · · Score: 1


      I dealt with a few user complaints about their IE complaining about not being able to contact the CRL server.

      If the certificate is expired, why is IE trying to look it up in the CRL? If it is expired, it is expired... how is the revocation list relevant?

  79. And if you have IIS 4.0... by JMZero · · Score: 1

    You call the Verisign guy, and he tells you what to do. I'm not sure why the instructions aren't on the page - just call.

    --
    Let's not stir that bag of worms...
  80. CA certs in Java by VC · · Score: 3, Informative

    There is a file in the JDK called cacerts.
    (find . -name cacerts is your friend), this contains the certificates Java uses when initiating ssl connections.
    As of yesterday Sun was still shipping java with the expired 3a certificate.
    The way to include the new 3a certificate is to use the keytool command.
    The format is something like: keytool -import -v -keystore cacerts -file newcert.pem
    The default password for java's cacerts file is "changeit"
    VC
    ps how many geek points do i get for fixing this last week?

    1. Re:CA certs in Java by tizen · · Score: 0

      12... no... 7!

      And here's a girlfriend for your troubles.

      Nah, who am I kidding. Think you could remember her birthday?
      -tiz

    2. Re:CA certs in Java by Anonymous Coward · · Score: 0

      Java 1.2.2_03 fixes the problem according to the release notes

    3. Re:CA certs in Java by Anonymous Coward · · Score: 0

      Errm, 1.4.2_03. Why doesn't one notice one's typos when previewing but only after posting?

    4. Re:CA certs in Java by VC · · Score: 1

      Yeah, but they haven't replaced the cacerts in the previous versions. So if you download the latest 141 or even 131 version you'll still get the old version.

      This is especially relevant to people using app servers like weblogic because the app server ships with a version of the JDK and you're only supposed to use that version.

    5. Re:CA certs in Java by jrumney · · Score: 1

      1.3.1 didn't ship with CA certs. But they probably haven't updated JSSE either.

    6. Re:CA certs in Java by Anonymous Coward · · Score: 0

      I failed :( Our jrun app servers were toast.

  81. Re:null routing Certificate Revocation List Server by Anonym0us+Cow+Herd · · Score: 1

    I think it beats another new "helpful" feature like "CRL Finder."

    Shite Finder.

    --
    The price of freedom is eternal litigation.
  82. Not the first Verisign CRL certificate problem by securitas · · Score: 4, Interesting


    This vaguely reminds me of the fraudulent Verisign / Microsoft code-signing digital certificates that Verisign issued a few years back.

    While not an identical problem, an essential element of why those certificates were potentially harmful was also because of a problem with the CRL checking. Verisign didn't support CRL distribution points in their certificates and you all remember the problems that ensued.

    I found security researcher Gene Spafford's comments on the PKI / Verisign issue interesting, which were picked up in Bruce Schneier's Crypto-Gram. Schneier's comments on the incident as well as the Microsoft response are also worth reading.

    It's unbelievable that Verisign which claims to be in the business of Internet security and SSL/TLS digital certificates - the dominant company with 95%+ market share - could let their Root Certificate Authority expire, then force its users to effectively patch their systems by importing the new certificate for the root CA after the fact. That's just bad engineering.

    Yes, end-users need to take some responsibility for their systems, but PKI and related technologies are complex and not for novices. It's no better than the keep-your patches-updated-and-use-a-firewall comment that Bill Gates made a couple of months ago. That's a bandage, not a solution.

    1. Re:Not the first Verisign CRL certificate problem by Anonymous Coward · · Score: 2, Insightful

      OK, so fair enough about the MS code signing certs, although it's worth pointing out that they were issued because a single particular person failed to follow established protocol in verifying the identity of the cert requester. If they had, the certs wouldn't have been issued.

      But as far as today is concerned, umm, excuse me, but VeriSign *has* done their due diligence.

      EVERY SINGLE CUSTOMER who renewed their Global/Secure Site Pro SSL certs within the last thirteen months were told, when they received their certs that they also had to update their intermediates. They were given an address to get the intermediate, and instructions. They were told this would happen. VeriSign can't update their shit for them; if they can't fucking read, that's their problem.

      And VeriSign can hardly help it if a certain OS manufacturer decides to have its browser do a whole bunch of unnecessary CRL checks which cause every single copy of Explorer to pick *today* to download an updated CRL...

    2. Re:Not the first Verisign CRL certificate problem by Dudio · · Score: 2, Insightful

      It's unbelievable that Verisign...could let their Root Certificate Authority expire, then force its users to [import] the new certificate.

      Well, Verisign didn't have much choice in the matter, since all certificates are required to have an expiration date. Every other trusted CA certificate, including Verisign's replacement, is going to expire at some point, potentially causing similar problems (most likely not on the same scale though, as Verisign has become the de facto standard root CA).

      I really don't see the relation to the bogus Microsoft code signing certs, as that was a failure by Verisign to confirm the identity of the requestor, whereas the current issue is a matter of the inevitable expiration of a signing certificate. This is not a problem with Verisign's practices or implementation; it's a problem with PKI itself.

    3. Re:Not the first Verisign CRL certificate problem by securitas · · Score: 2, Insightful


      Every other trusted CA certificate, including Verisign's replacement, is going to expire at some point, potentially causing similar problems (most likely not on the same scale though, as Verisign has become the de facto standard root CA).

      Certificate expiry is not the issue. As you have correctly stated, every certificate will expire. It's how the expiry is handled that is the issue. In this case it was handled poorly. The average end-user doesn't know anything about online security more than, "Is the lock on my browser open or closed?"

      You've really hit on the core of my comment with the section I've bolded above. Verisign knows its status and the role it plays in Internet trust and secure transactions. Thousands of users were probably affected by this as some of the stories in this thread allude to. How much did that cost? I suppose that Verisign can be unrepentant when it has a de facto monopoly. It doesn't absolve the IT admins who should have done their jobs better, but Verisign is hardly blameless in this.

      As mentioned above, the CRL issue is what keyed me (no pun intended) to the code-signing incident. That was in fact a failure of Verisign's operational policies, procedures, and practices. A single point of failure derailed Verisign's certificates. That's a design flaw. PKI has its fair share of issues, but you can't chalk that one up exclusively to PKI.

    4. Re:Not the first Verisign CRL certificate problem by meat.curtains · · Score: 3, Informative

      EVERY SINGLE CUSTOMER who renewed their Global/Secure Site Pro SSL certs within the last thirteen months were told, when they received their certs that they also had to update their intermediates. They were given an address to get the intermediate, and instructions. They were told this would happen.

      This is not true, at least for Verisign resellers, like Trustwise in the UK. I renewed two global certs 5 months ago and was not told.

    5. Re:Not the first Verisign CRL certificate problem by Stephen+Samuel · · Score: 2, Informative
      It's unbelievable that Verisign which claims to be in the business of Internet security and SSL/TLS digital certificates - the dominant company with 95%+ market share - could let their Root Certificate Authority expire, then force its users to effectively patch their systems by importing the new certificate for the root CA after the fact. That's just bad engineering.

      That's not such a big shock... As somebody else pointed out, root certs NEED an expiry date. What throws me is that Verisign seems to be acting like this broadsided them. How many million people using their certs, and crl.verisign.com resolves to two IP addresses??? I figure that they've got enough money coming in off of this business that they should have been able to afford to put a machine on a good number of major networks out there. I mean, aren't things like this why people are supposedly paying them $150+ a pop for certs?

      The other thing to do to alleviate this problem would have been in software design. If software is designed to go automagically looking for replacement certs, it should be designed to go on a random date before the cert expires.. That way the network hit would have been distributed over the few months instead of over the last few hours.

      --
      Free Software: Like love, it grows best when given away.
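The scheduling idea in the comment above, as an added example that is not part of the original thread: each client derives its own refresh time inside a window before expiry, so the fetches spread out instead of all landing at the expiry instant. The 90-day window, the client IDs and the function names are assumptions made for illustration.

```python
import hashlib
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed values for the simulation.
EXPIRY = datetime(2004, 1, 7, tzinfo=timezone.utc)
WINDOW = timedelta(days=90)


def refresh_time(client_id, not_after, window):
    """Pick a stable, per-client refresh time in [not_after - window, not_after).

    Hashing the client ID together with the expiry date gives each client a
    different offset that stays the same across restarts, so a client does not
    re-roll (and possibly re-fetch) every time it starts.
    """
    digest = hashlib.sha256(f"{client_id}|{not_after.isoformat()}".encode()).digest()
    # 48 bits fit exactly in a float, so the fraction is always below 1.0.
    fraction = int.from_bytes(digest[:6], "big") / 2**48
    return not_after - window + fraction * window


def peak_hourly_load(times):
    """Largest number of requests that fall into any single clock hour."""
    buckets = Counter(t.replace(minute=0, second=0, microsecond=0) for t in times)
    return max(buckets.values())


def simulate(n_clients=10000):
    """Return (peak when everyone fetches at expiry, peak with spread refresh)."""
    client_ids = [f"client-{i}" for i in range(n_clients)]
    at_expiry = [EXPIRY for _ in client_ids]
    spread = [refresh_time(c, EXPIRY, WINDOW) for c in client_ids]
    return peak_hourly_load(at_expiry), peak_hourly_load(spread)


if __name__ == "__main__":
    naive_peak, spread_peak = simulate()
    print("peak requests in one hour, all clients at expiry:", naive_peak)
    print("peak requests in one hour, spread over the window:", spread_peak)
```
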
    6. Re:Not the first Verisign CRL certificate problem by Anonymous Coward · · Score: 0

      And that isn't fucking Verisign's problem, is it? If the reseller can't be bothered to relay some info, why not blame them?

  83. Citrix NFUSE also affected by MojoReisen · · Score: 1

    Just FYI

    --
    "Nothing is impossible for the man who refuses to listen to reason"
    1. Re:Citrix NFUSE also affected by Anonymous Coward · · Score: 0

      Agggh- how is it affected? like clients just hanging after a successful logon? I've been pulling my hair out over nfuse failing with PNAgent or the web ICA- it works like 1/4th or 1/5th of the time for me and if this is all true, maybe our server farm has one box with valid certs but the rest not.. sigh :)

    2. Re:Citrix NFUSE also affected by Anonymous Coward · · Score: 0

      Thanks! This gives me hope for tomorrow :). Any idea if it generates a client side error of "can't find route to subnet" ? Seems to me it would make sense, had that as part of a "never before seen" NFuse error code that, like the other AC who replied to you, only seems to pop up sporadically for the client at login, as of today. Joy.

  84. Re:null routing Certificate Revocation List Server by Ben+Hutchings · · Score: 1

    Yeah, that's what I thought. I tried sending mail to hostmaster@verisign.net because I thought the non-routability was itself a problem. It bounced - as did mail to hostmaster@verisign.com.

  85. Re:null routing Certificate Revocation List Server by Nimey · · Score: 1

    Without CRL checking, Verisign certificates have no inherent integrity advantage over self-signed certificates. This is what we pay for?


    You should use one of Verisign's competitors. Thawte, for example. They couldn't be any more incompetently run than Verisign, surely.
    --
    Hail Eris, full of mischief...

    E pluribus sanguinem
  86. non-routable addresses ? by eguaj · · Score: 2, Funny
    ... and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers.
    They are inserting non-routable addresses in DNS answers ?
    Well, after all, I should not be surprised to hear that, after the wildcard affair. They are definitely the masters for messing their DNS...
  87. IBM HTTP Server by sphynxdra · · Score: 1

    This completely kills IBM's Apache variant; we've been down for most of the day working on this problem.

    1. Re:IBM HTTP Server by lgbarker · · Score: 1

      Down 3 hrs last night with same problem. Followed instructions at http://www-1.ibm.com/support/docview.wss?uid=swg21 156795 (watch the wrap on the URL) Cycled HTTP server and came back up

  88. Re:null routing Certificate Revocation List Server by bertboerland · · Score: 2, Interesting

    updated to reflect real world:
    [root@kjell root]# host crl.verisign.net
    crl.verisign.net has address 198.49.161.206
    crl.verisign.net has address 198.49.161.200
    crl.verisign.net has address 198.49.161.201
    crl.verisign.net has address 198.49.161.202
    crl.verisign.net has address 198.49.161.205

    as of
    serial = 2004010701
    Thu Jan 8 23:17:57 CET 2004

    note the 01 in 2004010701

    --
    -- for undocumented cisco commands, take a peek @ dotu
  89. Re:null routing Certificate Revocation List Server by benwb · · Score: 2, Informative

    Except for the fact that Verisign owns Thawte.

  90. Office suite affected? by Neurotoxic666 · · Score: 0

    Can this problem also affect Word, Excel and Outlook? One of our clients called this morning to report slower-than-normal applications. And their problems had nothing to do with the server, which was apparently running fine...

    Is it somehow related to Verisign's expired certificate?

    --
    You are more than the sum of what you consume. Desire is not an occupation.
  91. Brokerage problems too by Lawrence_Bird · · Score: 1

    My broker uses a java based platform, and it was quite the mystery this morning why those using SSL couldn't log in!

    1. Re:Brokerage problems too by frozenray · · Score: 1

      Our internet banking/brokerage platform was partially down for several hours because of this screwup - fortunately, our customers weren't affected at all, only a good-sized portion of the intranet users (and a vocal bunch they are, I'm telling you).

      After some headscratching we found 1) the failed crl requests in the firewall logs and 2) that IT security had enabled the "Check for server certificate revocation" option in IE, which is disabled by default (and fortunately left that way by all of our customers, apparently).

      Thank you for ruining my day, Verisign. I'll return the favor when the time for renewing our certs comes around.

      --
      "There are already a million monkeys on a million typewriters, and Usenet is NOTHING like Shakespeare." - Blair Houghton
  92. Apache 1.3.22 needs SSLCertificateChainFile by maddmike · · Score: 1

    We run Apache 1.3.22 and had to add the SSLCertificateChainFile directive in each virtual server. This was the only way to get Internet Explorer to update the Intermediate Cert the way it was supposed to.

    1. Re:Apache 1.3.22 needs SSLCertificateChainFile by Anonymous Coward · · Score: 0

      You run old, exploitable Apache version on an SSL site do you? I don't care what anybody says, I think it's great that you took the effort to provide end to end encryption between client and the guy who rooted your box ;-o

  93. So this is the cause of it all? by FortissimoWily · · Score: 1

    I started up my box today, which has never given me any major trouble, only to find that it froze up for about five minutes or more after XP had started. I figured that maybe it was related to some system settings I altered last night after my usual weekly maintenance routine, so I changed the settings back, and rebooted. Again, I had the same problem - the system was just hanging for absolutely no reason.
    I then tried to get online to see if there were any patches I needed for any software or whatever (it didn't seem beyond the realms of possibility), only to find that ZoneAlarm had been messed up completely, and had forgotten all my stored settings, etcetera (it completely freaked out when I tried to connect, and upon closer inspection, the allowed program list, and everything else, was empty and/or back to its default settings). I cancelled my attempt to connect, and ended up having to uninstall and re-install ZoneAlarm. The hanging-at-startup remained after a reboot, and during the long, not-usually-there pause, the thought occurred to me that perhaps it was the other constantly-running app I use, Norton AV, that was the problem, though after investigating, I couldn't seem to fix it. Eventually I was able to get online again, and ran LiveUpdate. Of course, after downloading and installing the updates available, this required a reboot, but everything was fine after that (although admittedly, my system does seem to hang for a few moments after right-clicking folders and such at the moment, even whilst offline).

    So, yeah, ZoneAlarm and Norton AV were both affected by this badly. Oh, and for some bizarre reason, WinAmp popped up that window that asks for your e-mail address just after installation, having apparently forgotten that it's been installed since September. O_o;;

    It's good to know that it's not a problem on my end, though, and that it's just a VeriSign messup. :D

  94. Go stick your head in a pig by tjw · · Score: 1

    Sure, it's easy to compare VeriSign with the Vogons, but in all fairness, the Sirius Cybernetics Corporation fits them better.

    Not to mention they're a bunch of mindless jerks who will be the first against the wall when the revolution comes.

    --

    XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UB E-TEST-EMAIL*C.34X
  95. Verisign problem by rolande · · Score: 1

    We had 2 applications blow up last night at 6PM when the certificate expired and we had 7 more that were down this morning when users tried logging in. The funny thing was that my group manages our reverse proxy environment and all but one of our production certificates had been updated with the proper certificate chain. Once we had determined the problem we were able to resolve it quickly on our end. But, many of the applications that appeared to be accessible from the login page would not function once a valid user logged in.

    99% of our problems have been related to backend webservers with out of date certificates or applications that used SSL between components that were still using the old certificate.

  96. Let's use a system based on TRUST! by Trejkaz · · Score: 2, Insightful

    Let's be honest. Who here trusts Verisign? If you trusted them before, do you trust them now?

    All this whole ordeal seems to have shown is that Verisign (or in general SSL's) method of verification and validation is completely unscalable.

    Why don't we use a loose-knit network of trust like GPG? We could still have root certificates which are ultimately trusted if the user wants, but would be able to set up little isolated trust networks which wouldn't be crippled by this sort of stupidity.

    --
    Karma: It's all a bunch of tree-huggin' hippy crap!
    1. Re:Let's use a system based on TRUST! by pclminion · · Score: 1
      Why don't we use a loose-knit network of trust like GPG? We could still have root certificates which are ultimately trusted if the user wants, but would be able to set up little isolated trust networks which wouldn't be crippled by this sort of stupidity.

      You would be insane to trust a "loose knit" network.

      A certificate is so named, because the signer has CERTIFIED the holder to be trustworthy. If that certificate is later used to commit a felony, say, credit card fraud, then YOU could be held legally liable, because YOU CERTIFIED that this guy was trustworthy. You were negligent in failing to find out that he wasn't.

      I'm damn well not going to expose myself to liability like that. Signing other people's certificates is NOT something I would EVER do.

    2. Re:Let's use a system based on TRUST! by Trejkaz · · Score: 1

      Personally, I would trust Friend 1 to say Friend 2's site is legitimate, over a faceless company like Verisign saying Friend 2's site is legitimate.

      As far as exposing yourself to liability, the point is to know they're who they claim they are. If you are so blindingly stupid as to sign someone's certificate when they're not who the certificate says they are, then you probably deserve to be sued.

      --
      Karma: It's all a bunch of tree-huggin' hippy crap!
  97. Same problem here by Dan+East · · Score: 1

    I see the same problem with Windows Explorer, which began sometime yesterday. There is a 5-10 second delay when right-clicking on a file in File Explorer.

    First, it's ridiculous that such a widely used certificate was allowed to expire.

    Second, it's even more ridiculous that right clicking on a file in File Explorer requires a certificate.

    So what is the fix for this (besides switching to linux)?

    Dan East

    --
    Better known as 318230.
  98. MOD PARENT UP PLEASE by Anonymous Coward · · Score: 0

    Thanks!

    1. Re:MOD PARENT UP PLEASE by Anonymous Coward · · Score: 0

      Agreed! Very informative, thanks :)

  99. Who says reading Slashdot at work is wasting time? by malloc · · Score: 1

    Once again, if my boss ever inquires about the excessive HTTP requests to slashdot.org I've got a perfect justification.

    This little tidbit solves a QA issue we've been scratching our heads on all day. Surf for 1 hour, save 1 day. Hey, does that mean I should read Slashdot full-time? :)

    -Malloc
    --
    ___________________ I want to be free()!
  100. There are alternatives to Verisign... by rufey · · Score: 2, Informative
    I used to work for one of VeriSign's competitors in the PKI world, and there are other options other than going to VeriSign. However, there were only two that I could find today on the net. Some of the others I knew about apparently don't exist anymore.

    beTRUSTed, which recently purchased Baltimore's CyberTrust and OmniRoot businesses. I used Baltimore's certs all the time to avoid VeriSign.

    Digital Signature Trust, a subsidiary of Identrus. I've used their TrustID certs to avoid giving money to VeriSign as well.

    Both of the above certificate authorities have their roots in the most current IE and Netscape/Mozilla browsers. Digital Signature Trust does a lot of stuff with banks (being owned by Identrus, which was created by a bunch of banks).

  101. Impact at work by Trinition · · Score: 1

    At work, we had two impacts from this problem.

    1. First, we noticed a couple of months ago that another, lesser-used intermediate certificate expired for a test server, and this led us to check all of them, including the one everyone else is hating today. We had ours fixed months ago by updating the keystore our Java applications use.

    2. We had people we connect to complaining OUR intermediate certificate had expired, when in fact, the intermediate certificates on their server used to verify ours had actually expired. If I recall, one of the other products impacted today was the IBM HTTPD server -- based on Apache, right?

  102. Cause by Anonymous Coward · · Score: 0

    CRLs are an example of a system that does not scale well. It's only recently become a problem because Windows is now actually checking the CRL to see if the certificate is expired. Verisign is at the mercy of the Internet because of a poorly designed system and flawed pricing model left over from good old days on the tech boom.

    Sorry that I've posted anonymously but I want to keep my job.

  103. Good old Douglas Adams by Hecatonchires · · Score: 1

    He knew how to turn a phrase didn't he.

    --

    Yay me!

  104. Auto renewal of SSL certificates by Anonymous Coward · · Score: 1, Interesting

    You need something that will auto-renew your certificates. IMCentric has a good solution.

    www.imcentric.com

  105. own CA by Anonymous Coward · · Score: 0

    Isn't that implemented in W2000: CA, enrollment, and everything ?

  106. Verisign not International? by Anonymous Coward · · Score: 0

    I thought Verisign thought of themselves as an International company? Based on the '1/7/2004' date their page mentioned several times, this date here in Britain reads "first of the seventh month, 2004" which is no problem to us :)

    If you're an International company, please stick to international conventions, such as 'YYYY-MM-DD HH:MM:SS GMT' even if only to say to the world, "hey I'm not one of those Americans who cannot recognise anyone else in the world!"

  107. Update... by falcontx · · Score: 1

    Updating your copy of Norton AntiVirus using the first link on this page fixes all associated problems: http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html

    falcontx

    1. Re:Update... by falcontx · · Score: 2, Informative

      I suppose I should have linked. Here is a link:

      http://securityresponse.symantec.com/avcenter/download/pages/US-N95.html

      falcontx

  108. Same problem here by NAHIMAKALI · · Score: 0

    I'm having a hard time with Norton Antivirus for the very same problem. Anyone know a fix for this? Thanks

  109. My company was affected... by retro128 · · Score: 2, Informative

    I work at a CNC machine shop and the app that sends programs to the machine broke today because of that. I would have never heard about it if it wasn't for my brother in law, who works for a company running the same application.

    The fix was as follows: Open Internet Options, click Advanced tab. Under Security turn off both Check for Server Certificate Revocation and Check for Publisher Certificate Revocation. I think this fix should work for other apps that are affected by the same problem...Thought I'd pass it along.

    On a side note, it's pretty scary that this has happened to begin with. What I had to go through was pretty minor since the problem was on one machine, but what about an entire enterprise with an app installed on 1000's of computers that were broken because of this? Because of all this ridiculous "signed app" nonsense, not only are you down, but through proxy Microsoft made you dependent on one of the biggest bastardized companies I know...Verisign. Don't expect this problem to fix itself in a timely manner.

    If this is a sign of things to come, Palladium will bring Hell on earth.

    --
    -R
    1. Re:My company was affected... by retro128 · · Score: 1

      The app, by the way, is Predator MDC.

      --
      -R
  110. You have a choice by tcgwebs · · Score: 1

    I know of many companies that offer signed SSL certs for much, much cheaper than VeriSign. In my mind, VeriSign isn't any more "trusted" than anyone else. This is similar to how before 1999, you had no choice but to get your domain registrations at Network Solutions (a VeriSign company, I think). But yet, people still pay 35 bucks a year for them for no good reason. Same with SSL certs. I think I found a signed cert for $25 a year at one time. (I hate VeriSign)

    --
    Domain name registration for $8.79 per year
    879domains.co
  111. Another Victim by Bruha · · Score: 1

    Yeah our HR applications would fail on logins every once in a while.. Course our IT support people are idgits and I only figured out the issue when I came home to get some messages from friends about their website SSL certs failing and then looked at my RSS bar and Slashdot gave me the answer!

    *(#$ Verisign.. Nuff said.

  112. Re:Duke Nukem (Forever!) by wo1verin3 · · Score: 1

    >> I hear that to get it to work with XP you need
    >> to upgrade to Duke Nukem Forever.

    It's just called Duke Nukem now. It was a misquote from a developer Q&A session, the 'Forever' was referring to the ETA until release.

  113. Re:null routing Certificate Revocation List Server by geoffspear · · Score: 1

    Sure, but if the machine you're attacking is on your local network, it would be easier and more efficient to hijack DNS altogether instead of relying on Verisign to provide one of the 10.0.0.* addresses for themselves. Direct all local traffic meant to go to Verisign to your own box and do whatever it was you were going to do without hoping for the 3 in 7 chance any given machine will hit your box when trying to update.

    --
    Don't blame me; I'm never given mod points.
  114. I'm no socialist, but.... by spike2131 · · Score: 3, Interesting

    I would love to see the Federal Trade Commission start granting digital certificates for little or no cost. Governments are already responsible for public security, and for granting identification documents such as social security cards and drivers' licenses, and for communications services such as running the postal service and operating the Do Not Call Registry... why don't they do these things in the digital realm as well?

    Mind you, I'm not calling for government regulation of the Internet... and certainly there is no way that government certificates should be in any way a requirement for operating a secure website. There must still be commercial options available - and I'm sure they would become a lot more reasonably priced in the face of public competition. But if governments are going to start taxing the Net (which they will), then certifying SSL certificates is the kind of service that they should be giving people in return.

    --
    SpyDock: Scientific Python in a Docker container
  115. Re:null routing Certificate Revocation List Server by anthony_dipierro · · Score: 1

    Without CRL checking, Verisign certificates have no inherent integrity advantage over self-signed certificates.

    Nonsense. This would only affect the integrity of certificates which were stolen.

  116. Screwed our company's distribution software by silicon+not+in+the+v · · Score: 1

    I didn't realize how far this went until I read this article. This morning about quarter til 8AM (Mountain Time) my wife and I were arriving at work, and she got a page saying that our global distribution software program (price quotes, placing orders, etc.) was inaccessible because some certificate had expired. None of our distributors could log in to our system through https. I thought it was some kind of security thing related to us, rather than "web-wide".

    This sounds like the MS failure to renew DNS registration thing.

    --
    We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
  117. Explorer, IE, Excel, Word, IIS - XP, 2K by Sean+Clifford · · Score: 2, Funny
    Man did this cause some serious headaches at work today; my phone rang all damned day with people insisting that their boxen were dragging and that it was somehow all my fault because I wrote a web app that generates spreadsheets. And no, they weren't using that application, but they had used it in the past, so...

    Wouldn't have been so bad if it was just my company, but folks from other companies, friends of friends, political buddies of friends of friends...

  118. Re:null routing Certificate Revocation List Server by djmitche · · Score: 1

    No,

    crl.verisign.net has address 198.49.161.200
    crl.verisign.net has address 198.49.161.201
    crl.verisign.net has address 198.49.161.202
    crl.verisign.net has address 198.49.161.205
    crl.verisign.net has address 198.49.161.206
    crl.verisign.net has address 64.94.110.11

    serial 2004010808

    I should add that the oddball, 64.94.110.11, is the SiteFinder server. I guess they had some spare bandwidth kicking around there.

    What a bunch of clowns.

    OK, I'm not sure what slashdot means by junk characters, but hopefully these will balance them out.

  119. Re:Duke Nukem (Forever!) by silicon+not+in+the+v · · Score: 1

    I think they changed that to MS Bob Nukem (and his sidekick Kid Klippy!)

    --
    We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
  120. Why only some software? by jrumney · · Score: 1

    I discovered this today, as a SOAP application I was working on stopped connecting. The strange thing was, both Mozilla and IE 6 could connect fine. So why did this only affect older versions of IE, and not newer ones? Why not Mozilla? Were these "fixed" to ignore expiry dates on CA certificates? It doesn't seem like a sensible thing to fix to me.

  121. spybot search and destroy by magical22 · · Score: 1

    If you find yourself constantly reinstalling due to spyware and them clicking "yes" just install spybot search and destroy, update it, and use the Immunize feature, it's great and will save you on a lot of the re-loads!

    1. Re:spybot search and destroy by Anonymous Coward · · Score: 0

      If you find yourself constantly suffering from thirst, just try the refreshing taste of an ice cold Sprite. Crack it open, and drink. It's great!

  122. JonoF's Duke Nukem 3D port--with OpenGL!!@ by Anonymous Coward · · Score: 0

    http://jonof.edgenetwork.org/buildport/duke3d/

    -Native Windows port using my Build engine port.

    -OpenGL rendering support.

    -MIDI playback and authentic sound mixing using ported Apogee Sound System code.

    -Experimental UDP-based multiplayer.

    -much more!

  123. You've misunderstood "certificate" (easy to do). by smcv · · Score: 2, Informative

    A certificate is so named, because the signer has CERTIFIED the holder to be trustworthy.

    You'd think so, wouldn't you? Unfortunately for the sanity of anyone using a certificate architecture, you're wrong.

    The certificates issued by Verisign and other Certifying Authorities are more "proof of ID" than anything else; the CA makes no assertions about the trustworthiness of the owner, they just assert that the public encryption key you've just been sent belongs to the same people who own the server you're connecting to.

    A typical CA certificate as used in SSL, translated into English:

    "We hereby certify that the following RSA key [...] belongs to the owner of shopping.example.com. Signed, Verisign."

    When your browser connects to https://shopping.example.com, the server sends you its certificate, and the browser checks Verisign's signature on that certificate. If the server proceeds to steal your credit card number, subscribe you to undesirable mailing lists, etc., that's between you and example.com; it's only Verisign's fault if it turns out they issued a wrong certificate.

    PGP uses the same principle: when you sign someone else's key, the statement you're "signing" is something like this:

    "The following public encryption key [...] belongs to Joe Bloggs; I have met Joe and verified the photo on his passport. Signed, pclminion."

    GnuPG (and probably PGP) never talks about certificates, only about signatures.

    If that certificate is later used to commit a felony, say, credit card fraud, then YOU could be held legally liable, because YOU CERTIFIED that this guy was trustworthy. You were negligent in failing to find out that he wasn't.

    The only way you could be held responsible is if it turns out that you were so sloppy about checking Joe Bloggs' ID that you were actually negligent; (i.e. didn't check it at all, or accepted an obviously fake form of ID, or something); in most jurisdictions digital signatures aren't legally binding anyway.

    Anyway, this is what the trust mechanism in PGP is for.

    [Digression: You can build up a "web of trust" by saying things like:

    - I trust [... some people ...] so if one of them says he's confirmed Joe Bloggs' identity, that's good enough for me; (full trust)

    - these other people: [...] I don't trust so much, but if three different people all say they've confirmed Joe's identity, I'll believe that they're not all conspiring against me, so that's OK too; (partial trust)

    - everyone else either I don't know, or I know but don't trust, so I'll ignore what they say when I make my decisions.

    (These trust values are a private decision, there's no reason to reveal them to the world.)

    end digression]

    If you incorrectly sign someone's key, and a third party gets hurt as a result, you could easily argue that it's that third party's fault for trusting your opinion.

    Incidentally, you can emulate the "certifying authority" model in PGP by giving full trust to Verisign, Thawte et al, and no trust to anyone else. This is a painfully limiting model compared with the full web of trust, though; to me it looks as though the whole mechanism was designed to make money for certifying authorities.
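
The trust rules described in the comment above, as an added example that is not part of the original post: a simplified Python model in which one fully trusted signer, or three partially trusted signers, make a key acceptable. All names and signatures are constructed, the threshold of three follows the comment's wording, and no real signatures are verified.

```python
from enum import Enum


class Trust(Enum):
    NONE = 0     # "I'll ignore what they say"
    PARTIAL = 1  # believed only when several partial signers agree
    FULL = 2     # one signature from this person is enough


def accepted_keys(me, owner_trust, signatures, partial_needed=3):
    """Return the set of people whose key 'me' accepts as really theirs.

    owner_trust: {name: Trust}, my private opinion of each person as a signer.
    signatures:  {key owner: set of names that signed that owner's key}.
    A signature counts only if the signer's own key is already accepted,
    so the loop repeats until no further key can be added.
    """
    def trust_of(name):
        return Trust.FULL if name == me else owner_trust.get(name, Trust.NONE)

    accepted = {me}
    changed = True
    while changed:
        changed = False
        for owner, signers in signatures.items():
            if owner in accepted:
                continue
            usable = [s for s in signers if s in accepted]
            full = sum(1 for s in usable if trust_of(s) is Trust.FULL)
            partial = sum(1 for s in usable if trust_of(s) is Trust.PARTIAL)
            if full >= 1 or partial >= partial_needed:
                accepted.add(owner)
                changed = True
    return accepted


# Constructed sample data: who signed whose key.
SIGNATURES = {
    "alice": {"me"}, "bob": {"me"}, "carol": {"me"}, "dave": {"me"},
    "erin": {"alice"},                 # one fully trusted signer
    "joe": {"bob", "carol", "dave"},   # three partially trusted signers
    "frank": {"bob", "carol"},         # only two partial signers
    "mallory": {"zed"},                # zed's own key was never accepted
    "verisign": {"me"},
    "shop": {"verisign"},
}

# Web of trust: a private mix of full and partial trust.
WEB_OF_TRUST = {"alice": Trust.FULL, "bob": Trust.PARTIAL,
                "carol": Trust.PARTIAL, "dave": Trust.PARTIAL,
                "zed": Trust.FULL}

# The "certifying authority" model: full trust in the CA, none in anyone else.
CA_ONLY = {"verisign": Trust.FULL}

if __name__ == "__main__":
    print(sorted(accepted_keys("me", WEB_OF_TRUST, SIGNATURES)))
    print(sorted(accepted_keys("me", CA_ONLY, SIGNATURES)))
```

Trusting zed as a signer does nothing for mallory's key, because zed's own key was never accepted in the first place.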

  124. SMTP w/ TLS by bobbozzo · · Score: 1
    if you have other apps with problems...

    I'm seeing some mail stuck in queue on our SMTP server due to remote "TLS handshake failed".

    We've been using TLS with sendmail for 1.5 years, and this is the first time I've ever seen this error.

    Remote server seems to be using some MS mail server (Exchange?):

    Connecting to mail.alvord.k12.ca.us. via esmtp...
    220 ausd-gate.alvord.k12.ca.us Microsoft ESMTP MAIL Service, Version: 5.0.2195.6713 ready at Thu, 8 Jan 2004 17:32:35 -0800
    ...
    250 OK
    >>> STARTTLS
    220 2.0.0 SMTP server ready
    xxxx@alvord.k12.ca.us... Deferred: 403 4.7.0 TLS handshake failed.
    Closing connection to mail.alvord.k12.ca.us.

    --
    Nothing to see here; Move along.
  125. I experienced this yesterday by Jondo · · Score: 1

    One of the main tools I use is CSG's ACSR, which I run over a Citrix session.

    I was unable to log in initially yesterday because the SSL certificate had expired, it seemed.

    Setting the date back on my station seemed to fix the problem though!

  126. SSL bullshit by Minkey+Brines · · Score: 1

    Oh Jesus, where do I start?

    Hmm.. Let's complain about scary popups. I mean... They're SCARY! Nothing like a scary popup to crap all over a nicely sanitized Internet experience.

    Ok then, let's talk about these pre-installed SSL certs. How many of you have taken the time to realize that an installed certificate is supposed to mean that YOU have PERSONALLY VERIFIED at least the cert's thumbprint. Did you install those certs in your browser? No. What does that tell you? Someone else (Microsoft) declared the keys to be valid. Was the installer for the browser digitally signed by a key verified by you? No. Should I go on?

    Well then, let's talk about the expiration dates on those certs. I know I feel safer with certs that don't expire until 2020. I mean, what if those darned scary popups started poppin up all over the place. What would we do? Nevermind the fact that this SSL crap uses RSA encryption. Any PGP-heads want to weigh in on how long keys of any kind should be allowed to live? There's the strength of the key in numbers of bits to consider because it determines how "strong" it is to resist being broken. Then there's the simple fact that the length of time that key exists in valid form is the length of time someone can use to steal it.

    Look, if you have cojones you will de-install ALL your root certs from your browser and re-install them, actually reading the scary popup that comes up showing the thumbprint of the cert asking you ARE YOU SURE THIS IS A VALID CERT? At least then you can't say you didn't know. To help with this, a few years ago someone created a printed book with a copy of all the root certs available at the time. I suggest getting a copy.

  127. Re:null routing Certificate Revocation List Server by thogard · · Score: 1

    Or you're accepting a cert from 10.0.0.1 which I would assume is on your internal network.

  128. see also Windows Update by Siva · · Score: 3, Interesting

    I have walked a user through performing the following procedure, and she has reported success with her two machines. She is running Windows 2000 Pro with Office 2000 and NAV 2003 (only 99% sure about the last one).

    - goto http://windowsupdate.microsoft.com/
    - click Scan for Updates link (may be prompted to accept the ActiveX thing)
    - Navigate to the page of non-critical updates (ironic, no?)
    - Find the update named something like "Root Certificate Update" or "Root Certificate Authority" (can't remember which)
    - Install it
    - rejoice at the ability to use MS Word again :P

    --

    Keyboard not found.
    Press F1 to continue.
    1. Re:see also Windows Update by Anonymous Coward · · Score: 0

      This is for something completely different and will have made no difference.

    2. Re:see also Windows Update by Siva · · Score: 1

      This is for something completely different and will have made no difference.

      I didn't say it was a fix-all. The user in question was experiencing the aforementioned problem with MS Word starting up very slowly, and performing these steps has fixed the problem.

      --

      Keyboard not found.
      Press F1 to continue.
  129. This is why PKI is a failure by anti-NAT · · Score: 1

    Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser. While this is fine for clued individuals, or internal sites and so on, things that are public-facing are more sensitive to that sort of thing.

    It galls me every time I have to give someone on the officially "blessed CA" list money to do something I can do for myself in less time, but I don't know of an alternative that allows the public users of a secure website to not get alarming messages on their browser when they try to give us money.

    The public at large don't understand the seriousness of the dialog box security alert, so they don't want to see it. How do you get rid of it? You get your Certs signed by Verisign or some other CA your browser automatically trusts. So you aren't paying Verisign or another CA because you trust them, you are paying them to get rid of an annoying dialog box, and that is all.

    I call that money for jam.

    --
    The Internet's nature is peer to peer - 20050301_cs_profs.pdf
  130. Re:Citrix NFUSE also affected UPDATE by MojoReisen · · Score: 1

    The specific errors you are getting probably depend upon your architecture, but this is the first place I'd look. Our errors were obvious "cert expired" ones. The "non-routable" message is likely related to the Verisign dumbasses using some non-routable addresses as described in other posts and if you FTFA.
    Here's the link from Citrix : http://support.citrix.com/forums/thread.jspa?forumID=17&threadID=46299&tstart=0

    To summarize:

    Any ICA connections that use Secure Gateway or SSL Relay will be affected. The solution is to replace your outdated intermediate certificate on all Secure Gateway servers, web servers and any MetaFrame servers running the SSL Relay service.

    The error you get when trying to connect might look something like this:

    The connection was rejected. The SSL certificate is no longer valid. Please contact your Citrix Administrator (SSL error 70)

    Or this:

    The server sent an expired security certificate. The certificate "O=Verisign Trust Network, OU=VeriSign, Inc., OU=VeriSign International Server CA - Class 3, OU=www.verisign.com/CPS Incorb.by Ref. LIABILITY LTD.(c)97 VeriSign" is valid from Thursday, April 17, 1997 to Wednesday, January 7, 2004.

    Good luck

    --
    "Nothing is impossible for the man who refuses to listen to reason"
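
Why a server certificate that is itself still in date fails once the intermediate above it expires, and why swapping in a reissued intermediate clears the error, as an added Python example that is not part of the original comment. Only the intermediate's name and its April 17, 1997 to January 7, 2004 validity come from the error message quoted above; the root, the server certificate, the replacement's dates and the time of day are constructed, and signatures are not verified.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


def check_chain(chain, at):
    """Check a chain ordered leaf first, root last, at the moment 'at'.

    Returns a list of problems; an empty list means every certificate is
    inside its validity period and each issuer name matches the next subject.
    Signatures are not verified in this model.
    """
    problems = []
    for i, cert in enumerate(chain):
        if at < cert.not_before:
            problems.append(
                f"{cert.subject}: not valid before {cert.not_before:%Y-%m-%d}")
        elif at > cert.not_after:
            problems.append(
                f"{cert.subject}: expired {cert.not_after:%Y-%m-%d}")
        # The last element is the root, which names itself as issuer.
        expected = chain[i + 1].subject if i + 1 < len(chain) else cert.subject
        if cert.issuer != expected:
            problems.append(
                f"{cert.subject}: issuer is {cert.issuer!r}, expected {expected!r}")
    return problems


INTERMEDIATE_NAME = "VeriSign International Server CA - Class 3"

# Constructed root: name and dates are placeholders.
ROOT = Cert("Constructed Root CA", "Constructed Root CA",
            datetime(1996, 1, 1), datetime(2028, 1, 1))

# Validity dates from the error message; the time of day is constructed.
OLD_INTERMEDIATE = Cert(INTERMEDIATE_NAME, ROOT.subject,
                        datetime(1997, 4, 17), datetime(2004, 1, 7, 23, 59, 59))

# Replacement with the same name; its dates are constructed.
NEW_INTERMEDIATE = Cert(INTERMEDIATE_NAME, ROOT.subject,
                        datetime(1997, 4, 17), datetime(2010, 1, 1))

# Constructed server certificate that is still in date on January 8, 2004.
SERVER = Cert("shopping.example.com", INTERMEDIATE_NAME,
              datetime(2003, 6, 1), datetime(2004, 6, 1))

if __name__ == "__main__":
    for label, chain, when in [
        ("old chain, Jan 6", [SERVER, OLD_INTERMEDIATE, ROOT], datetime(2004, 1, 6, 12)),
        ("old chain, Jan 8", [SERVER, OLD_INTERMEDIATE, ROOT], datetime(2004, 1, 8, 12)),
        ("new chain, Jan 8", [SERVER, NEW_INTERMEDIATE, ROOT], datetime(2004, 1, 8, 12)),
    ]:
        print(label, check_chain(chain, when) or "OK")
```

The January 6 case also shows why setting a client clock back, as one commenter did, makes the error disappear: the check passes for any time inside the old intermediate's validity period.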
  131. Steam Down by Aka_Hook · · Score: 1

    Steam is down (for counter-strike)

  132. Re:A little testy... yup by Anonymous Coward · · Score: 0

    Hell, probably like us, there were piles of customers who assumed that their software vendors would have resolved any such problems regarding such old Verisign certs ages ago - or at least notified us in advance how to fix the issue. Naw - let the users deal with crapped out servers on their own (Howdy SYBASE ...!).

    Verisign did indeed provide some instructions on their web site for a limited number of server applications and old web browsers. However, it was hardly a universal or comprehensive solution.

  133. Causes Windows / MSN Messenger Issues as well by AquaGill · · Score: 1

    Fixed the messenger problem on my own system after reading about this. Turning off the revoc check lets messenger log in again.

    If you are helping some other lame Windows user like me that is having problems with Messenger, try turning off the revoc check in IE.

  134. happened here by hype · · Score: 1

    we did, luckily i caught it early enough, found the solution (updating to java 1.4.2_03 in our case), and updated live servers before too many transactions got fucked.

    would have been nice if Sun and/or Verisign had told anyone about this in advance.

    sure they put out the java release a couple of weeks ago, but only with a minuscule release note:

    bug #4924896
    Ship currently published CA certificates in cacerts file."

    it should have had a big fat warning like "UPGRADE NOW OR YOUR SITE WILL BREAK ON JAN 7th!"

    bastards.

  135. The truth by phorm · · Score: 1

    This is the real truth. Those that are technically inclined will be OK with self-signed certs, knowing that verislime is evil anyhow. Those that aren't in the know will eventually click OK just to get where they want.

    Seriously though, why do we need a central point for signing certs, at $100 a pop what dangers are there in self-signed ones? SSL isn't just for money transactions anymore, and even a company with a verislime signed cert could be less than legit.

  136. There was an alert few weeks ago by Anonymous Coward · · Score: 0

    Everybody who is using these certificates has time to update them to new ones. There were alerts a few weeks ago about expiration.

    slashdot guys are probably not in the business not to know about it before and having troubles now.

    Yeah, I understand, you hardly can help your Norton antivirus, but it's a job for the company to make an update and inform customers. If they didn't do it, blame them, not Verisign.

    Yeah, I understand for the 2nd time, you can blame Verisign for making crappy DNS records.

  137. Damn, should have read /. by robby2 · · Score: 1

    instead of finding the solution myself...

    and if you have other apps with problems, please post about them below.

    Got one.

    We've got a stand-alone java app using a client-side certificate for authentication to get some XML over https from a webserver. It's very unfortunate that our client certificate has been signed by a certificate that was itself signed before August 2002 (the moment verisign started to sign with a new cert). To be precise 1.5 months before August 2002.

    Our app stopped working yesterday 45 minutes into the new day. (It runs every 15 minutes, so the first 2 or three times it still succeeded).
    We have had some bad experiences with the party that owns the said webserver (changing XML specs without notice breaking our XSD's and such), so my first response was calling them (again).
    After a couple of hours they responded with the "solution" that I should reconnect with the internet explorer installed on the server that runs our application and all should be fine again. I knew it wouldn't help because our application knows nothing about IE, but tried it and every suggestion they gave after that.

    In the end they sent the Intermediate Root CA in a file to us which I imported into the default java root-CA keystore (using keytool). This fixed the problem.
    I really hesitated to import something into the default keystore but it seemed the last solution I could try.

    Now I read slashdot and the sun alert accompanying the article, it turns out my solution was about the only right one to use.
    The application was down for more than a day.

    Now I think about it.... Verisign knows the email addresses of every customer they send a certificate to, signed by this expired certificate.
    In fact they know which ones were signed to be used AFTER theirs would expire!
    Would it have been such a problem to send these persons a warning email instead of relying on a warning on some page of their website?

    I think I wouldn't have discarded a verisign email with the subject WARNING, your certificate is about to return expiration warnings! or something like that as being spam.

    Of course sending people a warning email fails to address everyone, but it sure would have triggered more response than the method they used now.
    Maybe it would even have made it onto /. BEFORE it expired...

    Just a thought.

    Robby2

  138. So what do Windoze 98 users do? by twitter · · Score: 1
    Got a fix for 98? It's so easy to kill non-free.

    --

    Friends don't help friends install M$ junk.

  139. Verisign Certificate Expiration Causes Multiple Pr by Anonymous Coward · · Score: 0

    we encountered yesterday (Jan. 8) also SSL problems while trying up2date with RHN re. kernel 2.4.20-24.9

  140. The "What is telnet?" company ... by Anonymous Coward · · Score: 1, Interesting

    This is the company with a network support engineer who asked me "What is telnet?" during a support call .... Needless to say, I fixed the problem myself without the benefit of their "professional assistance".

    There will be much more idiocy coming from Verisign in the forthcoming years, I would bet. It's a company staffed with dumb (ie. probably just underpaid) semi-tech people and driven by clueless marketeers and accountants who lack the ability and commonsense to distinguish good ideas from extremely dumb ones.

  141. Why did SAME *.crl needed to be dl'd MANY times? by clokkevi · · Score: 1

    First - thanks for letting me know what happened!

    For me, the trouble was NAV intercepting all my right-clicks.

    But the thing I don't understand, is:
    I packet-monitored what happened, so I saw that my PC connected to http://64.94.110.11/

    This was the "conversation":

    My PC:
    GET /Class3SoftwarePublishers.crl HTTP/1.1
    Accept: */*
    User-Agent: CryptRetrieveObjectByUrl::InetSchemeProvider
    Host : crl.verisign.com
    Connection: Keep-Alive
    Cache-Control: no-cache
    Cookie: v1st=3E9B2224FB5AAB53

    VeriSign CRL:
    HTTP/1.1 200 OK
    Date: Thu, 08 Jan 2004 23:23:05 GMT
    Server: Apache
    Last-Modified: Thu, 08 Jan 2004 16:18:40 GMT
    ETag: "ac04-192-3ffd82e0"
    Accept-Ranges: bytes
    Content-Length: 402
    Connection: close
    Content-Type: text/plain

    0Z0o0 *H/ 0E10U VeriSign, Inc.10UVeriSign Trust Network1F0DU=www.verisign.com/repository/RPA Incorp. by Ref.,LIAB.LTD(c)981D0BU;VeriSign Class 3 CA - Commercial Content/Software Publisher 040106000000Z 040409235959Z0 *H/ eSY}u"Wfb`C($Vu;m-v9ufO)uOwZ'A'o?(UI/|

    ___________________________________________

    I right-clicked once more, and checked also *that* "conversation" - and it was the same, apart from the timestamps.

    So - apparently that CRL server was not *completely* DOS'ed - although it took 5-10 seconds before the reply came.

    Why did my PC need to download that SAME *.crl - Class3SoftwarePublishers.crl - so MANY times???

    I also - for fun - downloaded all the 51 *.crl's on that server, *manually*, to look at them. (Until yesterday, I had no idea what a *.crl was)
    And I did get all those 2.57MB downloaded, although it took some minutes. So, I'm 100% sure that CRL server was not *completely* DOS'ed.

    Or have I misunderstood it all! Was the http://64.94.110.11/ site maybe the VeriSign "fix"? If so - then I apologize for being so stupid. But still, my 1st question remains:

    Why the numerous downloads of the SAME file?

    With regards,

    Clokkevi.

  142. VeriSign notices by Anonymous Coward · · Score: 0

    Actually, VeriSign sent out an e-mail notice of the CA expiration in January 2002 (which addressed the Root CA expiration), added text in their certificate approval e-mails, and sent a reminder e-mail in December 2003 (which specifically addressed the Intermediate CA expiration.) It probably didn't reach every customer though due to changes in e-mail addresses, some people probably deleted it without reading it, and some of those that did read it may not have understood what issues they would see when the CAs expired.

    Below is what was in the January 2002 e-mail (yes, I am a packrat.)

    Global Server IDs with IE 4.0 browsers
    Rev 3.0
    January 21, 2002

    Summary of Issue

    Any organization with a newly issued Global Server ID can not enable customers using IE 4.0 to connect to that server under SSL. Those users will be prompted with an error message stating "Cannot connect to an expired server certificate."

    Background

    All VeriSign Server IDs are signed by a VeriSign CA root certificate ("root"). Roots are assigned finite validity periods to ensure the highest level of cryptographic protection, and hence, VeriSign must periodically create new roots.

    These roots play a critical role in establishing Secure Sockets Layer (SSL) sessions. When a browser attempts to use SSL to connect to a server secured with a Server ID, the SSL protocol checks the browser's "root library" for the root that signed the specific Server ID. If the root is not present in the browser's root library, the SSL session can not be established.

    As VeriSign creates new roots, it provides them to browser manufacturers for inclusion in the root libraries of their next browser versions. However, based upon the timing of VeriSign root creation relative to browser releases, different roots could be included in different browser versions. This can potentially create situations where an older browser may not have the latest VeriSign roots in its root library. If an older browser attempts to establish an SSL session with a Server ID that was signed by a root that isn't part of the browser's root library, the SSL session will fail.

    Scenario

    VeriSign previously signed Global Server IDs with a VeriSign Class 3 PCA Root that expires on 1/7/2004.
    However, PKI standards are such that a CA can not sign a certificate that will expire after the CA itself expires. Hence, this VeriSign Class 3 PCA Root can not sign any certificates that would expire after 1/7/2004. Since VeriSign recently introduced the ability for Server IDs to be issued for 2-year periods, no 2-year Global Server IDs could be signed by the old root after 1/7/2002.

    To alleviate this problem, VeriSign is now signing all Global Server IDs with a new VeriSign Class 3 PCA Root that expires in 2028. The new 2028 root is present in the latest browsers from Microsoft and Netscape, but is not present in IE 4.0.

    Therefore, any organization with a newly issued Global Server ID can not enable customers using IE 4.0 to connect to that server under SSL. Those users will be prompted with an error message stating "Cannot connect to an expired server certificate."

    Solution

    Organizations hosting web sites with VeriSign Global Server IDs can resolve this problem with either of the following solutions:

    1. Encourage all IE 4.0 visitors to upgrade to IE 5.0 or higher.
    2. Direct IE 4.0 users to go to http://www.verisign.com/support/site/getCA.html to manually install the new VeriSign Class 3 PCA Root (expiring in 2028) into their browsers.