Slashdot Mirror


Verisign Certificate Expiration Causes Multiple Problems

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.

27 of 360 comments

  1. Now I'm confused. by grub · · Score: 5, Funny


    > (which may manifest itself as Microsoft Word being very slow to start)

    But.. I thought this SSL certificate expired just today..

    --
    Trolling is a art,
  2. The reason is obvious by Anonymous Coward · · Score: 5, Funny

    In an effort to have us forget about SiteFinder, they're going for an even bigger fuck-up.

    Nice try, guys... now turn the CRL server back on.

  3. Uhm... by metrazol · · Score: 0, Funny

    ... ... ...
    HUH!?!

    And I thought I was a geek...

    What the hell does that mean, what does it do, and who do we sue for the class action lawsuit?

    --
    "Life's funny sometimes." "And sometimes it isn't." --Cat's Cradle
    1. Re:Uhm... by Valdrax · · Score: 3, Funny

      > What the hell does that mean, what does it do, and who do we sue[...]?

      With that kind of reaction, I think you've more than proved you've got the mettle to be in management.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
  4. Hmmmm... by TWX · · Score: 5, Funny

    Well, it's good to know that not only crackers or script kiddies are good at taking down Verisign's services, that their own staff is good at it too.

    --
    Do not look into laser with remaining eye.
  5. A little testy... by tcopeland · · Score: 5, Funny
    ...from the article:


    Although VeriSign has been providing instructions on how to manually install
    the new Global Server Intermediate Root CA to all GSID customers since
    December, 2001, it is possible that some customers may not have noticed the
    reminder and are unaware of this issue.


    Heh.
    1. Re:A little testy... by schon · · Score: 5, Funny

      > Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue.

      Of course they neglected to include that the notice was on display on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'

  6. Use Openoffice by majorluser · · Score: 1, Funny

    Well that answers a lot of questions.. My M$ Word has been working terribly, however I thought that was status quo..

  7. Progress by Patrik_AKA_RedX · · Score: 5, Funny
    > they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site
    They DOSed their own site? Damn, they've made script kiddies obsolete.
  8. Duke Nukem by pantycrickets · · Score: 5, Funny

    > and if you have other apps with problems, please post about them below.

    I can't get the DOS version of Duke Nukem to run in Windows XP. Is this at all somehow related? Is there a fix??

  9. Heh. by American AC in Paris · · Score: 4, Funny
    > We had to do a little sleuthing today.

    In other news, Microsoft, Red Hat, Oracle, Sun, and Apple had to do a little coding today.

    Rumors abound that Arnold Schwarzenegger had to do a little governing today, but these allegations remain unconfirmed at this time. More at eleven.

    --

    Obliteracy: Words with explosions

  10. Fee was too high by sphealey · · Score: 4, Funny
    I bet their CFO wouldn't approve payment of Verisign's tremendously high fee to renew the certificate. "'Highway robbery,' he fumed. 'We aren't paying that fee!'".

    sPh

  11. You mean they didn't... by ricochet81 · · Score: 3, Funny

    route the traffic to some "SiteFinder service"?

    --
    Error: Id10t detected
  12. Re:Who needs them? by John Hasler · · Score: 5, Funny

    > ...when you're about to enter a credit card number
    > online it's assuring to see that the SSL cert is
    > signed by a real organization...

    Unfortunately, we usually have to settle for Verisign instead.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  13. problems by chunkwhite86 · · Score: 4, Funny

    > ...if you have other apps with problems, please post about them below.

    Well, now that you mention it, my mother hasn't been able to print for a week, my uncle's PC keeps running checkdisk on startup, and I'm having trouble compiling kernel 2.6.0.

    Oh yeah, and Unreal 2k3 has crappy frame rates on the 'Antalus' level, but maybe that's just my old ti4200 card.

    Um. I think that's it for now. So when are you going to help me with these?

    --
    I'd rather be a conservative nutjob than a liberal with no nuts and no job.
    1. Re:problems by tx_kanuck · · Score: 2, Funny

      1)Install the print driver...

      2)Remove Windows

      3)Post your error messages, and you might get help (but not likely)

      4)And last but not least, buy a better video card.

      --
      Now, if that makes sense to anyone, could you please explain it to me? I think I've confused myself.
  14. Re:Who needs them? by Anonymous Coward · · Score: 1, Funny

    There's actually a good reason for that -- self-signed certs don't protect you from DNS spoofing, which is ridiculously easy to do.

    There is a way to install your home-brew cert into IE and Netscape/Mozilla. This works well for internal users.

  15. What are you talking about? by Pieroxy · · Score: 5, Funny

    Unless you have a P75, I don't see what you are talking about. MSWord has always started in less than 3 seconds on my system (PIII 700) and I can tell you that sometimes it is terribly bloated (My system, not Word).

    Wait, did I just admit running Windows on slashdot? Bye bye Karma.

  16. Re:Fixed this today... by Soko · · Score: 4, Funny

    One fix up to this:

    Lesson: if the certificate expired yesterday, remove IIS and then reboot the thing.

    HTH. HAND.

    Soko

    --
    "Depression is merely anger without enthusiasm." - Anonymous
  17. Re:Duke Nukem (Forever!) by paulthomas · · Score: 2, Funny

    I hear that to get it to work with XP you need to upgrade to Duke Nukem Forever.


    *ducks*

  18. Re:null routing Certificate Revocation List Server by davidstrauss · · Score: 3, Funny
    > I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS.

    I think it beats another new "helpful" feature like "CRL Finder."

  19. Re:Fixed this today... by nettdata · · Score: 5, Funny

    Or, in the case of MS:

    Lesson: If __________________, reboot the thing.

    --



    $0.02 (CDN)
  20. Re:Who needs them? by Anonymous Coward · · Score: 1, Funny

    Hey, What did I do????

    signed,
    l33t_d00d@hotmail.com

  21. The one thing I could never stand about Santa Cruz by Thud457 · · Score: 3, Funny
    Personally, I trust you more than Verisign to:

    1. Not fuck up,
    2. Not fuck me over
    But don't let it go to your head, l33t_d00d, that says more about them than you.
    --

    the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff

  22. non-routable addresses ? by eguaj · · Score: 2, Funny
    > ... and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers.
    They are inserting non-routable addresses in DNS answers?
    Well, after all, I should not be surprised to hear that, after the wildcard affair. They are definitely the masters for messing their DNS...
  23. Explorer, IE, Excel, Word, IIS - XP, 2K by Sean Clifford · · Score: 2, Funny
    Man did this cause some serious headaches at work today; my phone rang all damned day with people insisting that their boxen were dragging and that it was somehow all my fault because I wrote a web app that generates spreadsheets. And no, they weren't using that application, but they had used it in the past, so...

    Wouldn't have been so bad if it was just my company, but folks from other companies, friends of friends, political buddies of friends of friends...

  24. Re:Who needs them? by RajivSLK · · Score: 2, Funny

    > P.S. That was a joke....

    Ummm, no it wasn't. You may *think* it was a joke, but trust me it wasn't.