Verisign Certificate Expiration Causes Multiple Problems
We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DoS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.
Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser. While this is fine for clued individuals, or internal sites and so on, things that are public-facing are more sensitive to that sort of thing.
It galls me every time I have to give someone on the officially "blessed CA" list money to do something I can do for myself in less time, but I don't know of an alternative that allows the public users of a secure website to not get alarming messages on their browser when they try to give us money.
unless you're an average user who doesn't read certificates anyway, and will just click yes on pretty much everything
this sig is deprecated
I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS. As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI) by making the revocation lists unavailable. Without CRL checking, Verisign certificates have no inherent integrity advantage over self-signed certificates. This is what we pay for?
Non-authoritative answer:
Name: crl.verisign.net
Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
198.49.161.200, 198.49.161.205, 198.49.161.206
Aliases: crl.verisign.com
Go figure.
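As an added example (not part of the post above), this Python script parses the quoted nslookup answer, separates the addresses a client can never reach from the routable ones, and models the soft-fail versus hard-fail choice a client faces when no copy of the CRL can be fetched, which is the trust dilution the post is describing. The reachability callback is a stand-in for the real network fetch.

```python
import ipaddress
import re
from typing import Callable, List, Tuple

# Constructed copy of the nslookup answer quoted in the post above.
NSLOOKUP_ANSWER = """Non-authoritative answer:
Name: crl.verisign.net
Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
198.49.161.200, 198.49.161.205, 198.49.161.206
Aliases: crl.verisign.com
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_addresses(answer: str) -> List[ipaddress.IPv4Address]:
    """Pull every IPv4 literal out of a pasted nslookup answer."""
    return [ipaddress.IPv4Address(m) for m in IPV4_RE.findall(answer)]


def split_routable(addrs):
    """Separate globally routable addresses from ones no client can reach
    (RFC 1918 private space, loopback, link-local and similar)."""
    routable = [a for a in addrs if a.is_global]
    sinkholed = [a for a in addrs if not a.is_global]
    return routable, sinkholed


def first_try_failure_rate(addrs) -> float:
    """Share of clients whose first round-robin answer points nowhere,
    assuming the resolver rotates the record set evenly and the client
    does not fall back to the other addresses."""
    _, sinkholed = split_routable(addrs)
    return len(sinkholed) / len(addrs)


def revocation_check(addrs, hard_fail: bool,
                     reachable: Callable[[ipaddress.IPv4Address], bool]) -> str:
    """Simulate a client trying each resolved CRL address in turn.
    hard_fail picks the policy when no copy of the CRL can be retrieved:
    reject the certificate, or accept it without a revocation check."""
    for a in addrs:
        if reachable(a):
            return "checked"
    return "rejected" if hard_fail else "accepted-unchecked"


if __name__ == "__main__":
    addrs = parse_addresses(NSLOOKUP_ANSWER)
    routable, sinkholed = split_routable(addrs)
    print(f"routable: {routable}\nsinkholed: {sinkholed}")
    print(f"first-try failure rate: {first_try_failure_rate(addrs):.0%}")
    print(revocation_check(addrs, hard_fail=False, reachable=lambda a: False))
```

With the whole CRL host down, a soft-fail client returns "accepted-unchecked", which is exactly the revocation blind spot the post objects to.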
It is stupid for VeriSign not to have taken the steps necessary to keep their CRL available under these conditions seeing that they get paid a lot of money to do only 2 things:
1) Be trustworthy
2) Be competent
The most unfortunate thing about this is that with VeriSign especially, I find them to be one of the _most_ untrustworthy companies on the planet (How many times have they mis-issued certificates now? And let's not forget all the screwups related to their DNS scams). So the question is, who do you go to for certificates? Can't sign your own because users may feel you're insecure (justifiable or not) and can't trust certificates from the "official" CAs, because... well that's like trusting the government to make sure you get all your tax deductions whether you knew they were owed you or not ;)
I just really wish I could find an affordable CA that I felt was trustworthy enough themselves as to feel safe making my customers trust their certificates.
I would have to say more users click on "yes" for everything. I have to reinstall several family members' computers because of spy/adware and a ton of other crap because they click yes to everything.
I didn't use the preview button, so get over it!!!!
Mike
"Trusted by 99.3% of current Internet users"
Now, is it just me or is that a funny statistic?
"...conducting sub $50 transactions (for sites conducting higher value transactions please see InstantSSL Pro or PremiumSSL certificate types)."
I really don't think I should disclose how big my transactions are to this company. It's really none of their business.
What if I'm selling bumper stickers for $5 and some user wants to buy all 12 of the kinds I have? Or is it only per item? If so, I could sell ICs for $1.75 each and just sell them in lots of 50,000 to OEMs.
“Common sense is not so common.” — Voltaire