Slashdot Mirror

← Back to Stories (view on slashdot.org)

Verisign Certificate Expiration Causes Multiple Problems

Posted by michael on from the rot-at-the-root dept.

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.

5 of 360 comments (clear)

  1. Re:Who needs them? by djh101010 · · Score: 5, Insightful

    Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser. While this is fine for clued individuals, or internal sites and so on, things that are public-facing are more sensitive to that sort of thing.

    It galls me every time I have to give someone on the officially "blessed CA" list money to do something I can do for myself in less time, but I don't know of an alternative that allows the public users of a secure website to not get alarming messages on their browser when they try to give us money.

  2. Re:Who needs them? by winse · · Score: 5, Insightful

    unless your an average user who doesn't read certificates anyway, and will just click yes on pretty much everything

    --
    this sig is deprecated
  3. null routing Certificate Revocation List Server. by Dengue · · Score: 5, Insightful

    I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS. As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI) by making the revocation lists unavailable. Without CRL checking, Verisign certificates have no inherit integrity advantage over self-signed certificates. This is what we pay for?

    Non-authoritative answer:
    Name: crl.verisign.net
    Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
    198.49.161.200, 198.49.161.205, 198.49.161.206
    Aliases: crl.verisign.com

    --
    Go figure.
  4. VeriSign is lame by Anonymous Coward · · Score: 5, Insightful

    It is stupid for VeriSign not to have taken the steps necessary to keep their CRL available under these conditions seeing that they get paid a lot of money to do only 2 things:

    1) Be trustworthy
    2) Be competent

  5. Re:Who needs them? by Roogna · · Score: 5, Insightful

    The most unfortunate thing about this. Is that with VeriSign especially, I find them to be one of the _most_ untrustworthy companies on the planet (How many times have they mis-issued certificates now? And lets not forget all the screwups related to their DNS scams). So the question is, who do you go to for certificates? Can't sign your own because users may feel you're insecure (justifiable or not) and can't trust certificates from the "official" CA's, because... well that's like trusting the goverment to make sure you get all your tax deductions whether you knew they were owed you or not ;)

    I just really wish I could find an affordable CA that I felt was trustworthy enough themselves as to feel safe making my customers trust their certificates.