Slashdot Mirror


Verisign Certificate Expiration Causes Multiple Problems

We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DoS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.

16 of 360 comments

  1. Saw this last night by gazuga · · Score: 2, Interesting

    I noticed the problem last night while paying my credit card bill online. Got a warning from IE that the site's certificate had expired. I was a little confused because the date for my CC company's cert was indeed valid. I thought it was just IE being stupid, but it makes sense now.

    --
    "I turn away with fright and horror from the lamentable evil of functions which do not have derivatives."
    1. Re:Saw this last night by Necrobruiser · · Score: 2, Interesting

      I had the same problem. When I called the customer support line to pay over the phone instead, I told the lady on the other end of the line that she may want to have someone let their IT guys know there was a problem with the certificate. She told me there was nothing wrong with the website, and that it must be my computer because she had "paid her bill online earlier in the day." I assured her that it was not my computer.
      By sheer coincidence, I had called to pay off and close my account (about $3000.) I think she thought she had really pissed me off when I closed the account!

      --
      "I planned within my means and got a fixed rate mortgage, so where's MY bailout?" -cafepress
  2. Unroutable, schmunroutable by marnanel · · Score: 4, Interesting

    Unroutable addresses? Anyone on a private corporate network which is large enough to use 10.0.0.0/8, who is unfortunate enough to have been allocated the IP addresses 10.0.0.{1,2,3}, may be experiencing a little more network load than usual today as every machine in the place tries to query them.

    --
    GROGGS: alive and well and living in
  3. Re:Who needs them? by wasabii · · Score: 2, Interesting

    Really the problem isn't just the message. It's the Chain Of Trust. It works as follows: Verisign only (in theory! hah!) issues certificates signed by their CA to organizations that can fax in appropriate identification. A browser "trusts" VeriSign to make proper decisions. A browser can be extended to trust other CAs; the real world problem is you can't extend every consumer's browser. Or can you? Hmm. :0

    For an office, you can create your own CA, to sign other certificates. You can use this one CA to sign all your services: web, email, etc. Then install the public key of the CA in every workstation during the installation procedure. Proper trust hierarchy... no annoying messages. That would be the point of the entire thing.

    It makes me wonder if you can attempt to install a self signed certificate in IE, will the user care? Is this a valid way to avoid VeriSign? You can do that by directing the user to a .crt file in IE... it will download it, and open it, and prompt the user to install it. I wonder if there is a way to make this more friendly for the user, through JavaScript for instance. "Dear Customer: you will be prompted on whether or not you trust Shopping.com's Certificate Authority to establish secure connections to our server. Accepting this is required in order to establish a secure connection to our server." I wonder if that would go over well....... seems like an easy way to escape VeriSign.

  4. Why should expired cert => CRL traffic spike?? by Y2 · · Score: 4, Interesting
    I'll take the risk of looking stupid and ask the musical question: Why should the expiration of a certificate cause an increase in traffic to a CRL server? Once a certificate has expired its revocation status is irrelevant. Revocation lists exist solely to cancel a key before its certificate expires.

    Or is it merely that some software automatically calls the mothership for new information on expiration, and the hostname of the mothership happens to start with "crl"?

    (Antidisclaimer: I operate five private CAs and delude myself that I basically understand this stuff.)

    --
    "But all your emitter and collector are belong to me!"
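    The private-CA setup wasabii describes in comment 3 (a local root that signs your own services and is installed in every workstation's trust store) and Y2's question in comment 4 about what an expired certificate does to chain validation can both be walked through with the openssl command line. The script below is an added example, not code from this thread, from VeriSign or from any of the posters: it builds a root CA, a deliberately short-lived intermediate and a longer-lived server certificate, then validates the chain as of a chosen clock time with `openssl verify -attime`. At a time past the intermediate's notAfter, OpenSSL rejects the chain and reports the failure at depth 1 (the intermediate) while the site certificate itself is still inside its validity period, which is the symptom gazuga reports in comment 1. The names, key sizes, validity periods and the `www.example.test` host are made up for the demo; the only dependency is an `openssl` binary with the `-attime` option.

```shell
#!/bin/sh
# Added example (not from the original page): a three-tier chain with a
# short-lived intermediate, validated at a chosen point in time.
# All names, key sizes and validity periods are invented for the demo.
set -eu

# make_chain DIR: root CA (10 years), intermediate CA (1 year), server leaf (2 years).
make_chain() {
    dir=$1
    cnf="$dir/openssl.cnf"
    # Minimal config so the demo does not depend on the system openssl.cnf.
    cat > "$cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
EOF
    # Self-signed root: the one certificate that gets installed in every workstation's trust store.
    openssl req -x509 -config "$cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Example Root CA" \
        -days 3650 2>/dev/null
    # Intermediate: signed by the root, and deliberately the shortest-lived link in the chain.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$cnf" -extensions ca_ext \
        -out "$dir/int.pem" 2>/dev/null
    # Server leaf: signed by the intermediate and valid for longer than its issuer.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$cnf" -extensions leaf_ext \
        -out "$dir/leaf.pem" 2>/dev/null
}

# chain_expiry DIR: print subject and notAfter of every link, leaf first,
# which is the quick way to see which certificate in a chain actually ran out.
chain_expiry() {
    for f in leaf int root; do
        printf '%s: %s, %s\n' "$f" \
            "$(openssl x509 -in "$1/$f.pem" -noout -subject)" \
            "$(openssl x509 -in "$1/$f.pem" -noout -enddate)"
    done
}

# verify_chain DIR EPOCH: validate the leaf against the root as if the clock read EPOCH.
# -attime only moves the validation clock; it does not fetch or consult a CRL, so this
# isolates the validity-period check. Exit status is openssl verify's own.
verify_chain() {
    openssl verify -attime "$2" -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem"
}

demo() {
    d=$(mktemp -d)
    make_chain "$d"
    chain_expiry "$d"
    now=$(date +%s)
    echo "--- validating one day from now:"
    verify_chain "$d" $((now + 86400))
    echo "--- validating 400 days from now (leaf still valid, intermediate is not):"
    verify_chain "$d" $((now + 400 * 86400)) || true
}

case "${1:-}" in
    demo) demo ;;
esac
```

    Run it as `sh chain_demo.sh demo`. The second verify prints an error at depth 1, the intermediate, even though `chain_expiry` shows the leaf's notAfter is still in the future; a client that only looks at the site certificate's dates, as gazuga did, sees nothing wrong. The same `verify -CAfile ... -untrusted ...` invocation works against a real server chain (the site certificate, the intermediate it sends, and your own root store) to find out which link expired.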
  5. Or.... by ccarter · · Score: 2, Interesting

    "Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue."

    Or like me, it's a case of it was fixed (I know it was because I was the one that did it in early 2002) and now they are trying to figure how (and when) it got broken again....

  6. Re:Duke Nukem by jez9999 · · Score: 2, Interesting
  7. Re:Who needs them? by GreyPoopon · · Score: 2, Interesting
    well that's like trusting the government to make sure you get all your tax deductions whether you knew they were owed you or not ;)

    You AREN'T going to believe it, but when I lived in the state of Delaware, they actually did this. Granted, they didn't notify me just so they could send me more money. They sent me a letter because one of my pieces of documentation somehow never got to them. When I called to find out exactly what they were missing, they told me that I had also missed one of my deductions that I could have taken. In the end, it only amounted to about $50, so it wasn't worth it to file an amendment and chance the audit flags in the future, but I was completely shocked that they pointed my mistake out.

    --
    GreyPoopon
    Why is it I can write insightful comments but can't come up with a clever signature?

  8. Not the first Verisign CRL certificate problem by securitas · · Score: 4, Interesting


    This vaguely reminds me of the fraudulent Verisign / Microsoft code-signing digital certificates that Verisign issued a few years back.

    While not an identical problem, an essential element of why those certificates were potentially harmful was also because of a problem with the CRL checking. Verisign didn't support CRL distribution points in their certificates and you all remember the problems that ensued.

    I found security researcher Gene Spafford's comments on the PKI / Verisign issue interesting, which were picked up in Bruce Schneier's Crypto-Gram. Schneier's comments on the incident as well as the Microsoft response are also worth reading.

    It's unbelievable that Verisign which claims to be in the business of Internet security and SSL/TLS digital certificates - the dominant company with 95%+ market share - could let their Root Certificate Authority expire, then force its users to effectively patch their systems by importing the new certificate for the root CA after the fact. That's just bad engineering.

    Yes, end-users need to take some responsibility for their systems, but PKI and related technologies are complex and not for novices. It's no better than the keep-your-patches-updated-and-use-a-firewall comment that Bill Gates made a couple of months ago. That's a bandage, not a solution.

  9. Re:null routing Certificate Revocation List Server by bertboerland · · Score: 2, Interesting

    updated to reflect real world:
    [root@kjell root]# host crl.verisign.net
    crl.verisign.net has address 198.49.161.206
    crl.verisign.net has address 198.49.161.200
    crl.verisign.net has address 198.49.161.201
    crl.verisign.net has address 198.49.161.202
    crl.verisign.net has address 198.49.161.205

    as of
    serial = 2004010701
    Thu Jan 8 23:17:57 CET 2004

    note the 01 in 2004010701

    --
    -- for undocumented cisco commands, take a peek @ dotu
  10. Re:Who needs them? by Anonymous Coward · · Score: 2, Interesting

    Excuse me, but I work not 50 feet from VeriSign's Authentication and Verification department, and they do so much verification of businesses purchasing SSL certs that they regularly get bitched out by customers for all the information they have to provide before the cert gets issued.

    State DBs are checked, D&B is checked, and multiple phone calls are made. With the obvious exception (remember the MS code signing cert misissue? or do you even know about that, you fucking moron?) of an employee who failed to follow procedure (and was subsequently let go for it), those people work their asses off to verify identities, regularly working overtime to make sure certs are issued in a timely manner.

    In short, shut the fuck up asshole. You don't know what the fuck you're talking about.

  11. Re:Who needs them? by cyberformer · · Score: 2, Interesting

    Verisign once issued a certificate to a fraudster who claimed to be Microsoft, prompting MS to issue an emergency patch for even otherwise-unsupported OSs.

    If Verisign won't even bother to verify the identity of their own partner in monopoly, do you really trust them to check anyone else's?

  12. Auto renewal of SSL certificates by Anonymous Coward · · Score: 1, Interesting

    You need something that will auto-renew your certificates. IMCentric has a good solution.

    www.imcentric.com

  13. I'm no socialist, but.... by spike2131 · · Score: 3, Interesting

    I would love to see the Federal Trade Commission start granting digital certificates for little or no cost. Governments are already responsible for public security, and for granting identification documents such as social security cards and drivers' licenses, and for communications services such as running the postal service and operating the Do Not Call Registry... why don't they do these things in the digital realm as well?

    Mind you, I'm not calling for government regulation of the Internet... and certainly there is no way that government certificates should be in any way a requirement for operating a secure website. There must still be commercial options available - and I'm sure they would become a lot more reasonably priced in the face of public competition. But if governments are going to start taxing the Net (which they will), then certifying SSL certificates is the kind of service that they should be giving people in return.

    --
    SpyDock: Scientific Python in a Docker container
  14. see also Windows Update by Siva · · Score: 3, Interesting

    I have walked a user through performing the following procedure, and she has reported success with her two machines. She is running Windows 2000 Pro with Office 2000 and NAV 2003 (only 99% sure about the last one).

    - go to http://windowsupdate.microsoft.com/
    - click Scan for Updates link (may be prompted to accept the ActiveX thing)
    - Navigate to the page of non-critical updates (ironic, no?)
    - Find the update named something like "Root Certificate Update" or "Root Certificate Authority" (can't remember which)
    - Install it
    - rejoice at the ability to use MS Word again :P

    --

    Keyboard not found.
    Press F1 to continue.
  15. The "What is telnet?" company ... by Anonymous Coward · · Score: 1, Interesting

    This is the company with a network support engineer who asked me "What is telnet?" during a support call .... Needless to say, I fixed the problem myself without the benefit of their "professional assistance".

    There will be much more idiocy coming from Verisign in the forthcoming years, I would bet. It's a company staffed with dumb (i.e. probably just underpaid) semi-tech people and driven by clueless marketeers and accountants who lack the ability and common sense to distinguish good ideas from extremely dumb ones.