Follow Slashdot stories on Twitter

 


Forgot your password?
Close
typodupeerror
×
Security Bug The Internet

Verisign Certificate Expiration Causes Multiple Problems 360

Posted by michael from the rot-at-the-root dept.
We had to do a little sleuthing today. Many readers wrote in with problems that turned out to be related. A certificate which Verisign used for signing SSL certificates has expired. When applications which depend on that certificate try to make an SSL connection, they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site, and Verisign has now updated the DNS record for that address to include several non-routable addresses, reducing the load on their servers. Some applications affected include older Internet Explorer browsers, Java, and Norton Antivirus (which may manifest itself as Microsoft Word being very slow to start). Hope this helps a few people, and if you have other apps with problems, please post about them below.
This discussion has been archived. No new comments can be posted.

Verisign Certificate Expiration Causes Multiple Problems More

Verisign Certificate Expiration Causes Multiple Problems

Comments Filter:

  • Now I'm confused. (Score:5, Funny)

    by grub ( 11606 ) <slashdot@grub.net> on Thursday January 08, 2004 @04:46PM (#7919915) Homepage Journal

    (which may manifest itself as Microsoft Word being very slow to start)

    But.. I thought this SSL certificate expired just today..

  • The reason is obvious (Score:5, Funny)

    by Anonymous Coward on Thursday January 08, 2004 @04:47PM (#7919934)
    In an effort to have us forget about SiteFinder, they're going for an even bigger fuck-up.

    Nice try, guys... now turn the CRL server back on.
  • There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

    • Re:Who needs them? (Score:5, Informative)

      by grub ( 11606 ) <slashdot@grub.net> on Thursday January 08, 2004 @04:48PM (#7919965) Homepage Journal

      Self-signed certificates are fine for Joe-Hobby website, but when you're about to enter a credit card number online it's assuring to see that the SSL cert is signed by a real organization and not "l33t_d00d@hotmail.com"

      • Re:Who needs them? (Score:5, Insightful)

        by winse ( 39597 ) on Thursday January 08, 2004 @04:53PM (#7920040) Homepage Journal
        unless your an average user who doesn't read certificates anyway, and will just click yes on pretty much everything

      • Re:Who needs them? (Score:5, Funny)

        by John Hasler ( 414242 ) on Thursday January 08, 2004 @04:59PM (#7920151) Homepage
        > ...when you're about to enter a credit card number
        > online it's assuring to see that the SSL cert is
        > signed by a real organization...

        Unfortunately, we usually have to settle for Verisign instead.

      • Verisign isn't the only game in town (Score:5, Informative)

        by justMichael ( 606509 ) on Thursday January 08, 2004 @05:06PM (#7920261) Homepage
        I use Instant SSL [instantssl.com] cheap, good service and I haven't seen any compatibility issues.

        • Re:Verisign isn't the only game in town (Score:4, Insightful)

          by OrangeTide ( 124937 ) on Thursday January 08, 2004 @05:58PM (#7921012) Homepage Journal
          "Trusted by 99.3% of current Internet users"

          now is it just me or is that a funny statistic?

          "...conducting sub $50 transactions (for sites conducting higher value transactions please see InstantSSL Pro or PremiumSSL certificate types)."

          I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

          What if I'm selling bumper stickers for $5. and some users wants to buy all 12 of the kinds I have? Or is it only per item? If so. I could sell ICs for $1.75 each and just sell them in lots of 50,000 to OEMs.

          • Re:Verisign isn't the only game in town (Score:4, Informative)

            by justMichael ( 606509 ) on Thursday January 08, 2004 @06:26PM (#7921434) Homepage
            "Trusted by 99.3% of current Internet users"

            Nope, it's a funny number, but it seems to be some kind if industry norm [whichssl.com].

            I really don't think I should disclose how big my transactions are to this company. It's really none of their business.

            Actually you don't. What this does is provides a sort of insurance to the consumer. See here [instantssl.com].

            It's just peace of mind for the consumer, that says that if I/you rip them off as an InstantSSL customer, InstantSSL will guarantee any fraudulant transaction up to the amount of your cert.

      • Re:Who needs them? (Score:3, Interesting)

        by wasabii ( 693236 )
        Really the problem isn't just hte message. It's the Chain Of Trust. It works as follows: Verisign only (in theory! hah!) issues certificates signed by their CA to organizations that can fax in appropiate identificaton. A browser "trusts" VeriSign to make proper decisions. A browser can be extended to trust other CA's, the real world problem is you can't extend every consumers browsers. Or can you? Hmm. :0 For an office, you can create your own CA, to sign other certificates. You can use this one CA, to si

      • Re:Who needs them? (Score:5, Informative)

        by Ben Hutchings ( 4651 ) on Thursday January 08, 2004 @06:27PM (#7921460) Homepage
        Self-certificates are worthless except when distributed through an existing secure channel. Without a proper certificate, all I know is I'm encrypting the session key with someone's public key, but I don't know whose it is. I might as well send the contents in the clear.

        • Re:Who needs them? (Score:3, Informative)

          by Anonymous Coward
          It is easier and less detectable to sniff a connection than it is to intercept and modify all data flowing over the connection. Thus a self signed cert is better than nothing, but it does indeed have obvious security failings.

    • Re:Who needs them? (Score:5, Insightful)

      by djh101010 ( 656795 ) on Thursday January 08, 2004 @04:52PM (#7920032) Homepage Journal
      Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser. While this is fine for clued individuals, or internal sites and so on, things that are public-facing are more sensitive to that sort of thing.

      It galls me every time I have to give someone on the officially "blessed CA" list money to do something I can do for myself in less time, but I don't know of an alternative that allows the public users of a secure website to not get alarming messages on their browser when they try to give us money.

      • Re:Who needs them? (Score:5, Insightful)

        by Roogna ( 9643 ) on Thursday January 08, 2004 @05:02PM (#7920205)
        The most unfortunate thing about this. Is that with VeriSign especially, I find them to be one of the _most_ untrustworthy companies on the planet (How many times have they mis-issued certificates now? And lets not forget all the screwups related to their DNS scams). So the question is, who do you go to for certificates? Can't sign your own because users may feel you're insecure (justifiable or not) and can't trust certificates from the "official" CA's, because... well that's like trusting the goverment to make sure you get all your tax deductions whether you knew they were owed you or not ;)

        I just really wish I could find an affordable CA that I felt was trustworthy enough themselves as to feel safe making my customers trust their certificates.

        • Re:Who needs them? (Score:2, Informative)

          by Anonymous Coward
          Thawte [thawte.com] - cheaper than Verisign, much easier to work with them, and will work fine in any 4.0+ browser.

          • Re:Who needs them? (Score:5, Informative)

            by KlomDark ( 6370 ) on Thursday January 08, 2004 @05:12PM (#7920364) Homepage Journal
            Uh, Thawte is owned [thawte.com] by Verisign, smart guy...

            But they are a lot cheaper for some reason... Go figure...

            • Re:Who needs them? (Score:3, Insightful)

              by Fnkmaster ( 89084 ) *
              True, but there are far cheaper options still that are effectively as good for 98%+ of the web surfing population. Go to www.ev1servers.net and get a GeoTrust certificate (GeoTrust acquired the old Equifax cert business, and the Equifax root cert is in browsers going back to IE 5.0 and Netscape 4.something I believe). And ev1servers.net will sell you a $150 retail price GeoTrust cert for 49 bucks. You'd have to really want to capture the "wicked old web browsers and Windows 95" market to justify the marg
          • Thawte [thawte.com] is also a wholy-owned subsidary of Verisign. So if you buy from Thawte you're buying form Verisign.

        • Re:Who needs them? (Score:3, Interesting)

          by GreyPoopon ( 411036 )
          well that's like trusting the goverment to make sure you get all your tax deductions whether you knew they were owed you or not ;)

          You AREN'T going to believe it, but when I lived in the state of Delaware, they actually did this. Granted, they didn't notify me just so they could send me more money. They sent me a letter because one of my pieces of documentation somehow never got to them. When I called to find out exactly what they were missing, they told me that I had also missed one of my deductions t

      • Well the question should be: Is there a community effort to provide the essentially same service for free combined with adding their basic certs to open source browsers like Moz and Konqueror?

        Because certs don't have to cost money, and the opensource community would be able to pull this off, wouldn't it?
        • Because certs don't have to cost money, and the opensource community would be able to pull this off, wouldn't it?

          The certificates issued by VeriSign are (in principle, assuming you can trust VeriSign, which you can't) based on validated identification using real-world documents. This is done manually, and requires time, hence staff, hence money.

          Further, VeriSign has the advantage that their certificates are in Internet Explorer, which is still the dominant browser. In fact *only* VeriSign (and its turncoa

      • Unfortunately, unless you buy a cert from one of the officially blessed cert authorities, your users get this ugly-looking "security warning" popup from their browser.

        Damnit, I thought this new-fangled Mozilla stopped all popups?





        P.S. That was a joke....

      • I would love to see the Federal Trade Commission start granting digital certificates for little or no cost. Governments are already responsible for public security, and for granting identification documents such as social security cards and drivers' licenses, and for communications services such as running the postal service and opperating the Do Not Call Registry... why don't they do these things in the digital realm as well?

        Mind you, I'm not calling for government regulation of the Internet... and certai

    • Re:Who needs them? (Score:5, Informative)

      by LostCluster ( 625375 ) * on Thursday January 08, 2004 @05:08PM (#7920291)
      There's software out there so anyone can sign a certificate. Who needs the suits at Verisign?

      Because a cert signed by you is useful for nothing more than "This conversation is encrypted, and I say I'm me." A cert signed by a Verisign translates to "This conversation is encrypted, and Verisign says I'm me."

      What good is that? Well, not much among geeks, we don't trust Verisign further than we can throw them, but we're depending on them to keep this silly DNS thing going. However, web browsers are set with a default list of trusted "Certificate Authorites" who are allowed to sign certificates. Companies who are on those lists can sign a certificate that'll work without errors, anybody else's certificate will prompt a message indicating that the name's right, the time's valid, but the issuing authority isn't on the list of authorities you trust. (You can manually add a new authority if you want... but try convincing users to do that!)

      The problem is, so many cheapskates have now signed their own certificate that the bogus authority error isn't stopping users since it's so common when nothing's really wrong. As a result, we're seeing a lot of look alike sites use SSL to get the padlock to come up, and users not being phased by the red-flag alerts that this doesn't seem to be the site they think it is.

  • Hmmmm... (Score:5, Funny)

    by TWX ( 665546 ) on Thursday January 08, 2004 @04:48PM (#7919945)
    Well, it's good to know that not only crackers or script kiddies are good at taking down Verisign's services, that their own staff is good at it too.

  • A little testy... (Score:5, Funny)

    by tcopeland ( 32225 ) * <tom AT thomasleecopeland DOT com> on Thursday January 08, 2004 @04:48PM (#7919947) Homepage
    ...from the article:


    Although VeriSign has been providing instructions on how to manually install
    the new Global Server Intermediate Root CA to all GSID customers since
    December, 2001, it is possible that some customers may not have noticed the
    reminder and are unaware of this issue.


    Heh.

    • Re:A little testy... (Score:5, Funny)

      by schon ( 31600 ) on Thursday January 08, 2004 @05:20PM (#7920457)
      Although VeriSign has been providing instructions on how to manually install the new Global Server Intermediate Root CA to all GSID customers since December, 2001, it is possible that some customers may not have noticed the reminder and are unaware of this issue.

      Of course they neglected to include that the notice was on display on the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying 'Beware of the Leopard.'

  • If people are getting errors coming to your site.. (Score:5, Informative)

    by nharmon ( 97591 ) on Thursday January 08, 2004 @04:49PM (#7919976)
    saying that your certificate is expired or not yet valid...except that it is...you need to go here [verisign.com].

  • Progress (Score:5, Funny)

    by Patrik_AKA_RedX ( 624423 ) on Thursday January 08, 2004 @04:49PM (#7919990) Journal
    they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site
    They DOSed their own site? Damn, they've made script kiddies obsolete.
    • they fail and try to access crl.verisign.com, the certificate revocation list server. This has effectively DOS'ed that site


      They DOSed their own site? Damn, they've made script kiddies obsolete.

      Nah, they're just lifting plays from the SCO playbook. They'll be blaming Linux users for the DOS soon.

  • Duke Nukem (Score:5, Funny)

    by pantycrickets ( 694774 ) on Thursday January 08, 2004 @04:50PM (#7920006)
    and if you have other apps with problems, please post about them below.

    I can't get the DOS version of Duke Nukem to run in Windows XP. Is this at all somehow related? Is there a fix??

    • Re:Duke Nukem (Score:2, Informative)

      by Valegor ( 693552 ) *
      I have installed and still occasionally play the dos version of Duke Nukem(and of course doom) on an XP machine. I just had to change the compatibility mode on the executable. Compatibility mode is the only reason I upgraded to XP from 2000.
      • Compatibility mode exists in Windows 2000, unless you meant to imply that compatibility mode works better in XP. I have not used it in XP and cannot comment on that, but have had a low rate of success using it in win2k.
    • I hear that to get it to work with XP you need to upgrade to Duke Nukem Forever.


      *ducks*

    • Re:Duke Nukem (Score:3, Interesting)

      by jez9999 ( 618189 )
      DOSbox link [sourceforge.net] :-)

  • Fixed this today... (Score:5, Informative)

    by heironymouscoward ( 683461 ) <heironymouscowar ... .com minus punct> on Thursday January 08, 2004 @04:51PM (#7920013) Journal
    On one of our customers' systems (IIS). Turns out they had already installed the new Verisign intermediate certificate but had not removed the old one. IIS happily used the old one...

    Lesson: if the certificate expired yesterday, remove it from IIS and then reboot the thing.
  • Does nobody use DNS Round Robin?

  • Heh. (Score:5, Funny)

    by American AC in Paris ( 230456 ) on Thursday January 08, 2004 @04:54PM (#7920052) Homepage
    We had to do a little sleuthing today.

    In other news, Microsoft, Red Hat, Oracle, Sun, and Apple had to do a little coding today.

    Rumors abound that Arnold Schwarzenegger had to do a little governing today, but these allegations remain unconfirmed at this time. More at eleven.

  • null routing Certificate Revocation List Server. (Score:5, Insightful)

    by Dengue ( 10077 ) on Thursday January 08, 2004 @04:55PM (#7920080) Homepage
    I find it particularly disturbing that their solution to too much traffic to their CRL server is to use non-routable addresses in DNS. As a result of this action, they have reduced the integrity of their certificates (yes, that means diluting TRUST, which is the foundation of PKI) by making the revocation lists unavailable. Without CRL checking, Verisign certificates have no inherit integrity advantage over self-signed certificates. This is what we pay for?

    Non-authoritative answer:
    Name: crl.verisign.net
    Addresses: 10.0.0.1, 10.0.0.2, 10.0.0.3, 64.94.110.11
    198.49.161.200, 198.49.161.205, 198.49.161.206
    Aliases: crl.verisign.com

  • Saw this last night (Score:2, Interesting)

    by gazuga ( 128955 )
    I noticed the problem last night while paying my credit card bill online. Got a warning from IE that the site's certificate had expired. I was a little confused because the date for my CC company's cert was indeed valid. I thought it was just IE being stupid, but it makes sense now.
    • I had the same problem. When I called the cutomer support line to pay over the phone instead, I told the lady on the other end of the line that she may want to have someone let their IT guys know there was a problem with the certificate. She told me there was nothing wrong with the website, and that it must be my computer because she had "paid her bill online earlier in the day." I assured her that it was not my computer.
      By sheer coincidence, I had called to pay off and close my account (about $3000.)

  • Windows Explorer (Score:5, Informative)

    by thedillybar ( 677116 ) on Thursday January 08, 2004 @04:55PM (#7920090)
    I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.
    As the article states, this also resolves to some unroutable IPs:

    198.49.161.205
    198.49.161.206
    10.0.0.1
    10.0.0.2
    10.0.0.3
    64.94.110.11
    198.49.161.200
    Windows Explorer also appears to freeze (at least temporarily) if a firewall (or presumably a lack of Internet connection) prevents this from being made. It's possible, however, that if crl.verisign.com will not resolve, it will not freeze as it will if it resolves but cannot connect. Unfortunately, this is still a problem even if you have an Internet connection because of the stability (or lack thereof) of the Verisign site.

    • Unroutable, schmunroutable (Score:5, Interesting)

      by marnanel ( 98063 ) <slashdot&marnanel,org> on Thursday January 08, 2004 @05:16PM (#7920407) Homepage Journal
      Unroutable addresses? Anyone on private corporate networks which are large enough to use 10.0.0.0/8, who are unfortunate enough to have been allocated the IP addresses 10.0.0.{1,2,3}, may be experiencing a little more network load than usual today as every machine in the place tries to query them.
    • I noticed this happening yesterday on my WinXP machine. After clicking Start->Programs and right-clicking on any icon, c:\windows\explorer.exe attempts to connect to crl.verisign.com [198.49.161.200], port 80.

      Now let me get this straight, even if you are not using a web browser, or doing anything related to the Internet, this still happens ?

      Who in the heck does Microsoft have coding their products ? And what else does Windows XP do without your knowledge ?

  • Fee was too high (Score:5, Funny)

    by sphealey ( 2855 ) on Thursday January 08, 2004 @04:56PM (#7920102)
    I bet their CFO wouldn't approve payment of Verisign's tremendously high fee to renew the certificate. "'Highway robbery,' he fumed. 'We aren't paying that fee!'".

    sPh

  • You mean they didn't... (Score:3, Funny)

    by ricochet81 ( 707864 ) on Thursday January 08, 2004 @04:58PM (#7920124)
    route the traffic to some "SiteFinder service"?

  • VeriSign is lame (Score:5, Insightful)

    by Anonymous Coward on Thursday January 08, 2004 @04:58PM (#7920127)
    It is stupid for VeriSign not to have taken the steps necessary to keep their CRL available under these conditions seeing that they get paid a lot of money to do only 2 things:

    1) Be trustworthy
    2) Be competent
    • [Verisign] get paid a lot of money to do only 2 things: 1) Be trustworthy; 2) Be competent

      It's a shame they have never been able to do either one of these then isn't it?

  • Also problems with Oracle (Score:3, Informative)

    by jgerry ( 14280 ) * <jason...gerry@@@gmail...com> on Thursday January 08, 2004 @05:01PM (#7920187) Homepage
    Well, not the Oracle database directly... But Oracle sent out a memo that certain Oracle products (Oracle Wallet Manager, in particular) would simply cease to function properly until the user upgraded their Verisign certificate(s).

    I can't find ANY info on Oracle's website about this, though. The memo was sent to Oracle Premium Support customers but I don't know if the info has been generally distributed.

    Woops!

  • Oracle notified me of this yesterday... (Score:3, Informative)

    by Perrin7 ( 671365 ) on Thursday January 08, 2004 @05:02PM (#7920209)
    I received the following email yesterday: Oracle Corporation has been notified by Sun that the set of VeriSign Class 2 and Class 3 Certificates used in Oracle products will be expiring on January 7, 2004. Please review MetaLink Doc 260332.1: Expiration of VeriSign Class 2/Class 3 Certificates on Jan 7,2004 for detail information.

  • problems (Score:5, Funny)

    by chunkwhite86 ( 593696 ) on Thursday January 08, 2004 @05:03PM (#7920228)
    ...if you have other apps with problems, please post about them below.

    Well, now that you mention it, my mother hasn't been able to print for a week, my uncle's PC keeps running checkdisk on startup, and I'm having trouble compiling kernel 2.6.0.

    Oh yeah, and Unreal 2k3 has crappy frame rates on the 'Antalus' level, but maybe thats just my old ti4200 card.

    Um. I think that's it for now. So when are you going to help me with these?

    • Re:problems (Score:3, Funny)

      by tx_kanuck ( 667833 )
      1)Install the print driver...

      2)Remove Windows

      3)Post your error messages, and you might get help (but not likely)

      4)And last but not least, buy a better video card.
  • If you have to upgrade and you're running Java on a Linux system that also runs RPM, why not head over to JPackage [jpackage.org] and download the spec for the 1.4.2_03 SDK? It would be a great opportunity to run an LSB compliant Java installation and support a fantastic open source project.

  • Workaround to Explorer problems (Score:5, Informative)

    by BigJavaGeek ( 649952 ) on Thursday January 08, 2004 @05:07PM (#7920280)
    Because of the crl problems, Explorer has been acting slowly doing some seemingly unrelated activities. Copying or right-clicking on folders often is followed by a several second hang. To workaround, deselect "Check for publisher's certificate revocation" under the Advanced setting for IE (even though it is not IE running, that's where the setting should be changed). After this, no more Explorer hangs. Hope this helps someone. If you know why Explorer is checking crls for anything when doing a copy operation on files, please post.
    • I have this option set to on, but cannot reproduce your results. This may be due to the firewall here, but based on what I've been reading, that shouldn't be affecting things.
    • I guess Microsoft's tight browser / OS integration attempts backfired on them again.

      That is pretty retarded.

    • Re:Workaround to Explorer problems (Score:5, Informative)

      by JoeShmoe ( 90109 ) <askjoeshmoe@hotmail.com> on Thursday January 08, 2004 @05:45PM (#7920799)
      I think you missed something in the blurb about this problem. The problem is Norton Antivirus, not Explorer. Norton is probably doing some kind of check on its virus signature files by validating their signature. This function is probably being handled by IE as the default browser function, which is getting hung up on the unroutable revocation site.

      So, to clarify, when you try to do a file operation, like copy, Norton intercepts the operation so it can check the file for a virus, then gets itself held up while waiting for IE to tell it if the signature is valid so it can check for that virus. End result is that Explorer never gets an answer from Norton and the operation hangs. Ditto for Word and other applications Norton watches closely.

      I too had this same problem on one of two Dell laptops. One used the default McAfee ScanShield that came with it, the other had been reloaded with Norton Anti-Virus. That machine had all sorts of crazy errors, such as Word hanging during opening, hanging when you right-clicked a file, hanging when you tried copying files.

      The system also had ooodles of pending updates from Microsoft that had been downloaded but not installed. I'm willing to bet one of them was a root server update or similar. Of course, the problem could be on Norton's end, meaning they need to update the security cert on their server? I'm not sure exactly how it works.

      - JoeShmoe
      .
  • We've purchased our SSL Certs from VeriSign for the last four years. We didn't recieve a single email from them EVER saying that our clients users (over 10,000 a day) might see this because of their cert expiring.

    What a crock.

  • Its happening on most servers. (Score:5, Informative)

    by Steepe ( 114037 ) on Thursday January 08, 2004 @05:17PM (#7920418) Homepage
    Very nice of them to.. I don't know.. let someone know before today. We spent a ton of staff time this morning trying to figure out why we could connect to our servers but not the payment engines via ssl. 4 hours later we figured it out.

    Couple of nice links.

    http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc= fs alert%2F57436
    http://www.verisign.com/support/ven dors/exp-gsid-s sl.html

  • Why should expired cert => CRL traffic spike?? (Score:4, Interesting)

    by Y2 ( 733949 ) on Thursday January 08, 2004 @05:29PM (#7920584)
    I'll take the risk of looking stupid and ask the musical question: Why should the expiration of a certificate cause an increase in traffic to a CRL server? Once a certificate has expired its revocation status is irrelevant. Revocation lists exist solely to cancel a key before its certificate expires.

    Or is it merely that some software automatically calls the mothership for new information on expiration, and the hostname of the mothership happens to start with "crl"?

    (Antidisclaimer: I operate five private CAs and delude myself that I basically understand this stuff.)

  • Or.... (Score:2, Interesting)

    by ccarter ( 15555 )
    "Although VeriSign has been providing instructions on how to manually install
    the new Global Server Intermediate Root CA to all GSID customers since
    December, 2001, it is possible that some customers may not have noticed the
    reminder and are unaware of this issue."

    Or like me, it's a case of it was fixed (I know it was because I was the one that did it in early 2002) and now they are trying to figure how (and when) it got broken again....
  • That almost read like a real news story!

  • Warning: broken apps you might not think about (Score:5, Insightful)

    by Delirium Tremens ( 214596 ) on Thursday January 08, 2004 @06:00PM (#7921038) Journal
    if you have other apps with problems, please post about them below.
    Interestingly enough, apps that use the old Verisign certificate and that didn't have visible problems today are also to be considered broken. Those apps have a much bigger problems that the apps that broke today. Those apps should have failed today. The fact that they didn't proves that their certificate checking logic is buggy and shows that they are actually prone to attack. Those applications are much less secure than the ones that broke today. Actually, the apps that broke today didn't actually break. They were the only ones to behave correctly.

  • CA certs in Java (Score:4, Informative)

    by VC ( 89143 ) * on Thursday January 08, 2004 @06:01PM (#7921069)
    There is a file in the JDK called cacerts.
    (find . -name cacerts is your friend), this contains the certificates Java uses when initiating ssl connections.
    As of yesterday Sun was still shipping java with the expired 3a certificate.
    The way to include the new 3a certificate is to use the keytool command.
    The format is somthing like: keytool -v -keystore cacerts -import newcert.pem
    The default password for java's cacerts file is "changeit"
    VC
    ps how many geek points do i get for fixing this last week?

  • There are alternatives to Verisign... (Score:3, Informative)

    by rufey ( 683902 ) on Thursday January 08, 2004 @06:46PM (#7921684)
    I used to work for one of VeriSign's competitors in the PKI world, and there are other options other than going to VeriSign. However, there were only two that I could find today on the net. Some of the others I knew about apparently don't exist anymore.

    beTRUSTed [betrusted.com], which recently purchased [baltimore.com] Baltimore's CyberTrust and OmniRoot businesses. I used Baltimore's certs all the time to avoid VeriSign.

    Digital Signature Trust [digsigtrust.com], a subsidiary of Identrus [identrus.com]. I've used their TrustID certs to avoid giving money to VeriSign as well.

    Both of the above certificate authorities have their roots in the most current IE and Netscape/Mozilla browsers. Digital Signature Trust does a lot of stuff with banks (being owned by Identrus, which was created by a bunch of banks).

  • My company was affected... (Score:3, Informative)

    by retro128 ( 318602 ) on Thursday January 08, 2004 @07:37PM (#7922234)
    I work at a CNC machine shop and the app that sends programs to the machine broke today because of that. I would have never heard about it if it wasn't for my brother in law, who works for a company running the same application.

    The fix was as follows: Open Internet Options, click Advanced tab. Under Security turn off both Check for Server Certificate Revocation and Check for Publisher Certificate Revocation. I think this fix should work for other apps that are affected by the same problem...Thought I'd pass it along.

    On a side note, it's pretty scary that this has happened to begin with. What I had to go though was pretty minor since the problem was on one machine, but what about an entire enterprise with an app installed on 1000's of computers that were broken because of this? Because of all this ridiculous "signed app" nonsense, not only are you down, but through proxy Microsoft made you dependant on one of the biggest bastardized companies I know...Verisign. Don't expect this problem to fix itself in a timely manner.

    If this is a sign of things to come, Palladium will bring Hell on earth.

  • Explorer, IE, Excel, Word, IIS - XP, 2K (Score:3, Funny)

    by Sean Clifford ( 322444 ) on Thursday January 08, 2004 @08:31PM (#7922756) Journal
    Man did this cause some serious headaches at work today; my phone rang all damned day with people insisting that their boxen were dragging and that it was somehow all my fault because I wrote a web app that generates spreadsheets. And no, they weren't using that application, but they had used it in the past, so...

    Wouldn't have been so bad if it was just my company, but folks from other companies, friends of friends, political buddies of friends of friends...

  • see also Windows Update (Score:4, Interesting)

    by Siva ( 6132 ) on Thursday January 08, 2004 @10:48PM (#7923860) Homepage Journal
    I have walked a user through performing the following procedure, and she has reported success with her two machines. She is running Windows 2000 Pro with Office 2000 and NAV 2003 (only 99% sure about the last one).

    - goto http://windowsupdate.microsoft.com/ [microsoft.com]
    - click Scan for Updates link (may be prompted to accept the ActiveX thing)
    - Navigate to the page of non-critical updates (ironic, no?)
    - Find the update named something like "Root Certificate Update" or "Root Certificate Authority" (can't remember which)
    - Install it
    - rejoice at the ability to use MS Word again :P

Slashdot Top Deals

One man's constant is another man's variable. -- A.J. Perlis

Close