gwion
wild colonial boy
Premium,ExMod 2001-08
join:2000-12-28
Pittsburgh, PA
| Note on firewalling... parenthetical...
Verisign appears to have brought up the same two servers some people were blocking because of the DNS-redirection issue of a few months back as revocation list servers. If you're blocking any Verisign servers as an artifact of those discussions, I strongly suggest you check the IP's you're blocking, by simply making a browser connection to them. If you retreive a list of certificates, then you're blocking a server that's been redelegated to act as a revocation list server. If you have those servers blocked, and you don't have the block set to prompt you when it's triggered, you might be getting messages that IE is unable to verify that the certificate hasn't expired/been revoked when you visit a secure site. I ran into this issue yesterday, while playing with some old rulesets I have archived for Kerio...
This might be more of a sidelong issue, but I thought it was worth mentioning, since some people may have certain Verisign servers blocked without a log or prompt, and have all but forgotten doing it. The two servers I traced are:
12.158.80.10 -- crl.verisign.com
and
64.94.110.11 -- crl.verisign.com
If either of these two servers is blocked, you stand a very good chance of being unable to verify certificates for revocation and expiry status, slowing down SSL connections, and creating error messages and a potential security vulnerability for yourself at a "phished" or fraudulant site... just an FYI... 
--
I read Shakespeare and the Bible, and I can shoot dice. That's what I call a liberal education. |
