  lakino Premium join:2003-04-03 Campbell, CA | painfully slow.... I feel the pain! Now I understand where it's coming from...
Grrrrrrrrr.... -- Why do people like .sig files so much? Baffling to me... | |
|  |  RafS
join:2003-03-06 Miami, FL | Re: painfully slow.... Well, too late, wish I'd read it before I defragged, ran ad-aware, spybot, disk cleanup...lol | |
|  |  cagr
join:2004-01-08 San Diego, CA
| Like others I think I'm having this problem today but I'm not that technically savvy when it comes to troubleshooting problems so maybe if I explain what's going on you can tell me if this is related.
When I went to use my computer today, programs such as word, excel, norton were taking forever to open. I'd just get the nice hourglass icon and then 30 seconds later the program would open. Also when I right click on any file or folder, the same thing happens.
I've defragged, run Spybot and ad-aware, used the online scan at mcafee.com, and also run a full system scan using norton and everything shows up clean.
Am I way out in left field with this or are my problems related to what is going on with these certs? | |
|  |  |   larryhay Premium join:2003-05-15 Saint Louis, MO clubs: | Re: painfully slow.... It is EXACTLY having to do with the Norton and the certs | |
|   Mellow Premium join:2001-11-16 Salisbury, MD | ahh I just figured it was time to defrag | |
|   BigCreek God Is Good. Premium join:2002-06-25 Heber Springs, AR | I haven't noticed anything ... Course I run Linux. | |
|  |   Smitedogg Uzbekikitty Premium join:2000-11-11 Pueblo, CO
| Re: I haven't noticed anything ... I run Linux, and have had a few problems. One example is how Evolution doesn't like connecting to my mail-server with its now-expired certificate. It hangs for a good minute before printing out the problem. Another is using Mozilla at certain sites.
Dogg -- Lexing is...well, I don't know. It's driving me nuts! | |
|  |   JAAulde yum yum yum yum yum Premium,MVM join:2001-05-09 Hagerstown, MD
| said by BigCreek : Course I run Linux.
Course that has nothing to do with it. | |
|  |   mod bait Premium join:2001-06-11 Rochester, NY | Haven't noticed anything, because... You're too busy thinking up anti-Microsoft taglines and witty forum posts like that one? -- If I start giving a damn what your political or religious views are, I'll ask. Really. | |
|  |  |   hurleyp
join:2000-06-20 Ottawa, ON
·Rogers Hi-Speed
| Certs! I noticed that my machine was really crawling this morning. I checked for the usual suspects, ran Ad-Aware, Spybot, disk clean up, etc. I have a nice clean system, but I guess the problem was not between the chair and the keyboard this time! 
I hope this is cleaned up PDQ! | |
|   outspoken72 An Irish Jayhawk Premium join:2000-10-03 | ...sending...reports.... must....defrag....oh....wait...it's due....to...expired....certs....great...will ...get done...when....I can. -- "The grass may be greener on the other side, but you still have to mow it." | |
|  |  |   StuartMW Who Is John Galt? Premium join:2000-08-06 Austin, TX | Now I know why ... I got invalid certificate messages from some financial institution sites this morning. Seems they didn't update their servers as Verisign instructed. -- Don't feed the trolls--it only makes them grow! | |
|   Jason Levine Premium join:2001-07-13 Albany, NY | I don't use Verisign Luckily, I don't use Verisign for SSL certs for my company's sites so users shouldn't experience any of the problems while browsing with us. We use GeoTrust instead. They are much less expensive. | |
|  |  |  |  |   Jason Levine Premium join:2001-07-13 Albany, NY
| Re: I don't use Verisign said by nixen : If you use any kind of certificates that make use of intermediate certificate authorities, you will potentially be affected some day. Using different company's certs won't insulate you from that. Eventually, all certificate authority certificates expire - even GeoTrust's.
Ah, thanks for the clarification. I just checked and it seems that GeoTrust's cert expires in 2018. So I'll have to worry about this in 14 years (if I'm using the same server and haven't updated the cert). -- -Jason Levine http://www.jasons-toolbox.com/ http://www.PCQandA.com/ http://www.urateit.com/ | |
|   catseyenu Ack Pfft Premium join:2001-11-17 Fix East
| Verisign Strikes Again... »slashdot.org/article.pl?sid=04/0···2&tid=95 "by Anonymous Coward on Thursday January 08, @03:47PM (#7919934) In an effort to have us forget about SiteFinder, they're going for an even bigger f-_k-up.
Nice try, guys... now turn the CRL server back on."
LMAO! | |
|   viperpa33s Why Me? Premium join:2002-12-20 Bradenton, FL
·Bright House
| They should be called Veristink The company that I work for, the Verisign certificate for their website expired last night at around 7pm. After contacting the web hosting site IBM, and tracing the problem back to Verisign, was able to get the website up and running about 3 hours later.
The question is, who is responsible for this snafu? First we had the problem with Verisign rerouting people to their website if a person misspells a name. Now we have Verisign SSL certificates expiring causing many websites to go down and applications not working correctly. Seems to me that Verisign needs more oversight or their position over the internet taken away from them. | |
|  |  colton2
join:2002-10-26 | Re: They should be called Veristink LoL I too ran disk cleanup, defrag, adaware, spybot, and made sure settings were ok. Doh! | |
|  |  |  |  |   Logwind
join:2003-06-20
2 edits | Verisign? 
Can someone explain what a certificate actually does and how its expiration can induce slow downs in multiple pieces of software?
From the thread in the Security forum, I'm surmising that NAV users comprise the majority that's being affected. I'm using AVG and am experiencing nothing out of the ordinary.
Thanks. -- PIPE. | |
|  |   nixen Rockin' the Boxen Premium join:2002-10-04 Alexandria, VA
·Cox HSI
·Speakeasy
| Re: Verisign? NAV (and other programs) have routines that regularly and automatically keep them updated. They typically do this via HTTP operations. Due to the sensitivity of the data and wanting to prevent session hijacks, they typically set up the update servers with SSL certificates that verify the update servers' identities to the clients. If the certificates have expired, the clients may sit there, aborting and retrying the connection over and over. This kind of fibrillation will eat your CPU (and memory, since each SSL negotiation attempt requires a non-trivial amount of resources to compute).
-tom -- "There are 10 types of people in the world... those who understand binary and those who don't." "That's only 2 types of people, moron" | |
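An added example, not part of the thread and not any vendor's code: a sketch of an update client that treats a certificate validation failure as permanent and stops, while backing off on transient network errors, so the abort-and-retry loop described in the post above cannot spin. `fetch_update`, `UpdateFailed` and the `connect` callable are hypothetical names.

```python
import ssl
import time


class UpdateFailed(Exception):
    """The update check gave up; `permanent` tells the scheduler not to retry soon."""

    def __init__(self, reason, attempts, permanent):
        super().__init__(f"{reason} after {attempts} attempt(s)")
        self.reason, self.attempts, self.permanent = reason, attempts, permanent


def fetch_update(connect, max_attempts=5, base_delay=1.0, max_delay=60.0,
                 sleep=time.sleep):
    """Call connect() (hypothetical: opens the TLS session and returns the payload).

    Certificate validation errors are not retried: an expired server or
    intermediate certificate fails identically on every attempt.
    Transient network errors are retried with capped exponential backoff.
    """
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        try:
            return connect()
        except ssl.SSLCertVerificationError as exc:
            raise UpdateFailed(f"certificate rejected ({exc})", attempt, True) from exc
        except (ConnectionError, TimeoutError) as exc:
            if attempt == max_attempts:
                raise UpdateFailed("server unreachable", attempt, False) from exc
            sleep(delay)
            delay = min(delay * 2, max_delay)


if __name__ == "__main__":
    def expired_server():  # constructed stand-in for a server with an expired chain
        raise ssl.SSLCertVerificationError("certificate has expired")

    try:
        fetch_update(expired_server)
    except UpdateFailed as err:
        print(err, "| permanent:", err.permanent)
```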
|   MEDIAN2k3 Where Ya Goin? Premium join:2002-12-04 Bronx, NY clubs:  | ool country no slow down here in ool country. -- I Shall Call Him Mini Me!!! | |
|   Maggs Premium join:2002-11-29 Woodside, NY
·RCN CABLE
2 edits | Certs Debunked cert with MD5 checksums |  128 bit encryption |
What a security cert is, it's a lock and key system. If a site has a lock, the cert is the key to enable safe transport of data across a network. When Verisign's certs expire and are not renewed, applications that rely on them often don't trust the server they are connected to. Would you trust a guy that just came up to you asking for money for a charity without proper documentation?
When these site certs expire, the programs automatically check to make sure everything is on the up and up by going to Verisign Certification Revocation List (CRL) server, to make sure the program hasn't missed a notice and the program you use updates its cert records on the spot. Even Internet Explorer uses certs to verify data and the identity of a remote computer, such as the ones used by your bank in Online Banking Transactions.
One way to check the validity of a site is to double click the lock icon when you see it on a site. This will open the SSL properties for the cert.
The certificate will give you a couple of pieces of info these include:
Try »https://www.bankone.com
You will see the closed lock icon. If you double click you can see its properties.
Shown are two examples of SSL cert pages in Mozilla, the alternative to Internet Explorer with a built in popup blocker.
My college has a secure site that is 1024 bit encrypted. Bank One is only 128 bit encrypted. 128 bit is the most common encryption method, it took a team of people on BBR 5 years to "brute force" a 72 bit key, check out the RC5 project here on BBR for more details.
NOTICE: the https:, this means Bank One is a secure site; always look for that in your address bar, and also double click the icon since A LOCK CAN BE FAKED, if you know what to do.
Verisign messed with my credit card company Capital One for 6 months on a domain name charge that I cancelled and they kept billing, so I wouldn't trust them as far as I could throw the CEO. | |
|  rid0617
join:2003-07-20 Greer, SC | Hmmmm Well, at least I now know there are to spyware programs and my computer is nicely defragged. | |
|   rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
| Application impact
I work for a large financial institution and we ran into production outages due to the expired intermediate CA certificate. The issue was not the web interfaces themselves. We renew our certificates on a yearly basis, so the associated intermediate certificate was updated throughout this past year on the majority of our frontend sites. The problems were really on backend application servers where various components would talk between servers using SSL. Those components could no longer establish their SSL sessions once the certificate expired. No one thought to look at all the application software that was using certificates that were tied to this old intermediate certificate. It slipped under the radar somehow.
Personally, I don't feel that Verisign did enough to warn their customers and make a big enough deal about it. Because of that most customers missed the warnings or weren't sure how they would be affected. Even as of yesterday you still had to find the link buried on Verisign's support page and there was no flashing bold red notice on their main page anywhere. In our case, our certificates are managed by a central internal security team. They would have received any notices in their group mailbox, since all of our certificates have their contact information listed. They did not forward this information on to any of the internal groups that handle the various applications and webservers. Communication breakdown. I don't think they understood the potential impact and so they didn't think we would have any problems.
Beyond not providing sufficient warning, Verisign did not fully explain that if you were running with the old intermediate certificate that you could just update it and not affect existing certificates signed after a certain date. This information again was buried deep. I was under the impression that if a site certificate was running with the old intermediate certificate that you could not use the new intermediate cert until the existing site certificate was renewed.
So, I got to work until 1AM that night supporting our various application teams even though this issue was not under my area. You know the network is always to blame, so the network guys always have to be there to solve the problems... So the next intermediate certificate expires on 10/24/2011 and the Root CA expires on 8/1/2028. I am putting a note in my calendar to plan a good week of vacation around the first date and at least 2 weeks around the second date.  -- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't." | |
|   nixen Rockin' the Boxen Premium join:2002-10-04 Alexandria, VA
·Cox HSI
·Speakeasy
| Grr... I just spent the last couple hours installing new intermediate certificates to fix this problem on over 60 systems. Unfortunately, each system is running different SSL enabled software, each with their own, unique location and methods for installing certificate files.
Man, what a pain in the freaking azz.
-tom -- "There are 10 types of people in the world... those who understand binary and those who don't." "That's only 2 types of people, moron" | |
|   FLECOM Bay Networks Freak Premium join:2003-03-03 Miami, FL | DIY Ca's? I know it's a little OT but this doesn't affect certificates that I made, correct?
you know like in NT4 when you could make your own CA and SSL certificates? -- BellSouth sucks | |
|   gwion wild colonial boy Premium,ExMod 2001-08 join:2000-12-28 Pittsburgh, PA
| Note on firewalling... parenthetical... Verisign appears to have brought up the same two servers some people were blocking because of the DNS-redirection issue of a few months back as revocation list servers. If you're blocking any Verisign servers as an artifact of those discussions, I strongly suggest you check the IP's you're blocking, by simply making a browser connection to them. If you retrieve a list of certificates, then you're blocking a server that's been redelegated to act as a revocation list server. If you have those servers blocked, and you don't have the block set to prompt you when it's triggered, you might be getting messages that IE is unable to verify that the certificate hasn't expired/been revoked when you visit a secure site. I ran into this issue yesterday, while playing with some old rulesets I have archived for Kerio...
This might be more of a sidelong issue, but I thought it was worth mentioning, since some people may have certain Verisign servers blocked without a log or prompt, and have all but forgotten doing it. The two servers I traced are:
12.158.80.10 -- crl.verisign.com and 64.94.110.11 -- crl.verisign.com
If either of these two servers is blocked, you stand a very good chance of being unable to verify certificates for revocation and expiry status, slowing down SSL connections, and creating error messages and a potential security vulnerability for yourself at a "phished" or fraudulent site... just an FYI...  -- I read Shakespeare and the Bible, and I can shoot dice. That's what I call a liberal education. | |
|   bhhurd Premium join:2003-02-13 Korea
| Pull the plug on Verisign Just think about this:
What if Verisign had used their resources in fixing this problem, instead of spending their time developing, deploying, evading criticism, and then removing their last colossal blunder?
I, for one, believe that it is high time to put Verisign out of our misery.
I am worried that if Verisign continues making such stupid mistakes, that we will end up with the UN running the internet. | |
|  |   rolande Certifiable Premium,Mod join:2002-05-24 Powell, OH clubs:
Host: Linksys AT&T Midwest
| Re: Pull the plug on Verisign Aside from the fact that Verisign wasn't more vocal about this intermediate cert expiring and making a big deal on their website about it, they didn't do anything wrong. The certificate expired right on time, exactly as had been designated when it was created back in 1997. It wasn't like Verisign proactively pushed some magic button to expire this certificate all over the world at the same time. It was built into the certificate when it was originally generated.
It is the customer's job to track the expiration of their own certificates they are using on SSL or signed applications. This would include Microsoft and every other company who signs software with these certs, anyone who hosts an SSL site with a Global Server ID, and not to mention all the backend components that use SSL over their transport mechanism which had a much more fatal reaction to the expiration than clients' web browsers did.
Verisign had been signing all new certificates since early in 2001 with the new intermediate certificate. But, you weren't forced in software to update the intermediate certificate when these new certs were installed and everything worked business as usual. If the customer didn't update the intermediate certificate when they renewed the related certificate, then that was their oversight.
Yes, Verisign should have made a bigger deal out of it than they did. Certificates can't be valid forever. Unfortunately, many customers only track their own purchased certificates for expiration.
So the lesson that everyone will forget between now and 10/24/2011 is that they have to keep watch over the root and intermediate CA's on their servers and applications as well. -- Remember what they say: "There are 10 types of people in the world.. those who understand binary, and those who don't." | |
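An added example, not part of the thread: one way to watch the whole chain rather than only the purchased certificate, flagging a CA certificate that lapses while the leaf is still valid. The inventory, subject names and dates are constructed sample values; `audit_chain` and `not_after` are hypothetical names.

```python
import ssl
from datetime import datetime, timezone

# Constructed inventory for one backend server. Dates are in the format printed
# by `openssl x509 -noout -enddate`; names and dates are sample values.
CHAIN = [
    ("leaf", "CN=app01.example.internal", "Nov 20 23:59:59 2004 GMT"),
    ("intermediate", "CN=Example Intermediate CA", "Jan  7 23:59:59 2004 GMT"),
    ("root", "CN=Example Root CA", "Aug  1 23:59:59 2028 GMT"),
]


def not_after(text):
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), tz=timezone.utc)


def audit_chain(chain, now, warn_days=90):
    """Return (role, subject, status, days_left) for every certificate in the chain.

    EXPIRED             already past notAfter
    EXPIRES_BEFORE_LEAF a CA certificate that lapses while the leaf is still valid,
                        so tracking only the leaf's renewal date will miss it
    EXPIRING            within warn_days of notAfter
    """
    leaf_expiry = min(not_after(t) for role, _, t in chain if role == "leaf")
    findings = []
    for role, subject, text in chain:
        expiry = not_after(text)
        days_left = (expiry - now).days
        if days_left < 0:
            status = "EXPIRED"
        elif role != "leaf" and expiry < leaf_expiry:
            status = "EXPIRES_BEFORE_LEAF"
        elif days_left <= warn_days:
            status = "EXPIRING"
        else:
            status = "OK"
        findings.append((role, subject, status, days_left))
    return findings


if __name__ == "__main__":
    for when in (datetime(2003, 6, 1, tzinfo=timezone.utc),
                 datetime(2004, 1, 8, 12, tzinfo=timezone.utc)):
        print(when.date())
        for finding in audit_chain(CHAIN, when):
            print("  ", *finding)
```

Run months ahead, the intermediate shows up as `EXPIRES_BEFORE_LEAF` even though no purchased certificate is near renewal; run on the day of the outage, it shows `EXPIRED` beside a leaf that still reads `OK`.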