June 30th, 2002, 05:43 PM
Server Certificate Verification
I have IE6 and Win98SE. When in IE, if I go to Tools, Internet Options, Advanced and scroll down, there's the option to Check for server certificate revocation (requires restart)
Now, if I check this and restart, when I try to sign in to hotmail, IE then connects to crl.verisign.net port 80 (iirc, I've not got it checked now).
The thing is, this connection runs at up to 8kbps on my 56k, and as you might know, the average rate is about 4kbps!
This keeps going for at least a minute, and after testing it a few times I stopped, as the data transfer is getting large, and I'm wondering just wtf M$ is getting from my pc at such an unusual rate...
This effect seems only to be with hotmail, with that option enabled. I've run Ad-Aware, kept NAV up to date, and my Tiny Personal Firewall (which is detecting this).
Everything seems to run fine with the option disabled, and it would seem to be a system for making certain of a server's certificate validity, but is it needed for non-M$ servers (can you get non-M$ certificates, I don't know much about them in general) and is it safe to have this setting unchecked?
I'm guessing it's just another M$ 'feature' (bug/spyware/something I've blocked ) but if anyone has any more info, I'd be grateful
June 30th, 2002, 06:13 PM
Well, I wish I could help you on this one but I can't. However, just in case you didn't know, it's happening with HoTMaiL because HoTMaiL and MSN (owned by MS) are now "one," basically. They're both MS'.
June 30th, 2002, 06:19 PM
June 30th, 2002, 06:47 PM
WTF? I got negs saying "gotta be balanced" and they knocked off 5 points. That's not crap, but it's the principal... f'ing idiots, I find out who you are I'll "balance" mine every single day on your a$$, hoe.
June 30th, 2002, 07:12 PM
A server certificate is a piece of crypto "key" that proves that the server says that it is who it says it is. Certificates are used in ssl (https) connections to authentify the server (and/or the client but that's not used often..). Now the certificate is closely guarded. If the certificate had been compromised for a reason or an other, the organsiation that owns the certificate needs to have that certificate invalidated before it's normal expiration date. That process is called revocation. To verifiy if the certificate has been revoked, the browser has to check a CRL (Certificate Revocation List) to see if that particular certificate is listed. In this case the CRL is
hosted by crl.verising.com on the RSASecureServer.crl (check the attached screenshot of the certificate details). And if you check at http://crl.verisign.com, you will see that RSASercureServer.crl as a sign of 795K.
So, as you can see, checking for certificate revocation has nothing to do with sypware or trojans or anything of that sort. It is purely a security issue. Now the reason this isn't on by default is that it is relatively rare for a web server to have it certificate compromised, and the cost of downloading/checking the crl each time you do a ssl connection isn't really worth it.
Hope this helps.
Credit travels up, blame travels down -- The Boss
June 30th, 2002, 08:20 PM