Server Certificate Verification

  1. #1
    Banned
    Join Date
    Sep 2001
    Posts
    68

    Server Certificate Verification

    I have IE6 and Win98SE. When in IE, if I go to Tools, Internet Options, Advanced and scroll down, there's the option to Check for server certificate revocation (requires restart)

    Now, if I check this and restart, when I try to sign in to hotmail, IE then connects to crl.verisign.net port 80 (iirc, I've not got it checked now).
    The thing is, this connection runs at up to 8kbps on my 56k, and as you might know, the average rate is about 4kbps!

    This keeps going for at least a minute, and after testing it a few times I stopped, as the data transfer is getting large, and I'm wondering just wtf M$ is getting from my pc at such an unusual rate...
    This effect seems only to be with hotmail, with that option enabled. I've run Ad-Aware, kept NAV up to date, and my Tiny Personal Firewall (which is detecting this).

    Everything seems to run fine with the option disabled, and it would seem to be a system for making certain of a server's certificate validity, but is it needed for non-M$ servers (can you get non-M$ certificates, I don't know much about them in general) and is it safe to have this setting unchecked?

    I'm guessing it's just another M$ 'feature' (bug/spyware/something I've blocked ) but if anyone has any more info, I'd be grateful

  2. #2
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    Well, I wish I could help you on this one but I can't. However, just in case you didn't know, it's happening with HoTMaiL because HoTMaiL and MSN (owned by MS) are now "one," basically. They're both MS'.

  3. #3
    Banned
    Join Date
    Sep 2001
    Posts
    68
    I didn't know that, thanks

    Seriously, thanks, I guess this is just a M$ server (.Net) related feature, and so it's fine to have it unchecked (it seems to be everywhere else I go).

    If there is a vital reason why I should have it checked, feel free to say so, but I was just mainly passing comment on this odd security option

  4. #4
    Senior Member
    Join Date
    Dec 2001
    Posts
    884
    WTF? I got negs saying "gotta be balanced" and they knocked off 5 points. That's not crap, but it's the principle... f'ing idiots, I find out who you are I'll "balance" mine every single day on your a$$, hoe.

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    A server certificate is a piece of crypto "key" that proves that the server says that it is who it says it is. Certificates are used in SSL (https) connections to authenticate the server (and/or the client, but that's not used often...). Now the certificate is closely guarded. If the certificate has been compromised for one reason or another, the organisation that owns the certificate needs to have that certificate invalidated before its normal expiration date. That process is called revocation. To verify if the certificate has been revoked, the browser has to check a CRL (Certificate Revocation List) to see if that particular certificate is listed. In this case the CRL is hosted by crl.verisign.com in the RSASecureServer.crl file (check the attached screenshot of the certificate details). And if you check at http://crl.verisign.com, you will see that RSASecureServer.crl has a size of 795K.

    So, as you can see, checking for certificate revocation has nothing to do with spyware or trojans or anything of that sort. It is purely a security issue. Now the reason this isn't on by default is that it is relatively rare for a web server to have its certificate compromised, and the cost of downloading/checking the CRL each time you do an SSL connection isn't really worth it.

    Hope this helps.

    Ammo
    Credit travels up, blame travels down -- The Boss
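
The CRL lookup described in post #5, as an added example that is not part of the original thread: it parses a DER-encoded CRL (layout per RFC 5280) and returns the listed serial numbers, which also shows why the download grows with every revoked certificate. The function names and the sample CRL are constructed for illustration, and the signature is a dummy that this sketch does not verify.

```python
# Added illustration of a CRL lookup (structure per RFC 5280), stdlib only.
# The CRL is constructed below with a dummy signature that is NOT verified here.

def tlv(tag, body=b""):
    """Encode one DER element (used only to build the constructed CRL)."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(der):
    """Yield (tag, body) for each DER element packed back to back in der."""
    i = 0
    while i < len(der):
        tag, n = der[i], der[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n = int.from_bytes(der[i:i + k], "big")
            i += k
        yield tag, der[i:i + n]
        i += n

def sample_crl(serials):
    """Build a constructed CertificateList revoking the given serials."""
    when = tlv(0x17, b"020101000000Z")  # UTCTime, constructed value
    entries = b"".join(
        tlv(0x30, tlv(0x02, s.to_bytes(s.bit_length() // 8 + 1, "big")) + when)
        for s in serials)
    alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d010105")) + tlv(0x05))
    tbs = tlv(0x30, alg + tlv(0x30) + when + when + tlv(0x30, entries))
    return tlv(0x30, tbs + alg + tlv(0x03, bytes(17)))  # dummy signature bits

def revoked_serials(crl_der):
    """Return the set of serial numbers listed in a DER-encoded CRL."""
    (_, cert_list), = children(crl_der)
    fields = list(children(next(children(cert_list))[1]))  # TBSCertList
    if fields[0][0] == 0x02:  # optional version
        fields = fields[1:]
    rest = fields[3:]  # skip signature algorithm, issuer, thisUpdate
    if rest and rest[0][0] in (0x17, 0x18):  # optional nextUpdate
        rest = rest[1:]
    body = rest[0][1] if rest and rest[0][0] == 0x30 else b""  # list may be absent
    return {int.from_bytes(next(children(e))[1], "big")
            for _, e in children(body)}

if __name__ == "__main__":
    crl = sample_crl([0x1234, 0x0A])
    print(0x1234 in revoked_serials(crl), 0x99 in revoked_serials(crl), len(crl))
```

Each revoked certificate adds about 20 bytes to this constructed list, so a CRL covering many certificates becomes a sizeable download on a slow link.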

  6. #6
    Banned
    Join Date
    Sep 2001
    Posts
    68

    Thank you

    A nice bit of detail and examples

    jehnx, I feel kinda responsible as it's my thread, but it wasn't me, I don't pack that punch
