- crl.verisign.com is ok?
July 15, 2004, 11:00 pm
Re: crl.verisign.com is ok?
CRL stands for Certificate Revocation List. Any standards-compliant,
certificate-signed program will check the CRL to see if the program's signature
has been revoked by the issuer. Far from being a security concern, this
check makes sure your program is authentic.
You can prevent its access by either adding "crl.microsoft.com" and/or
"crl.verisign.com" to your blocking file (HOSTS, PAC, DNSKong, etc), or by
UNCHECKING "check for publishers certificate revocation" in your IE browser
(TOOLS/INTERNET OPTIONS/ADVANCED tab/SECURITY section). [I am not sure if the
last method will prevent access to Verisign's CRL.]
More information available in this Microsoft Knowledge Base article (so you can
make up your own mind whether to disable it):
Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign
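An added example, not part of the original post: a HOSTS entry that points a CRL host at a loopback or null address makes revocation checks fail quietly, so it is worth auditing for. This sketch parses HOSTS-format text and reports such entries; the sample file contents and function names are constructed for illustration, and the watched hostnames are the two named in the post above.

```python
import ipaddress

# Hostnames named in the post above; extend with the CRL hosts your certificates use.
CRL_HOSTS = {"crl.microsoft.com", "crl.verisign.com"}

def is_sinkhole(addr):
    """True for addresses a blocking HOSTS file typically uses (loopback or unspecified)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # not an IP address, so not a valid HOSTS mapping
    return ip.is_loopback or ip.is_unspecified

def blocked_crl_hosts(hosts_text, watch=CRL_HOSTS):
    """Return {hostname: (line_number, address)} for watched hosts mapped to a sinkhole."""
    found = {}
    for lineno, raw in enumerate(hosts_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments, including commented-out entries
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, names = fields[0], fields[1:]  # one address may carry several hostnames
        if not is_sinkhole(addr):
            continue
        for name in names:
            name = name.lower().rstrip(".")  # hostnames are case-insensitive
            if name in watch and name not in found:
                found[name] = (lineno, addr)  # keep the first matching line
    return found

# Constructed sample HOSTS content (not taken from any real machine).
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1   localhost
0.0.0.0     ads.example.test CRL.VeriSign.com   # added by a blocking tool
#127.0.0.1  crl.microsoft.com
192.0.2.10  intranet.example.test
"""

if __name__ == "__main__":
    for host, (lineno, addr) in blocked_crl_hosts(SAMPLE_HOSTS).items():
        print(f"line {lineno}: {host} -> {addr} (revocation list unreachable)")
```
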
Re: crl.verisign.com is ok?
CRL = Certificate Revocation List
The simile that I've seen mentioned is:
- You present a check and ID to the sales clerk at the cash register to
buy something. You profess to be person X.
- The sales clerk calls the bank to get a refreshed list of known bad
checks (that they currently know about).
- They scan the list of bad check accounts to see if you are on the
- If you are on the list, they refuse the sale (i.e., revocation).
- If you are not on the list, you are presumed to be the person
presenting the check.
If you get a digitally signed or digitally encrypted e-mail using an X.509
certificate, your e-mail client phones the CRL Authority (CA) listed in
the certificate to verify the identity of that certificate (actually it
just verifies whether the certificate is still good or not). Some
software is also digitally signed. Norton AntiVirus will periodically
require a check on its certificate (I'll get a prompt from the firewall
from NAV to connect to crl.verisign.com).
Which firewall are you using? Doesn't its prompt telling you about the
CRL connection also list the program that is requesting that
connection? Maybe its logs will expose the program trying to make the
connection. Perhaps it has an option to pop up a window showing that an
unauthorized-as-yet program is trying to use an already authorized
program to make a connection (i.e., an option to show if a program is
calling another program to make the connection). Norton Internet
Security has that option. For example, I'll be in a help file and click
on a web link and NIS will tell me the help program is asking IE to make