crl.verisign.com is ok?

Have a question or want to start a discussion? Post it! No Registration Necessary.  Now with pictures!

Threaded View
I get a IP transmission from my computer at start and occasionaly thereafter
to crl.verisign.com.

Is that OK.  Is is for Window update or something?

any thoughts?\\


crl.verisign.com is ok?





Re: crl.verisign.com is ok?


dontb wrote:
Quoted text here. Click to load it

I would guess at some kind of X.509 -aware application trying to update
certificate revocation lists.

Thor

--
http://www.anta.net /


Re: crl.verisign.com is ok?

Quoted text here. Click to load it

 CRL stands for Certificate Revocation List.  Any standards-compliant,
certificate-signed program will check the CRL to see if the program's signature
has been revoked by the issuer.  Contrary from being a security concern, this
check makes sure your program is authentic.

 You can prevent its access by either adding "crl.microsoft.com" and/or
"crl.verisign.com" to your blocking file (HOSTS, PAC, DNSKong, etc), or by
UNCHECKING "check for publishers certificate revocation" in your IE browser
(TOOLS/INTERNET OPTIONS/ADVANCED tab/SECURITY section).  [I am not sure if the
last method will prevent access to Verisign's CRL.]
 More information available in this Microsoft Knowledge Base article (so you can
make up your own mind whether to disable it):

Update Available to Revoke Fraudulent Microsoft Certificates Issued by VeriSign
<http://support.microsoft.com/default.aspx?scid=KB ;en-us;293811&>

--
 dak


Re: crl.verisign.com is ok?
Quoted text here. Click to load it

CRL = Certificate Revocation List

The simile that I've seen mention is:

- You present a check and ID to the sales clerk at the cash register to
buy something.  You profess to be person X.
- The sales clerk calls the bank to get a refreshed list of known bad
checks (that they currently know about).
- They scan the list of bad check accounts to see if you are on the
list.
- If you are on the list, they refuse the sale (i.e., revocation).
- If you are not on the list, you are presumed to be the person
presenting the check.

If you get a digital signed or digtally encrypted e-mail using x.509
certificate, your e-mail client phones the CRL Authority (CA) listed in
the certificate to verify the identity of that certificate (actually it
just verifies whether the certificate is still good or not).  Some
software is also digitally signed.  Norton AntiVirus will periodically
require a check on its certificate (I'll get a prompt from the firewall
from NAV to connect to crl.verisign.com).

Which firewall are you using?  Doesn't its prompt telling you about the
CRL connection doesn't also list the program that is requesting that
connection?  Maybe its logs will expose the program trying to make the
connection.  Perhaps it has an option to popup a window showing that an
unauthorized-as-yet program is trying to use an already authorized
program to make a connection (i.e., an option to show if a program is
calling another program to make the connection).  Norton Internet
Security has that option.  For example, I'll be in a help file and click
on a web link and NIS will tell me the help program is asking IE to make
a connection.



Site Timeline