[Dshield] Norton Antivirus slowness explained
brian at dessent.net
Fri Jan 9 04:33:29 GMT 2004
John Hardin wrote:
> Looks like Verisign is to blame:
I was wondering WTF it was taking forever to open https links recently.
In my proxy logs I kept seeing those crl URLs repeated 3, 4, or more
times, so I figured the site was temporarily flaky. Uugggh. From the
> Date: Thu, 8 Jan 2004 18:54:46 -0500 (EST)
> From: Sean Donelan <sean AT donelan DOT com>
> Subject: Verisign CRL single point of failure
> Verisign's Certificate Revocation structure apparently was not
> designed to handle the load of large numbers of systems using
> crl.verisign.net. Verisign has introduced a 50% failure
> mechanism to gap the load on their servers. This is a side
> effect of the expiration of one of Verisign's Intermediate
> Root Certificates.
> Verisign is redirecting traffic to several RFC1918 addresses,
> which are not routable on the Internet but are frequently used
> in enterprise networks. It is possible Verisign has created
> a Denial of Service on Enterprise services using the same
> RFC1918 addresses as internal systems checking for crl.verisign.net
> are redirected to other RFC1918 addresses.
> The consolidation of network power in a single company creates
> its own threat to the critical infrastructure when a single
> certificate expires instead of being randomly distributed among
> several different organizations.
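
An added example, not part of the original messages: a defender-side check for the two symptoms described in this thread, repeated CRL fetches in proxy logs and a CRL hostname answering with RFC 1918 addresses. The log format, the `example.crl` path, the client addresses and the DNS answers are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from urllib.parse import urlparse

# The three RFC 1918 blocks; is_private is avoided because it covers more ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
SAMPLE_LOG = """\
1073622800 192.0.2.10 GET http://crl.verisign.net/example.crl 504
1073622803 192.0.2.10 GET http://crl.verisign.net/example.crl 504
1073622807 192.0.2.10 GET http://crl.verisign.net/example.crl 200
1073622810 192.0.2.11 GET http://www.example.com/ 200
1073622900 192.0.2.11 GET http://crl.verisign.net/example.crl 200
"""
# Constructed DNS answers, as a resolver log might record them.
SAMPLE_DNS = {"crl.verisign.net": ["10.1.2.3", "198.51.100.7", "172.16.5.9"]}

def private_answers(answers):
    """Map each hostname to the answers that fall inside RFC 1918 space."""
    flagged = {}
    for host, addrs in answers.items():
        bad = [a for a in addrs
               if any(ipaddress.ip_address(a) in net for net in RFC1918)]
        if bad:
            flagged[host] = bad
    return flagged

def repeated_crl_fetches(log_text, window=60, threshold=3):
    """Return {(client, url): count} for .crl URLs one client fetched
    at least `threshold` times within `window` seconds."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[0].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        ts, client, _method, url, _status = fields
        if urlparse(url).path.lower().endswith(".crl"):
            stamps[(client, url)].append(int(ts))
    flagged = {}
    for key, times in stamps.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[key] = best
    return flagged
```
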