[Dshield] Norton Antivirus slowness explained

Brian Dessent brian at dessent.net
Fri Jan 9 04:33:29 GMT 2004

John Hardin wrote:
> Looks like Verisign is to blame:
>         http://slashdot.org/articles/04/01/08/1849245.shtml

I was wondering WTF it was taking forever to open https links recently. 
In my proxy logs I kept seeing those crl URLs repeated 3, 4, or more
times, so I figured the site was temporarily flaky.  Uugggh.  From the
nanog list:

> Date: Thu, 8 Jan 2004 18:54:46 -0500 (EST)
> From: Sean Donelan <sean AT donelan DOT com>
> Subject: Verisign CRL single point of failure
> Verisign's Certificate Revocation structure apparently was not
> designed to handle the load of large numbers of systems using
> crl.verisign.net.  Verisign has introduced a 50% failure
> mechanism to gap the load on their servers.  This is a side
> effect of the expiration of one of Verisign's Intermediate
> Root Certificates.
> Verisign has redirecting traffic to several RFC1918 addresses,
> which are not routable on the Internet but are frequently used
> in enterprise networks.  It is possible Verisign has created
> a Denial of Service on Enterprise services using the same
> RFC1918 addresses as internal systems checking for crl.versign.net
> are redirected to other RFC1918 addresses.
> The consolidation of network power in a single company creates
> its own threat to the critical infrastructure when a single
> certificate expires instead of being randomly distributed among
> several different organizations.

More information about the list mailing list