An unusual chain of events in the complex security plumbing of the Internet, set in motion by the millions of Windows users who had installed security patches in the last two years, caused unexpected problems for VeriSign Inc and many PC users last week.
VeriSign is the dominant provider of digital certificates on the Internet. On January 7, a VeriSign Certificate Revocation List (CRL), a signed list of the digital certificates the company has revoked before their natural expiry date, passed its own scheduled expiry date, the point after which relying parties are meant to fetch a fresh copy.
Many applications are designed to download updated CRLs from VeriSign periodically, and they did so last week. But this time an unexpectedly large number descended on VeriSign’s server to retrieve a new list, according to spokesperson Brendan Lewis.
This had the same effect as a denial-of-service attack on VeriSign's server, crl.verisign.com. Desktop applications that block on a revocation check then stalled while trying, and failing, to fetch the new CRL, to the considerable frustration of end users.
Users of some applications, notably Symantec Corp's popular Norton AntiVirus, found their PCs sluggish when performing ordinary tasks. With Norton, the slowdown occurred during virus scans, for example when opening an Office document.
Symantec products routinely verify the integrity of system components and at times were unable to achieve the authentication they were seeking, Symantec said in a statement; therefore, customers experienced delays and instabilities.
But it was not Norton users causing the flood of traffic to VeriSign. According to Lewis, Windows security patches since March 2001 have used the expired CRL, and it was this vast number of patched Windows machines that caused the denial of service effect.
In this case, then, people who were quite rightly keeping current on their Windows patches were the unexpected cause of VeriSign's traffic problem and of the subsequent slowdown of Windows desktops around the globe.
Lewis said VeriSign had increased its capacity tenfold to deal with last week's events. "It was a pure bandwidth issue," he said. "We've taken steps to ensure this bandwidth problem does not happen again."
In a separate incident at the same time last week, but apparently unrelated to the expired CRL, the certificate of one of VeriSign's intermediate certificate authorities expired, causing different problems. This intermediate CA sat in the chain of trust for SSL certificates used in eCommerce.
The expiration was also a scheduled event, planned for and publicized for two years. However, some customers holding older VeriSign certs had not heeded the warning to upgrade, and their web servers kept sending browsers a certificate chain that ran through the expired intermediate.
According to Lewis, this meant that even though the encryption and decryption will still work, web users visiting the affected sites would receive security warnings unnecessarily from their browser. No user would have been put at risk from a security point of view.
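The two mechanisms in this story, a CRL passing its scheduled next-update time and an intermediate CA certificate expiring while servers keep presenting it, reduced to a check a relying party can run. This is an added example written against Go's standard crypto/x509 package; it is not code from VeriSign, Symantec or ComputerWire. The hierarchy, the names (Example Root CA, Example Intermediate CA, shop.example), the serial numbers and the dates are constructed for the demonstration and do not reproduce VeriSign's actual certificates or its real CRL.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Constructed test hierarchy (not VeriSign's): a root, an intermediate whose certificate has
// lapsed, its re-issue (same key and subject, new dates) and one e-commerce leaf.
type testPKI struct {
	root, oldInter, newInter, leaf *x509.Certificate
	rootKey                         *ecdsa.PrivateKey
}

// sign issues tmpl under parent with signer's key; parent == tmpl gives a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

func buildPKI(now time.Time) testPKI {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	day, year := 24*time.Hour, 365*24*time.Hour
	rootT := caTemplate("Example Root CA", 1, now.Add(-5*year), now.Add(10*year))
	root := sign(rootT, rootT, &rootKey.PublicKey, rootKey)
	// The scheduled expiry: only the intermediate's certificate lapsed, not its key.
	oldInter := sign(caTemplate("Example Intermediate CA", 2, now.Add(-3*year), now.Add(-day)),
		root, &interKey.PublicKey, rootKey)
	newInter := sign(caTemplate("Example Intermediate CA", 3, now.Add(-30*day), now.Add(5*year)),
		root, &interKey.PublicKey, rootKey)
	leafT := &x509.Certificate{
		SerialNumber: big.NewInt(1001), Subject: pkix.Name{CommonName: "shop.example"},
		DNSNames: []string{"shop.example"}, NotBefore: now.Add(-30 * day), NotAfter: now.Add(year),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return testPKI{root, oldInter, newInter, sign(leafT, oldInter, &leafKey.PublicKey, interKey), rootKey}
}

// makeCRL signs a root CRL carrying one (constructed) revoked serial. nextUpdate is the instant
// after which relying parties must refetch; one already in the past is the 7 January state.
func makeCRL(p testPKI, thisUpdate, nextUpdate time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(7), ThisUpdate: thisUpdate, NextUpdate: nextUpdate,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(1002), RevocationTime: thisUpdate}}}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, p.root, p.rootKey))))
}

// crlStatus is what a relying party decides before trusting a cached list: verify the issuing
// CA's signature on it first, then check the validity window the list carries.
func crlStatus(crl *x509.RevocationList, issuer *x509.Certificate, now time.Time) string {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return "bad-signature"
	}
	if now.Before(crl.ThisUpdate) {
		return "not-yet-valid"
	}
	if !crl.NextUpdate.IsZero() && !now.Before(crl.NextUpdate) {
		return "stale" // every patched client took this branch on 7 January and refetched at once
	}
	return "fresh"
}

// verifyChain is the browser's side of the second incident: the leaf and the trusted root are
// the same in both runs; only the intermediate certificate the server sends differs.
func verifyChain(leaf, inter, root *x509.Certificate, now time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		DNSName: "shop.example", CurrentTime: now})
	return err
}

func main() {
	now := time.Date(2004, time.January, 12, 0, 0, 0, 0, time.UTC)
	p := buildPKI(now)
	crl := makeCRL(p, now.Add(-20*24*time.Hour), now.Add(-5*24*time.Hour)) // nextUpdate fell on 7 January
	fmt.Println("CRL status:", crlStatus(crl, p.root, now))
	fmt.Println("expired intermediate sent:", verifyChain(p.leaf, p.oldInter, p.root, now))
	fmt.Println("renewed intermediate sent:", verifyChain(p.leaf, p.newInter, p.root, now))
}
```

crlStatus is the branch that matters for the first incident: once the list passes nextUpdate, every client that consults it on the same day treats its cached copy as stale and goes back to the distribution point, which is how a scheduled expiry became a traffic flood. Software that blocks user-visible work on that fetch, as the affected desktop products did, stalls whenever the server is unreachable; bounding the fetch with a short timeout and treating a failed refresh as a logged degradation rather than a hard stop is the usual mitigation, at the cost of accepting a stale answer for a while. verifyChain shows the second incident: the leaf never changed, and the root never changed; only the intermediate certificate the server chose to send decides whether the browser warns.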
This article is based on material originally produced by ComputerWire.