nanog mailing list archives
Verisign CRL single point of failure
From: Sean Donelan <sean () donelan com>
Date: Thu, 8 Jan 2004 18:54:46 -0500 (EST)
Verisign's Certificate Revocation structure apparently was not designed to handle the load of large numbers of systems using crl.verisign.net. Verisign has introduced a 50% failure mechanism to cap the load on their servers. This is a side effect of the expiration of one of Verisign's Intermediate Root Certificates.

Verisign is redirecting traffic to several RFC1918 addresses, which are not routable on the Internet but are frequently used in enterprise networks. It is possible Verisign has created a Denial of Service on Enterprise services using the same RFC1918 addresses, as internal systems checking for crl.verisign.net are redirected to other RFC1918 addresses.

The consolidation of network power in a single company creates its own threat to the critical infrastructure when a single certificate expires, instead of being randomly distributed among several different organizations.
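A check a practitioner could run against a CRL distribution point, as an added example that is not part of Sean Donelan's post: it parses the CRL URL, resolves the host, flags answers that fall inside RFC 1918 space, and reports collisions with the enterprise's own internal address plan (the situation the post describes, where internal clients would send CRL requests to an internal host instead of the CA). The DNS answers in SAMPLE_ANSWERS are constructed for this example and are not real records for those hosts; the internal_nets ranges and the URL path are hypothetical.

```python
import ipaddress
from urllib.parse import urlparse

# RFC 1918 private ranges, spelled out rather than using ip_address.is_private,
# which also covers loopback, link-local and other non-RFC1918 blocks.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample DNS answers for this example only (hypothetical, not real
# records for these hosts). The first entry mimics a CRL server whose name has
# been pointed partly into RFC 1918 space.
SAMPLE_ANSWERS = {
    "crl.verisign.net": ["10.0.0.1", "192.168.1.1", "198.51.100.7"],
    "crl.example.org": ["203.0.113.5"],
}


def resolve(host, answers=SAMPLE_ANSWERS):
    """Return the A records for host from the constructed table.

    For live use replace this with socket.getaddrinfo(host, None, socket.AF_INET).
    """
    return list(answers.get(host, []))


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside one of the RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def crl_host(url):
    """Extract the host a client would contact for a CRL distribution point URL."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https", "ldap") or not parsed.hostname:
        raise ValueError("unsupported or malformed CRL distribution point: %r" % url)
    return parsed.hostname.lower()


def check_crl_endpoint(url, internal_nets=(), answers=SAMPLE_ANSWERS):
    """Classify where a CRL distribution point resolves.

    internal_nets: CIDR strings for the enterprise's own address plan. Any
    resolved address inside one of them is a collision: CRL requests from
    internal clients would land on an internal host rather than the CA.
    """
    host = crl_host(url)
    addrs = resolve(host, answers)
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    rfc1918 = [a for a in addrs if is_rfc1918(a)]
    collisions = [a for a in addrs
                  if any(ipaddress.ip_address(a) in n for n in nets)]
    return {
        "host": host,
        "addresses": addrs,
        "rfc1918": rfc1918,
        "collisions": collisions,
        # Every answer is non-routable: the CRL fetch cannot succeed at all.
        "all_nonroutable": bool(addrs) and len(rfc1918) == len(addrs),
    }


if __name__ == "__main__":
    # Hypothetical enterprise that uses 10.0.0.0/24 internally.
    report = check_crl_endpoint("http://crl.verisign.net/example.crl",
                                internal_nets=["10.0.0.0/24"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real certificate's CRL distribution points by swapping resolve() for a live lookup; a non-empty "collisions" list means clients on that internal subnet will direct their CRL traffic at an internal machine, and "all_nonroutable" means revocation checking for that CA fails outright for everyone.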
Current thread:
- Verisign CRL single point of failure Sean Donelan (Jan 08)
- Re: Verisign CRL single point of failure Scott Weeks (Jan 08)
- Re: Verisign CRL single point of failure Stephen J. Wilcox (Jan 09)
- Re: Verisign CRL single point of failure Jeff Shultz (Jan 09)
- Re: Verisign CRL single point of failure Sean Donelan (Jan 09)
- Re: Verisign CRL single point of failure Sean Donelan (Jan 09)
- Re: Verisign CRL single point of failure Jeff Shultz (Jan 09)