Verisign CRL single point of failure

Verisign's Certificate Revocation structure apparently was not
designed to handle the load of large numbers of systems using
crl.verisign.net. Verisign has introduced a 50% failure
mechanism to gap the load on their servers. This is a side
effect of the expiration of one of Verisign's Intermediate
Root Certificates.

Verisign has been redirecting traffic to several RFC1918 addresses,
which are not routable on the Internet but are frequently used
in enterprise networks. It is possible Verisign has created
a Denial of Service on Enterprise services using the same
RFC1918 addresses, as internal systems checking for crl.verisign.net
are redirected to other RFC1918 addresses.

The consolidation of network power in a single company creates
its own threat to the critical infrastructure when a single
certificate expires instead of being randomly distributed among
several different organizations.
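One check a client-side defender would want from this post, written here as an added example that is not part of the thread: given the host named in a CRL distribution point URL and the addresses it resolves to, flag RFC 1918 (or loopback/link-local) answers, report what fraction of the answers are unroutable, show whether any of them collide with the enterprise's own internal prefixes (the collision the post describes), and return a "revocation check failed" verdict rather than silently treating the certificate as not revoked. The DNS answers, the enterprise prefixes and the URL path are constructed sample data (TEST-NET addresses stand in for public ones), and the function performs no live DNS lookups.

```python
"""Classify the addresses a CRL distribution point host resolves to.

Added example, not part of the original thread. All addresses and prefixes
below are constructed sample data, not real records for crl.verisign.net.
"""
import ipaddress
from urllib.parse import urlparse

# Address space that is never reachable across the public Internet:
# the three RFC 1918 blocks plus loopback and link-local.
UNROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]

# Hypothetical internal prefixes of the enterprise doing the lookups (constructed).
ENTERPRISE_INTERNAL = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.20.0.0/16")
]

# Constructed DNS answers for the CRL host: two public (TEST-NET stand-ins)
# and two RFC 1918 addresses, i.e. the 50% split the post describes.
SAMPLE_ANSWERS = {
    "crl.verisign.net": ["198.51.100.10", "203.0.113.20",
                         "10.1.2.3", "192.168.100.5"],
}


def is_unroutable(addr):
    """True if addr falls in RFC 1918, loopback or link-local space."""
    return any(addr in net for net in UNROUTABLE)


def collides_with_internal(addr, internal=ENTERPRISE_INTERNAL):
    """True if addr lands inside one of the enterprise's own prefixes."""
    return any(addr in net for net in internal)


def classify_crl_host(crl_url, answers=SAMPLE_ANSWERS,
                      internal=ENTERPRISE_INTERNAL):
    """Return a report on the answers for the host in a CRL DP URL.

    verdict is "ok" only when every answer is routable; anything else is
    reported as a failed revocation check, never as "not revoked".
    """
    host = urlparse(crl_url).hostname
    ips = [ipaddress.ip_address(a) for a in answers.get(host, [])]
    report = {"host": host, "routable": [], "unroutable": [], "collisions": []}
    for ip in ips:
        if is_unroutable(ip):
            report["unroutable"].append(str(ip))
            # An RFC 1918 answer that overlaps internal space sends CRL
            # traffic to some unrelated internal host.
            if collides_with_internal(ip, internal):
                report["collisions"].append(str(ip))
        else:
            report["routable"].append(str(ip))
    total = len(ips)
    # No answers at all counts as fully unroutable (fail closed).
    report["unroutable_fraction"] = (
        len(report["unroutable"]) / total if total else 1.0
    )
    report["verdict"] = (
        "ok" if total and not report["unroutable"] else "revocation_check_failed"
    )
    return report


if __name__ == "__main__":
    # Placeholder path: the real CRL file name is not given in the thread.
    print(classify_crl_host("http://crl.verisign.net/PLACEHOLDER.crl"))
```

A client that soft-fails (treats an unreachable CRL as "not revoked") turns the redirect into silent acceptance of possibly revoked certificates; one that hard-fails turns it into an outage for half of its lookups. Either way the report above makes the condition visible instead of letting it pass as a normal lookup.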

: The consolidation of network power in a single company creates
: its own threat to the critical infrastructure when a single
: certificate expires instead of being randomly distributed among
: several different organizations.

Boy-o-boy that's fundamental wrt the internet...

scott

> The consolidation of network power in a single company creates its own threat
> to the critical infrastructure when a single certificate expires instead of
> being randomly distributed among several different organizations.

I'm not sure what's involved in getting your own root certs added to browser/OS
distributions but there's nothing afaik that says Verisign is the sole company
providing this, presumably anyone else can agree with MS/whoever to have their
root certs added.. ?

On the idea of gapping to RFC1918 space, this is imho not a good solution,
either they need to upgrade their platform to take the load e.g. multicast or if
they do want to blackhole traffic do it to their own IP space [worst case, do it
to an ip block that they don't route]

Steve

** Reply to message from "Stephen J. Wilcox" <steve@telecomplete.co.uk>
on Fri, 9 Jan 2004 13:20:18 +0000 (GMT)

> > The consolidation of network power in a single company creates its own threat
> > to the critical infrastructure when a single certificate expires instead of
> > being randomly distributed among several different organizations.

> I'm not sure what's involved in getting your own root certs added to browser/OS
> distributions but there's nothing afaik that says Verisign is the sole company
> providing this, presumably anyone else can agree with MS/whoever to have their
> root certs added.. ?

I'm looking at the Certificate Authorities in my copy of Mozilla 1.5. I
don't think I've added any, but these are the ones that are there:
ABA.ECOM, Inc
AOL Time Warner Inc.
AddTrust AB
America Online Inc.
Baltimore
Digital Signature Trust Co.
Entrust.net
Equifax
Equifax Secure
Equifax Secure Inc.
GTE Corporation
GeoTrust Inc.
GlobalSign nv-sa
RSA Data Security, Inc.
RSA Security Inc
TC TrustCenter for Security in Data Networking
Thawte
Thawte Consulting
Thawte Consulting cc
The USERTRUST Network
VISA
ValiCert, Inc.
VeriSign, Inc.
beTrusted

And in IE 6.0 there seem to be about an equal number, many of them the
same.

So there appear to be alternatives to VeriSign (why is it that most of
these companies have two capitals in their names?). I do remember
seeing someone elsewhere complaining that he'd been trying to get his
root cert added to Mozilla for two years now, so it may not be all that
simple.

There is nothing that says everyone must use BIND software either.

Verisign frequently points out the risks of having critical infrastructure
distributed among several independent organizations, and how it would be
much better if a single company (i.e. Verisign) controlled it. But when
95% of the market depends on a single organization, even normal problems
are magnified. Certificates normally expire, software normally has bugs,
operators normally make mistakes. When those normal things happen, if
the organization controls almost all of the market, mistakes impact almost
all of the market.

Yep, and several universities have their own root certificates their
campus users can add to their local browsers independent of other CAs.

Nevertheless, several SSL surveys say Verisign (and Verisign controlled
companies) control a super-majority of the certificates actively in use
on the Internet. So if you are a critical infrastructure planner, you
need to balance whether you use the dominant market player or several
different CAs, or try to be your own CA.

You may even want to obtain certificates from two different CAs in
case one of them fails.