PunkBuster service try to connnect to verisign.com? in Security

PunkBuster service try to connnect to verisign.com? in Security http://www.dslreports.com/forum/r19760368 en Wed, 11 Nov 2009 00:31:39 EDT Wed, 11 Nov 2009 00:31:39 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19808206 MAT777 : I know you guys appear to dislike old thread bump but I think it is good for everybody to know the end of this story. If I shouldn't have bump it, please tell so I won't do it again in the future.

I received the answer from evenbalance:

"Note #2: PnkBstrA shouldn't even be contacting the internet, so something is definitely not right.

Please start pbsvc.exe and run through the uninstall process. After that, run it again and run through the install process. Make sure it uninstalls/installs correctly. Reboot the computer and then try playing again. Vista users need to start it explicitly with admin rights.

Please make sure you allow the service files in security software like virus scanners and/or firewalls. You will need to allow/unblock the services PnkBstrA.exe and PnkBstrB.exe from your "C:\Windows\system32\" folder. In case of doubt, manually add both to your firewall's allow list. After the installation process you will only find PnkBstrA, so just make sure this process file is not blocked. Then try playing on a PB enabled server, in case of a kick, check if PnkBstrB was created and unblock it too."

So my firewall is bugged or a virus has infected the pb service. ]]> http://www.dslreports.com/forum/remark,19808206 Tue, 15 Jan 2008 18:25:27 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19762599 MAT777 : https, ok, I got it now. Thanks for all this information. ]]> http://www.dslreports.com/forum/remark,19762599 Tue, 08 Jan 2008 16:01:02 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19762545 Steve :

said by MAT777

:

But for example, when I visit my bank site, what check the ssl certificate? Firefox?

Your web browser checks the cert: it insures that the Common Name on the certificate matches the URL in the address line, that the cert has a chain of signing from the trusted root certs, that the cert has not expired, and that the cert has not been added to a revocation list (there are other housekeeping checks too).

All online banking uses SSL: if you see https in the URL, it's using an SSL certificate.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site]]> http://www.dslreports.com/forum/remark,19762545 Tue, 08 Jan 2008 15:52:51 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19762474 MAT777 : But for example, when I visit my bank site, what check the ssl certificate? Firefox?

Maybe my bank don't use this, do you have an example of a site that use a ssl certificate?]]> http://www.dslreports.com/forum/remark,19762474 Tue, 08 Jan 2008 15:44:10 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19762274 Steve :

said by MAT777

:

What the SSL cert is useful for? Why you'd get a cert?

An SSL cert is an attestation of identity: if I have an SSL cert for my my website, then if the cert passes validity you can be sure that it really is my website.

You care about this when you visit your bank, insuring that they are who the URL claims them to be (I personally can't get an SSL certificate for wellsfargo.com).

Additionally, an application such as punkbuster may well need to phone home to get updates and the like: it needs to be sure that when it thinks it's hitting the made-up URL update.punkbuster.com, that it really is connecting to that site.

It's not out of the question to imagine somebody trying to subvert Punkbuster by setting up a fake update site and messing with local DNS, in an attempt to get the software to get a bogus update. But when the fake site is unable to produces a root-CA-signed update.punkbuster.com certificate, then the application knows it's not talking to the real deal.

But please note that an attestation to identity is not the same as an attestation to safety - I could set up www.FreeSpywareWithPorn.com, get a valid cert, and offer exactly what I claim. Just because the site is what it claims to be doesn't mean that it's safe.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site]]> http://www.dslreports.com/forum/remark,19762274 Tue, 08 Jan 2008 15:11:26 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19761638 MAT777 :

said by Steve

:

Let's say that I get an SSL cert for www.unixwiz.net from Verisign,

If I want to understand the whole thing, I need to understand:
What the SSL cert is useful for? Why you'd get a cert?]]> http://www.dslreports.com/forum/remark,19761638 Tue, 08 Jan 2008 13:34:39 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19761136 Steve :

said by MAT777

:

Do you know why pb has to check for a ssl certificate validity?

This is almost certainly automatic behavior by the Windows libraries, not volitional activity by punkbuster.

A CRL — Certificate Revocation List — is used to insure that certificates are still valid and have not been revoked.

When a client (which could be a browser or an application) connects to an SSL-protected resource, it verifies that the cert is valid by following the signing chain down from the roots. The result of this process is a yes/no that the cert is in fact valid.

But there is also a list of revoked certs; ones that were in fact signed (and will pass signing verification), but should nevertheless be considered invalid.

Let's say that I get an SSL cert for www.unixwiz.net from Verisign, but I foolishly allow a bad guy to get my private key and passphrase. That means he can use that cert on a fake www.unixwiz.net website. Oh snap!

So I'll revoke my certificate, which gets it put on the list maintained by crl.verisign.com. So when the Win32 secure-socket libraries verify a cert, it checks the root signing chain and to see if that cert is on the revocation list.

So it's unlikely that Punkbuster is doing anything but calling a Win32-provided library to set up a secure connection, and the library is doing all the heavy lifting.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site]]> http://www.dslreports.com/forum/remark,19761136 Tue, 08 Jan 2008 12:18:42 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760873 MAT777 : So if I understand well, maybe pb is checking if the exe has not been hacked(forged?) on that site? That's how pb detect cheating? Looking at the amount of cheaters, this doesn't appear to work well :D

Is this the same certificate windowsxp ask you sometimes when you install driver?

Nice information btw, when I read this: "A few years ago they implemented a change to their service such that if a mis-typed address could not be found in their database, you would be redirected to their own search engine."
I think they prove they it could be a spyware. I'm waiting for evenbalance to know if it is a normal activity or if my pb exe was infected by a virus.]]> http://www.dslreports.com/forum/remark,19760873 Tue, 08 Jan 2008 11:35:19 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760793 jimkyle : Verisign was originally known as Network Solutions Inc., and was the original issuer of almost all URL names. It's still the registrar for *.com domains; if you have a dot-com domain registered anywhere else, your registrar is simply acting as Verisign's agent.

However the company's hat is not pure white. A few years ago they implemented a change to their service such that if a mis-typed address could not be found in their database, you would be redirected to their own search engine. This caused a firestorm of controversy and they undid their change. However many of us still do not trust the firm completely; the feeling was (and is) that any violation of the standards indicates that future violations may occur.

The reason any program would contact them to verify that a certificate is valid is that the program is "signed" by its maker to assure that it has not been forged. Some operating systems refuse to allow an unsigned program to install or run, but the only way to verify a program signature is to check it out with the original provider -- in this case Verisign.
--
Jim Kyle]]> http://www.dslreports.com/forum/remark,19760793 Tue, 08 Jan 2008 11:22:00 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760543 Mats : No they arent..

I could never give you an explanation that you would understand.. Hopefully someone will come in soon who can..]]> http://www.dslreports.com/forum/remark,19760543 Tue, 08 Jan 2008 10:40:14 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760518 MAT777 :

said by Mats

said by MAT777

:

Ok, and what is verisign

»en.wikipedia.org/wiki/VeriSign

Yes I have read this before coming here.

"VeriSign also provides a variety of security and telecom services"

This is kind of vast to know what they do. Are they a ad/spyware compagny under the cover of ssl certificate?]]> http://www.dslreports.com/forum/remark,19760518 Tue, 08 Jan 2008 10:35:45 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760496 MAT777 :

said by NetFixer

:

Th IP address you posted is one of several crl.verisign.com addresses which are used to check SSL certificate validity.

Do you know why pb has to check for a ssl certificate validity?]]> http://www.dslreports.com/forum/remark,19760496 Tue, 08 Jan 2008 10:33:29 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760497 Mats :

said by MAT777

:

Ok, and what is verisign

»en.wikipedia.org/wiki/VeriSign]]> http://www.dslreports.com/forum/remark,19760497 Tue, 08 Jan 2008 10:33:29 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760487 NetFixer : Th IP address you posted is one of several crl.verisign.com addresses which are used to check SSL certificate validity.]]> http://www.dslreports.com/forum/remark,19760487 Tue, 08 Jan 2008 10:31:06 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760458 MAT777 :

said by Mats

said by MAT777

:

Maybe pb always connected to verisign in the past and I didn't notice it because I allowed pb to accces the net. And when it got updated, my firewall detected it.

This is correct..

Your firewall detected the change to punkbuster program..

Ok, and what is verisign and what pb has to do with it? You have an idear?

btw, I sent a ticket to evenbalance to know if this is a normal activity for pb or not. ]]> http://www.dslreports.com/forum/remark,19760458 Tue, 08 Jan 2008 10:27:00 EDT Re: PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760395 Mats :

said by MAT777

:

Maybe pb always connected to verisign in the past and I didn't notice it because I allowed pb to accces the net. And when it got updated, my firewall detected it.

This is correct..

Your firewall detected the change to punkbuster program..]]> http://www.dslreports.com/forum/remark,19760395 Tue, 08 Jan 2008 10:18:45 EDT PunkBuster service try to connnect to verisign.com? http://www.dslreports.com/forum/remark,19760368 MAT777 : My firewall has detected a change in PnkBstA.exe. And now, It try to connect to this ip: 199.7.54.190. The domain of this IP is »www.verisign.com/.

Is verisign a spyware/ads site?

Maybe pb always connected to verisign in the past and I didn't notice it because I allowed pb to accces the net. And when it got updated, my firewall detected it.]]> http://www.dslreports.com/forum/remark,19760368 Tue, 08 Jan 2008 10:14:54 EDT