NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
Murfreesboro, TN

Re: PunkBuster service tries to connect to verisign.com?

The IP address you posted is one of several crl.verisign.com addresses which are used to check SSL certificate validity.

MAT777

join:2002-02-02
Montreal
·TekSavvy Solutions..
·Videotron

Re: PunkBuster service tries to connect to verisign.com?

said by NetFixer:

"The IP address you posted is one of several crl.verisign.com addresses which are used to check SSL certificate validity."

Do you know why pb has to check for SSL certificate validity?

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: PunkBuster service tries to connect to verisign.com?

said by MAT777:

"Do you know why pb has to check for SSL certificate validity?"

This is almost certainly automatic behavior by the Windows libraries, not volitional activity by punkbuster.

A CRL — Certificate Revocation List — is used to ensure that certificates are still valid and have not been revoked.

When a client (which could be a browser or an application) connects to an SSL-protected resource, it verifies that the cert is valid by following the signing chain down from the roots. The result of this process is a yes/no that the cert is in fact valid.

But there is also a list of revoked certs; ones that were in fact signed (and will pass signing verification), but should nevertheless be considered invalid.

Let's say that I get an SSL cert for www.unixwiz.net from Verisign, but I foolishly allow a bad guy to get my private key and passphrase. That means he can use that cert on a fake www.unixwiz.net website. Oh snap!

So I'll revoke my certificate, which gets it put on the list maintained by crl.verisign.com. So when the Win32 secure-socket libraries verify a cert, they check the root signing chain and check to see if that cert is on the revocation list.

So it's unlikely that Punkbuster is doing anything but calling a Win32-provided library to set up a secure connection, and the library is doing all the heavy lifting.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site

MAT777

join:2002-02-02
Montreal
·TekSavvy Solutions..
·Videotron



Re: PunkBuster service tries to connect to verisign.com?

said by Steve:

"Let's say that I get an SSL cert for www.unixwiz.net from Verisign,"

If I want to understand the whole thing, I need to understand:
What is the SSL cert useful for? Why would you get a cert?

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: PunkBuster service tries to connect to verisign.com?

said by MAT777:

"What is the SSL cert useful for? Why would you get a cert?"

An SSL cert is an attestation of identity: if I have an SSL cert for my website, then if the cert passes validity you can be sure that it really is my website.

You care about this when you visit your bank, ensuring that they are who the URL claims them to be (I personally can't get an SSL certificate for wellsfargo.com).

Additionally, an application such as punkbuster may well need to phone home to get updates and the like: it needs to be sure that when it thinks it's hitting the made-up URL update.punkbuster.com, that it really is connecting to that site.

It's not out of the question to imagine somebody trying to subvert Punkbuster by setting up a fake update site and messing with local DNS, in an attempt to get the software to get a bogus update. But when the fake site is unable to produce a root-CA-signed update.punkbuster.com certificate, then the application knows it's not talking to the real deal.

But please note that an attestation to identity is not the same as an attestation to safety - I could set up www.FreeSpywareWithPorn.com, get a valid cert, and offer exactly what I claim. Just because the site is what it claims to be doesn't mean that it's safe.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site

MAT777

join:2002-02-02
Montreal


Re: PunkBuster service tries to connect to verisign.com?

But for example, when I visit my bank site, what checks the SSL certificate? Firefox?

Maybe my bank doesn't use this; do you have an example of a site that uses an SSL certificate?

Steve
I'm a PC, so shut up
Consultant
join:2001-03-10
Yorba Linda, CA

Re: PunkBuster service tries to connect to verisign.com?

said by MAT777:

"But for example, when I visit my bank site, what checks the SSL certificate? Firefox?"

Your web browser checks the cert: it ensures that the Common Name on the certificate matches the URL in the address line, that the cert has a chain of signing from the trusted root certs, that the cert has not expired, and that the cert has not been added to a revocation list (there are other housekeeping checks too).

All online banking uses SSL: if you see https in the URL, it's using an SSL certificate.

Steve
--
Stephen J. Friedl | Unix Wizard | Microsoft Security MVP | Tustin, California USA | my web site
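
The checks described in the replies above (name match, chain of signing, expiry, revocation list), as an added example that is not part of the original posts. It is a simplified Python model with no real cryptography; the CA name, serial numbers and dates are constructed, and it shows a correctly signed cert being rejected once its serial appears on the issuer's CRL.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:  # constructed stand-in for an X.509 certificate, no real crypto
    subject: str          # Common Name
    issuer: str           # subject of the CA that signed this cert
    serial: int           # unique per issuer; this is what a CRL lists
    not_before: datetime
    not_after: datetime

def validate(chain, host, trusted_roots, crls, now):
    """Return "ok" or the name of the first failed check.
    chain[0] is the site's cert; each later cert issued the one before it.
    crls maps an issuer name to the set of serial numbers it has revoked."""
    if chain[0].subject.lower() != host.lower():
        return "name mismatch"
    # Pair every cert with its signer; the last cert must be self-issued.
    for cert, signer in zip(chain, chain[1:] + [chain[-1]]):
        if cert.issuer != signer.subject:   # stands in for signature checking
            return "broken chain"
        if not cert.not_before <= now <= cert.not_after:
            return "outside validity period"
        if cert.serial in crls.get(cert.issuer, set()):
            return "revoked"                # correctly signed, yet withdrawn
    if chain[-1] not in trusted_roots:
        return "untrusted root"
    return "ok"

# Constructed sample data (hypothetical CA name, serials and dates).
UTC = timezone.utc
START, END = datetime(2009, 1, 1, tzinfo=UTC), datetime(2010, 1, 1, tzinfo=UTC)
NOW = datetime(2009, 6, 1, tzinfo=UTC)
ROOT = Cert("Example Root CA", "Example Root CA", 1, START, END)
SITE = Cert("www.unixwiz.net", "Example Root CA", 1001, START, END)
FAKE = Cert("www.unixwiz.net", "www.unixwiz.net", 7, START, END)  # self-signed

def demo():
    host, roots = "www.unixwiz.net", {ROOT}
    revoked = {"Example Root CA": {1001}}   # key compromise reported to the CA
    return {
        "before revocation": validate([SITE, ROOT], host, roots, {}, NOW),
        "after revocation": validate([SITE, ROOT], host, roots, revoked, NOW),
        "self-signed fake": validate([FAKE], host, roots, {}, NOW),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The revocation lookup is the only step that needs fresh data from the CA, which is why a real client has to fetch the CRL over the network.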

MAT777

join:2002-02-02
Montreal

Re: PunkBuster service tries to connect to verisign.com?

https, ok, I got it now. Thanks for all this information.
over 10 years online! © 1999-2009 dslreports.com.