PCA Forums

NAV (and other programs) have routines that regularly and automatically keep them updated. They typically do this via HTTP operations. Due to the sensitivity of the data and wanting to prevent session hijacks, they typically set up the update servers with SSL certificates that verify the update servers' identities to the clients. If the certificates have expired, the clients may sit there, aborting and retrying the connection over and over. This kind of fibrillation will eat your CPU (and memory, since each SSL negotiation attempt requires a non-trivial amount of resources to compute).

Symantec has laid the blame on VeriSign after Norton AntiVirus users complained that their computers became slow and unstable after they downloaded updates to the software.

The expiration of some of VeriSign's certificate-authority certificates this week appears to have caused problems beyond the harmless error messages generated when users tried to access secure areas of Web sites. Symantec on Friday blamed VeriSign for problems with its security software products that left users' PCs unresponsive and unstable.

The problems caused a flurry of angry posts to the Symantec area of support forums from users saying they would ditch Symantec's Norton AntiVirus. Some users of the Norton products reported that their PCs locked up or slowed down after downloading the latest virus definitions on Wednesday and Thursday. Symantec itself reported that "after January 7, 2004, your computer slows down and Microsoft Word and Excel will not start."

But the glitch is not down to Norton AntiVirus, according to Symantec. The Cupertino, Calif.-based company said in a statement on its Web site that the problem "appears to be related to VeriSign receiving an unusual number of requests by Windows-based clients to download a certificate revocation list (CRL) on January 7-8, 2004. This increase in traffic resulted in intermittent VeriSign CRL server availability."

A number of VeriSign's certificates that verified it as a certificate issuing authority expired on these dates. Norton AntiVirus products routinely verify the integrity of system components using certificates issued by the Mountain View, Calif.-based company. Neither VeriSign nor Symantec could immediately explain the exact sequence of events, but according to the statement on the security software maker's Web site, copies of Norton AntiVirus installed on PCs were unable to achieve the authentication they required because of the unavailability of VeriSign's server. "Therefore customers experienced delays and instabilities," Symantec said.

Hinting that it was not the only company whose products were affected, Symantec said it "and other vendors" were "cooperatively working with VeriSign to mitigate this situation."

Symantec issued a quick fix for the problem. The fix involves de-selecting the option to check for publisher's certificate revocation in the Internet Explorer browser.

Despite Symantec's protests that it is not to blame, the episode may have created bad publicity for its Norton AntiVirus product. "I am now strongly tempted to trash Norton AV in favour of something more user friendly and which doesn't slow down the opening of every damned thing in sight!" said one poster. "I have been having 16-plus second delays if I right-clicked on anything--even after a system reboot," wrote another. "I am not happy and have installed Sophos instead." This individual then went on to say they were not happy with that either, "as updates seem incredibly confusing...I shall now try McAfee."

In a statement issued to address the certificate revocation problem, VeriSign said that it had taken steps since 2001 to notify customers of the situation and, with each communication, to alert them to the expiration date and steps necessary to obtain a new Intermediate Certificate Authority (CA).