Windows Server 2000/2003 Thread, Is this secure? in Technical
17th June 2010, 11:03 AM #1
Is this secure?
To get some software to work I've had to Disable the GPO option "Check for server certificate revocation" for student users.
Can somebody explain what this means and whether disabling it shouldn't open any security holes?
17th June 2010, 11:12 AM #2
Disabling it is a bad idea.
When a certificate is published, the certificate authority has no further control over it until it expires. So if the certificate is used for Bad Things™, it can give the user a sense of trust without any justification.
So instead, authorities embed a link to a revocation (from the verb to revoke) list in the certificate, and the browser checks this before allowing the connection. If the certificate has been revoked, an error is displayed.
Disabling the check disables this protection.
17th June 2010, 11:18 AM #3
Check for updates for the software in question.
Certificate Revocation means that the content is signed but with a certificate that has been revoked by the issuing agency. This could be for a variety of reasons.
Effectively it means your content cannot be trusted as having come unaltered from the stated source; if downloaded, potentially a huge problem, on an official CD perhaps less so.
No doubt someone with more insight than me will have something to add.
17th June 2010, 11:23 AM #4
So, why do I need to disable this to get the software to work? I'm waiting to hear back from the software support.
The software in question is a local exe that then pulls its users etc from a secure site (at their end). When I first installed this software it worked, then went off a couple of weeks ago.
Do you think the problem is more related to a certificate at their end? And should I tell them to sort it at their end rather than me possibly opening up a hole?
17th June 2010, 11:26 AM #5
a) the certificate has been revoked b) the revocation list is unavailable c) the revocation list can't be fetched through your filter or d) some other problem.
Thanks to powdarrmonkey from:
Hightower (17th June 2010)
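The four causes listed in post #5 can be told apart from an affected machine before deciding whether the revocation check needs to stay disabled. The following PowerShell is an added example, not something posted in the thread; it uses .NET's `X509Chain` class, and `vendor.example` is a placeholder for the host the application actually connects to.

```powershell
# Added example: classify why revocation checking fails for a server certificate.
# 'vendor.example' is a placeholder host name, not taken from the thread.
param([string]$HostName = 'vendor.example', [int]$Port = 443)

$X509 = 'System.Security.Cryptography.X509Certificates'
$tcp  = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
try {
    # Accept any certificate for this handshake only, so the certificate can be
    # fetched and inspected even if normal validation would reject it.
    $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object "$X509.X509Certificate2" ($ssl.RemoteCertificate)
} finally {
    $tcp.Close()
}

# Build the chain with online revocation checking, as Windows does when the
# "Check for server certificate revocation" setting is enabled.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$chain.ChainPolicy.UrlRetrievalTimeout = New-TimeSpan -Seconds 15
[void]$chain.Build($cert)

# Combine the status flags reported for the chain.
$F = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
$seen = 0
foreach ($s in $chain.ChainStatus) { $seen = $seen -bor [int]$s.Status }

"Subject: $($cert.Subject)"
"Expires: $($cert.NotAfter)"
if ($seen -band [int]$F::Revoked) {
    'a) A certificate in the chain has been revoked: the vendor has to replace it.'
} elseif ($seen -band ([int]$F::RevocationStatusUnknown -bor [int]$F::OfflineRevocation)) {
    'b/c) The revocation list could not be retrieved: test the URLs below through the filter.'
} elseif ($seen -ne 0) {
    'd) Some other chain problem (see status lines below).'
} else {
    'Chain and revocation check passed from this machine and account.'
}
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

# Print the CRL distribution points (2.5.29.31) and Authority Information Access
# (1.3.6.1.5.5.7.1.1) extensions, which hold the URLs the revocation check fetches.
foreach ($oid in '2.5.29.31', '1.3.6.1.5.5.7.1.1') {
    $ext = $cert.Extensions[$oid]
    if ($ext) { $ext.Format($true) }
}
```

Run it while logged on as one of the affected student users, since the proxy and filter rules that decide whether the CRL can be fetched may differ per account.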