Digicert Certification Authority IP Address Included in Prohibited Sites Registry

    On September 29, Roskomnadzor, acting on a 2013 decision of the Oktyabrsky District Court of Stavropol, entered the IP address 93.184.220.29 in the register of banned sites. The court decision requires blocking the websites and mobile applications of several bookmakers. Blocking the websites is straightforward, but in all likelihood the experts of the Stavropol prosecutor's office (the lawsuit was filed on its behalf), when faced with restricting the application's operation, simply listed every IP address the application contacted at launch, including the addresses of the CRL (certificate revocation list) and OCSP (certificate status checking) servers of the global certification authorities used for HTTPS encryption.

    Screenshot of the site eais.rkn.gov.ru

    This court decision became known in July this year, when links to Comodo CRL files were blocked ("Roskomnadzor blocked itself and some government sites (Comodo)" by BupycNet). This time the address belongs to another certification authority, Digicert.
    $ host crl3.digicert.com
    crl3.digicert.com is an alias for cs9.wac.phicdn.net.
    cs9.wac.phicdn.net has address 93.184.220.29
    $ host ocsp.digicert.com
    ocsp.digicert.com is an alias for cs9.wac.phicdn.net.
    cs9.wac.phicdn.net has address 93.184.220.29
    As a result, when you try to open sites that use Digicert certificates in Firefox and Chrome, you will encounter a 3 or 10 second delay because the certificate status cannot be checked, or even see an error in browsers that refuse to open a site when the revocation check fails (Safari on OS X).

    The author and commenters of the site shortcut.ru, in the article “Why Facebook doesn’t work on the Mac?”, have noted that Facebook.com and Github.com have not worked in Safari since October 3, and suggest disabling revocation checking in the OS settings.
    X509v3 Subject Alternative Name: 
        DNS:*.facebook.com, DNS:*.facebook.net, DNS:*.fb.com, DNS:*.fbcdn.net, DNS:*.fbsbx.com, DNS:*.m.facebook.com, DNS:*.messenger.com, DNS:*.xx.fbcdn.net, DNS:*.xy.fbcdn.net, DNS:*.xz.fbcdn.net, DNS:facebook.com, DNS:fb.com, DNS:messenger.com
    X509v3 CRL Distribution Points: 
        Full Name:
            URI:http://crl3.digicert.com/sha2-ha-server-g5.crl
        Full Name:
            URI:http://crl4.digicert.com/sha2-ha-server-g5.crl
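
An added example (not part of the original article): a Python check that takes the certificate extension dump and the `host` output shown above and reports which revocation endpoints resolve to an address listed in the registry. The function names and the `REGISTRY_IPS` set are assumptions made for this illustration; crl4.digicert.com is reported as unresolved because the page shows no lookup for it.

```python
import re
from urllib.parse import urlparse
# Copied from this page: certificate extension dump and `host` output.
CERT_TEXT = """X509v3 CRL Distribution Points:
    Full Name:
        URI:http://crl3.digicert.com/sha2-ha-server-g5.crl
    Full Name:
        URI:http://crl4.digicert.com/sha2-ha-server-g5.crl
"""
HOST_OUTPUT = """crl3.digicert.com is an alias for cs9.wac.phicdn.net.
cs9.wac.phicdn.net has address 93.184.220.29
"""
REGISTRY_IPS = {"93.184.220.29"}  # the address the article says was listed

def revocation_hosts(cert_text):
    """Hostnames from every URI: entry of an `openssl x509 -text` dump."""
    hosts = {urlparse(u).hostname for u in re.findall(r"URI:(\S+)", cert_text)}
    return sorted(h for h in hosts if h)

def parse_host_output(text):
    """Return (aliases, addresses) maps built from `host` output lines."""
    aliases, addrs = {}, {}
    for line in text.splitlines():
        if m := re.match(r"\s*(\S+) is an alias for (\S+)", line):
            aliases[m.group(1)] = m.group(2).rstrip(".")
        elif m := re.match(r"\s*(\S+) has address (\S+)", line):
            addrs.setdefault(m.group(1), set()).add(m.group(2))
    return aliases, addrs

def resolve(name, aliases, addrs, max_hops=8):
    """Follow the CNAME chain (bounded, so loops end) to its A records."""
    for _ in range(max_hops):
        if name in addrs or name not in aliases:
            break
        name = aliases[name]
    return addrs.get(name, set())

def audit(cert_text, host_output, registry_ips):
    """Map each revocation host to 'blocked', 'clear' or 'unresolved'."""
    aliases, addrs = parse_host_output(host_output)
    report = {}
    for host in revocation_hosts(cert_text):
        ips = resolve(host, aliases, addrs)
        report[host] = ("unresolved" if not ips else
                        "blocked" if ips & registry_ips else "clear")
    return report

if __name__ == "__main__":
    print(audit(CERT_TEXT, HOST_OUTPUT, REGISTRY_IPS))
```

To run it against a live certificate, feed `audit` the text of `openssl x509 -noout -text` and the output of `host` for each endpoint instead of the embedded samples.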

    An entry in the registry on the website of Roskomsvoboda

    UPD: The IP was removed from the registry on 10/10/2016.
