The Internet has thousands of threads about the Akamai creeps. Two decades, no answers; just idiotic lies from morons who believe Power is their friend. They're big, right? What reason would they have to 'risk' it all? This is the logic used to convince morons that online poker is legit. Like Absolute and UB.
At best, they're incompetent. Which is kind of amazing, because billion-$ corporations are somehow compelled to host their websites on Akamai servers. At worst, they're corrupt. Which is kind of amazing, because billion-$ corporations are somehow compelled to host their websites on Akamai servers.
http://forums.techguy.org/web-email/...ai-net-fb.html
No responses.
http://forums.techguy.org/general-se...i-net-img.html
No responses.
http://forums.techguy.org/web-email/...mai-net-2.html
2007 thread with multiple complaints, no solutions. Yahoo said it was a minor problem that would go away soon. 2007.
Originally Posted by Anonymous
This problem started happening to me since last week I started protesting in facebook against the corrupted politicians running the planet
One poster linked to
SecuriTeam's warning:
Some Akamai hosts allowed anyone to proxy SSL connections through them. That is, anyone could freely "Akamaize" his or her own SSL Web server (see:
http://www.peacefire.org/bypass/Proxy/akamai.html). Because popular browsers (e.g., Netscape and IE) implicitly trust Verisign CA certificates, a malicious SSL server could spoof SSL certification via Akamai's use of Verisign server certificates. The effect was that simply checking a site for the existence of a Verisign server certificate had no meaning. Anyone would have been able to use a Verisign server certificate (specifically, one issued to Akamai) for signing arbitrary content.
After Verisign issued 'bogus' Microsoft certificates (their explanation was that someone fooled them into issuing them to Microsoft Corporation, Microsoft was like "eh these things happen, no problemo homie") in like 2001, the question I've asked many times without an answer is WHY ARE VERISIGN STILL IN BUSINESS? No one else really asks that question. Everyone is so wonderfully forgiving.
This guy demolishes Microsoft's insulting claims post-incident. You would have to be a world-class imbecile (almost, Filipino-level stupid) to fail to understand that Microsoft's mistakes aren't really mistakes so much as 'mistakes'. And insulting ones, at that.
We've seen how VeriSign publishes its CRLs, and examined whether its certificates and CRLs are within RFC 2459's requirements. Now let's revisit the question of exactly how Windows obtains and uses VeriSign CRLs. In particular, does Microsoft's CryptoAPI support the Well-Known-URL method, or does it rely on the user to provide the Manual method? The rather astonishing conclusion one must arrive at is "Neither".
To be specific, Microsoft's CryptoAPI, as shipped by Microsoft, only handles CRLs when they are listed in certificates that have the CRL Distribution Point extension of RFC 2459.
Microsoft is simply refusing to acknowledge the question of how it could design and ship a revocation infrastructure relying entirely on a feature it must have known didn't exist in the VeriSign certificates it was accepting.
Any system -- even Microsoft's -- could have an internal Well-Known URL for VeriSign, from which it automatically obtains suitably-recent CRLs for any VeriSign certificates it cares to accept. As an unautomated alternative, any system -- even Microsoft's -- could have a simple Manual procedure for obtaining and using CRLs. Which systems actually do this is a different question entirely. Indeed, one system we certainly know cannot and does not: Microsoft's.
But maybe a simple Manual process WILL work with MSIE. Here's what one user wrote to me about the process:
- Go to the VeriSign CRL site and click on the link named Class3SoftwarePublishers.crl to download the CRL.
- Go to Tools | Internet Options, then click on the Contents Tab.
- Click the Certificates button.
- Click Import, then use the Certificate Manager Import Wizard to import the CRL.
- Follow the confirmation instructions in Microsoft Security Bulletin MS01-017:
In IE, select Tools, then Internet Options. Select the Advanced tab, then scroll to the section titled Security and verify that "Check for publisher's certificate revocation" has been selected.
- Verify that the CRL is in use by downloading an OCX and following the instructions on Microsoft's update confirmation page.
[U][But it's not working because] I followed the procedure listed, and what it says under Digital Signature Information is "This signature is okay" rather than anything about revocation.
Now it's possible that I've done something wrong, but [it seems pretty straight-forward].
Either way, something is very wrong.
The really interesting thing is that VeriSign has been publishing CRLs under its current mechanisms FOR YEARS, indeed, for years before RFC 2459 was ever written. Either it was wasting time and money doing so, since those CRLs were never used by anyone, or someone somewhere managed to figure out a way to get the VeriSign CRLs and use them properly. That Microsoft was unable to do so is the real issue here.
This leaves a really big unanswered question:
Why would Microsoft base its entire CRL and revocation infrastructure on an optional feature that was absent from certificates issued by one of its principal certificate providers?
At the very least, there are some gravely flawed design assumptions here, or there is a major breakdown in communication and requirements. Microsoft alone knows the real answer, and Microsoft alone should be held accountable.
Amazingly, this condition (unobtainable and/or unusable VeriSign CRLs) must have persisted for some time. That is, the revocation problem itself has existed since CryptoAPI first shipped. Windows has NEVER been able to obtain and use a VeriSign CRL. If it had, then Microsoft would not have had to issue ANY patch or update.
Security is a chain. Break one link and the whole chain fails. The critical broken link in this incident was Microsoft's sole reliance on a feature that simply didn't appear in the certificates it was accepting.
He didn't do anything wrong. Every other day, I follow a procedure outlined on an Microsoft "FastRelease Article" or listed on an Apple or AppleDeveloper forum to address one of the millions of security 'breaches' left intentionally open on systems shipped by every single OEM and software provider. I'm not a moron. Nothing about these steps are especially complicated, with the exception of getting them to work.
I reach the final step and the command prompt returns zero output, i.e. in this imbecilic quasi-Orwellian industry, that's supposed to mean "success" - except, there isn't any. I appreciate the brilliance, in tactics. But I'm the only person who does. Everyone else just gets frustrated. I get horrified because the only thing worse than a stack of new error messages, is no error messages. You know how ridiculous it is trying to elicit 'expert' assistance for a command that produces zero output upon completion?
It's about as ridiculous as posting a log of error messages. I have single (1) logs with millions of lines of errors when I open them in Notepad. I've posted links to them. I've read huge portions. Pretty sure millions of errors during failed installs = something is very wrong. You can investigate those error messages if you want to get more error messages. Keep spinning round and around hunting down Microsoft and Apple errors and you could spend 14 months and 6 figures USD going backwards.
I know this because I did this once, and this is what happened to me. You could probably achieve the same in a shorter period of time, and I imagine it wouldn't cost you as much. In late May and early July, I was going 'crazy'; offering Thai networking specialists 10,000 and 20,000 baht "no strings attached" upfront fees just to take a look. It's funny, some really hated money and simply weren't interested. So I upped the offers. Understand, I'm holding cash out when making these offers; I'm not promising cheques payable upon invoice or COD. They hate money at Pantip and FortuneTown, what can you do. A few didn't though; at least, not initially. A lot of experts came to my apartment in 2011. The manner in which they left though...
I know what horror combined with self-hatred, frustration and terror looks like. I have woken up with "big-boned" girls I believed were adorable the night before, when I used to drink. My systems are "big-boned" girls. My cash was the alcohol. The guys that stumbled backwards out of my Siri@Sukhumvit apartment...I recognised those guys. "Nothing is wrong", they said. "Everything is fine."
They just had to go.
-----
This is interesting.
http://revealingerrors.com/akamai_ssl
Not happy about this Akamai shit. Have spent ages looking into DNS redirecting and am convinced there is a connection here with Akamaitechnologies. What do we do, stop purchasing stuff online because that is the only way to be secure? Very worrying indeed. The Internet is rapidly becoming an unworkable pool of shit. God only know what it will be like in ten years time??? When I have found a way to block Akamai, I will and if that means I can't access sites as a result then so be it!
Posted by Christopher Bergner at Mon Mar 21 15:38:22 2011
I have spent many days doing the same thing and am also convinced Akamaitechnologies are FILTHY CORRUPT. There are thousands of threads on the Internet with no answers, just idiotic lies about it being "fixed soon".
None of this covers why Akamai feels the need to persistantly portscan anything and everything that connects to a site hosted on one of their servers, and their own website fails to explain the need for this assault.
Posted by Anonymous at Wed Mar 16 21:45:57 2011
I've got a pretty good idea why.
Threaded Mode
