I wrote a .Net application that has nothing to do with network communication. There is not a single line of code in the whole application that uses the NIC, but my firewall has caught it trying to contact Verisign for some reason when the app starts. This does not happen regularly; as a matter of fact, it has only happened twice.

The last time it happened, I was able to launch Wireshark before telling my firewall to allow access to the network. There was no real data transfer that I can tell. It only captured 9 TCP packets: some SYN packets, some SYN/ACK, and some RST packets (The RST packets were broken). I would suspect one of my third-party dlls, but I don't see why a math library or an image manipulation library would try to establish a connection with Verisign and then do nothing with that connection.

My clients are in organizations with tight security; the last thing I want is a phone call asking why my application is connecting to the Internet.

Does anyone know why this is happening? Is there a way to prevent it from happening?

The .pcap file that Wireshark generated is here.

A: 

Are these paid third party dlls which are possibly doing some sort of usage authentication?

Anthony Potts
They are paid, but their licensing mechanism consists of looking for a license key included in a file on the computer.
Phil
Well, that's one licensing mechanism. The other one doesn't seem to have a license verification mechanism.
Phil
+1  A: 

If it's a web app with SSL, it could be IE trying to verify that the certificate hasn't been revoked.

David
AFAIK, the same can be true for any signed .net assemblies, not necessarily connected to IE or web apps. The system would contact a Certificate Revocation List (CRL) server to check if anything shall not be trusted anymore. There is a system-wide option to disable this behaviour, but I can't remember where it is.
atzz
+1  A: 

Are any of the 3rd party DLLs signed with Authenticode?

sixlettervariables
+2  A: 

If you sign your assembly with a real certificate, the .net runtime has to check the digital signature.

Joel Coehoorn
+7  A: 

Here's a good link to a blog explaining what's happening, and the changes to your application config file you can add to stop it from happening, specifically:

<configuration>
  <runtime>
    <!-- Stop the CLR from generating Authenticode publisher evidence at startup,
         which is what triggers the certificate revocation (CRL) lookup -->
    <generatePublisherEvidence enabled="false"/>
  </runtime>
</configuration>

It's related to Authenticode signing, and the PublisherMembershipCondition which you almost definitely don't need. That's explained here on MSDN.

A thing to note is that .Net 2.0 and .Net 3.0 only added support for this config setting with SP1. .Net 3.5 supports this without any service pack.

dwhiteho
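An added check, not part of any of the answers above, that ties the two threads together: it lists which assemblies in the application folder are Authenticode-signed (the question sixlettervariables raises, and the reason the runtime builds publisher evidence and contacts the CA's revocation server), and then inspects the application's .exe.config for the generatePublisherEvidence setting from the last answer. The $AppDir path is an assumption; point it at your own deployment folder.

```powershell
# Added example (not from the original answers): find Authenticode-signed assemblies
# in an application folder and check whether its config disables publisher evidence.
param(
    [string]$AppDir = 'C:\Path\To\YourApp'   # assumption: replace with your app folder
)

# 1. Which managed DLLs/EXEs carry an Authenticode signature? Each signed file is a
#    candidate for the CLR building PublisherMembershipCondition evidence at startup,
#    which in turn drives the CRL lookup seen in the firewall/Wireshark capture.
Get-ChildItem -Path $AppDir -Include *.dll, *.exe -Recurse |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File   = $_.Name
            Status = $sig.Status
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        }
    } |
    Where-Object { $_.Status -ne 'NotSigned' } |
    Format-Table -AutoSize

# 2. Does the application's config already turn off publisher evidence generation?
$config = Get-ChildItem -Path $AppDir -Filter '*.exe.config' | Select-Object -First 1
if (-not $config) {
    Write-Output "No *.exe.config found in $AppDir; add one with <generatePublisherEvidence enabled=""false""/>."
} else {
    [xml]$doc = Get-Content -Path $config.FullName
    $node = $doc.SelectSingleNode('/configuration/runtime/generatePublisherEvidence')
    if ($node -and $node.enabled -eq 'false') {
        Write-Output "$($config.Name): publisher evidence generation is disabled."
    } else {
        Write-Output "$($config.Name): generatePublisherEvidence is not disabled; startup CRL checks remain possible."
    }
}
```

Run it from a PowerShell prompt on the machine where the application is deployed; unsigned files are filtered out of the first table so only the assemblies that can trigger the check are shown.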