为什么我的 .Net 应用程序会联系 Verisign?
我编写了一个与网络通信无关的.Net应用程序。整个应用程序中没有一行代码使用 NIC,但我的防火墙在应用程序启动时发现它由于某种原因试图联系 Verisign。这种情况并不经常发生;事实上,这种事只发生过两次。
上次发生这种情况时,我能够在告诉防火墙允许访问网络之前启动 Wireshark。据我所知,没有真正的数据传输。它只捕获了 9 个 TCP 数据包:一些 SYN 数据包、一些 SYN/ACK 和一些 RST 数据包(RST 数据包已损坏)。我会怀疑我的第三方 dll 之一,但我不明白为什么数学库或图像处理库会尝试与 Verisign 建立连接,然后对该连接不执行任何操作。
我的客户所在的组织具有严格的安全性;我最不想看到的就是接到电话询问为什么我的应用程序连接到互联网。
有谁知道为什么会发生这种情况?有办法防止这种情况发生吗?
Wireshark 生成的 .pcap 文件位于此处。
I wrote a .Net application that has nothing to do with network communication. There is not a single line of code in the whole application that uses the NIC, but my firewall has caught it trying to contact Verisign for some reason when the app starts. This does not happen regularly; as a matter of fact, it has only happened twice.
The last time it happened, I was able to launch Wireshark before telling my firewall to allow access to the network. There was no real data transfer that I can tell. It only captured 9 TCP packets: some SYN packets, some SYN/ACK, and some RST packets (The RST packets were broken). I would suspect one of my third-party dlls, but I don't see why a math library or an image manipulation library would try to establish a connection with Verisign and then do nothing with that connection.
My clients are in organizations with tight security; the last thing I want is a phone call asking why my application is connecting to the Internet.
Does anyone know why this is happening? Is there a way to prevent it from happening?
The .pcap file that Wireshark generated is here.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
这是一个很好的链接 一个博客解释发生了什么,以及您可以添加的对应用程序配置文件的更改以阻止其发生,具体来说:
它与authenticode签名以及您几乎肯定不需要的PublisherMembershipCondition相关。 MSDN 对此进行了解释
需要注意的是 .Net 2.0 .Net 3.0 仅在 SP1 中添加了对此配置设置的支持。 .Net 3.5 支持此功能,无需任何服务包。
Here's a good link a blog explaining what's happening, and the changes to your application config file you can add to stop it from happening, specifically:
It's related to authenticode signing, and the PublisherMembershipCondition which you almost definitely don't need. That's explained here on MSDN
A thing to note is that .Net 2.0 and .Net 3.0 only added support for this config setting with SP1. .Net 3.5 supports this without any service pack.
如果您使用真实证书对程序集进行签名,.net 运行时必须检查数字签名。
If you sign your assembly with a real certificate, the .net runtime has to check the digital signature.
如果它是带有 SSL 的 Web 应用程序,则 IE 可能会尝试验证证书是否未被吊销。
If it's a web app with SSL, it could be IE trying to verify that the certificate hasn't been revoked.
是否有任何使用 Authenticode 签名的第 3 方 DLL ?
Are any of the 3rd party DLLs signed with Authenticode?
这些付费第三方 dll 是否可能进行某种使用身份验证?
Are these paid third party dlls which are possibly doing some sort of usage authentication?