PKISolutions/Asn1Editor.WPF

Remote IP connection attempts each time upon opening the file to be analysed or edited

Closed this issue · 7 comments

Nice tool. However it is surprising to see that outbound connections to two different IP addresses are attempted each time upon opening the file to be analysed or edited. I write here "are attempted" as in my particular case these connection attempts were blocked and reported by firewall.

Does the tool really need to connect anywhere for its proper operation?
To me it does not look so ... So what are these connection attempts intended for?

Can you provide network request details?
The application does not require any network connection and can work in a completely isolated environment (with no network adapters) without any limitations. So I'm wondering if it is really the Editor that makes these connections.

To my understanding, the requests were sent when you tried to verify the application signature. That process invoked CRL retrieval to validate the signature for revocation. For example, the first IP in your video is 172.64.149.23 and it is Comodo's CRL endpoint:

PS C:\> nslookup crl.sectigo.com
Server:  redacted
Address:  redacted

Non-authoritative answer:
Name:    crl.comodoca.com.cdn.cloudflare.net
Addresses:  2606:4700:4400::ac40:9517
          2606:4700:4400::6812:26e9
          172.64.149.23
          104.18.38.233
Aliases:  crl.sectigo.com

So it is not the application itself; it is the signature validation function that tries to validate the signature every time you run the editor.

I have double-checked what is happening after opening the application and it seems that the trigger is not opening the application, but opening the file.

Unfortunately, your video doesn't prove this. You opened Event Viewer, then verified the signature (which immediately resulted in new events in the event log), then started the application and then opened the file. Only after that did you refresh Event Viewer. There is no proof that any new event was created between the application startup and opening the file. You may need to check at what points events are generated. Like this:

  1. start editor, check if any network connection is made
  2. open file for decoding, check if any network connection is made
  3. open another file for decode, check if any network connection is made

This would be helpful to identify what can cause these connections.

And it is a bit strange that Windows is reporting asn1editor as the application which tries to establish the connection.

Agree. The application itself doesn't check its own signatures. However, it can be part of the .NET runtime when the application performs lazy reference library loading: the application loads dependencies (DLLs) on demand, when the call stack contains code from an external file. But it is just a guess.


The only thing we know for sure -- these requests are related to digital signature validation and are not part of the application code. I can try to explain what causes these network connections, but not remediate them.

The only thing I can think of -- late SysadminsLV.Asn1Parser.dll loading. To confirm this, try to run the application and do not open a file for decoding in the main window. Instead, open the Converter dialog, paste sample cert content as PEM and then click the Validate button:


This should trigger network connections. After that, no further connections should be made.

the connection is triggered just by opening the Converter ...

Yeah, then these connections are indeed triggered when the application [lazily] loads the SysadminsLV.Asn1Parser.dll dependency using an implicit System.Reflection.Assembly.Load* call. And this call triggers signature validation since the module being loaded is digitally signed. Unfortunately, I can't do anything here because I don't own Microsoft code. Shipping unsigned binaries is not an option.
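
The check discussed in this thread (matching the firewall-reported IPs to the revocation endpoints of the signing certificate) can be scripted. This is an added example, not part of the original thread or the project's code; the DLL path is a placeholder assumption.

```powershell
# Added example (not the project's code): list CRL / OCSP endpoints in the
# Authenticode signing chain of a signed module and resolve them to IPv4
# addresses for comparison with the addresses the firewall reported.
param(
    # Assumption: placeholder path, point it at the DLL in your install folder.
    [string]$Path = '.\SysadminsLV.Asn1Parser.dll'
)

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "No Authenticode signature on $Path" }

# Build the chain with revocation checking off so this script does not fetch
# CRLs itself. Windows may still download a missing issuer certificate via AIA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
[void]$chain.Build($sig.SignerCertificate)

# Extension OIDs: CRL Distribution Points and Authority Information Access.
$kinds = @{ '2.5.29.31' = 'CRL'; '1.3.6.1.5.5.7.1.1' = 'AIA' }

$endpoints = foreach ($element in $chain.ChainElements) {
    $cert = $element.Certificate
    foreach ($ext in $cert.Extensions) {
        if (-not $kinds.ContainsKey($ext.Oid.Value)) { continue }
        # Format() renders the extension as text that includes URL=... entries.
        foreach ($m in [regex]::Matches($ext.Format($true), 'https?://[^\s,)]+')) {
            [pscustomobject]@{
                Certificate = $cert.GetNameInfo('SimpleName', $false)
                Kind        = $kinds[$ext.Oid.Value]
                HostName    = ([uri]$m.Value).Host
                Url         = $m.Value
            }
        }
    }
}

# Resolve each distinct host; CNAME records carry no IPAddress and are skipped.
$endpoints | Sort-Object HostName -Unique | ForEach-Object {
    $ips = Resolve-DnsName -Name $_.HostName -Type A -ErrorAction SilentlyContinue |
        Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }
    [pscustomobject]@{ HostName = $_.HostName; Kind = $_.Kind; IPv4 = $ips -join ', ' }
} | Format-Table -AutoSize

$endpoints | Format-Table Certificate, Kind, Url -AutoSize
```

Endpoints served from a CDN, as in the nslookup output above, return several addresses, so compare against the whole set rather than a single IP.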