
Remote IP connection attempts each time upon opening the file to be analysed or edited

Open sekmadienis opened this issue 1 year ago • 7 comments

Nice tool. However, it is surprising to see that outbound connections to two different IP addresses are attempted each time upon opening the file to be analysed or edited. I write here "are attempted" as in my particular case these connection attempts were blocked and reported by the firewall.

Does the tool really need to connect anywhere for its proper operation? To me it does not look so ... So what are these connection attempts intended for?

sekmadienis avatar Mar 19 '24 07:03 sekmadienis

Can you provide network request details? The application does not require any network connection and can work in a completely isolated environment (with no network adapters) without any limitations. So I'm wondering if it is really the Editor that makes these connections.

Crypt32 avatar Mar 19 '24 08:03 Crypt32

To my understanding, requests were sent when you tried to verify the application signature. That process invoked CRL retrieval to validate the signature for revocation. For example, the first IP in your video is 172.64.149.23 and it is Comodo's CRL endpoint:

PS C:\> nslookup crl.sectigo.com
Server:  redacted
Address:  redacted

Non-authoritative answer:
Name:    crl.comodoca.com.cdn.cloudflare.net
Addresses:  2606:4700:4400::ac40:9517
          2606:4700:4400::6812:26e9
          172.64.149.23
          104.18.38.233
Aliases:  crl.sectigo.com

So it is not the application itself; it is the signature validation function that tries to validate the signature every time you run the editor.

Crypt32 avatar Mar 19 '24 16:03 Crypt32
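
The lookup above, generalized as an added example (not part of the original thread or the project's code): it lists the CRL and AIA URLs in the certificates behind a file's Authenticode signature and resolves their hosts, so blocked destination IPs from a firewall log can be matched to revocation endpoints. The file path is a placeholder.

```powershell
# Added example: list the revocation/AIA endpoints named in the certificates
# behind a file's Authenticode signature and resolve their hosts to IPs.
param([string]$Path = 'C:\Path\To\SysadminsLV.Asn1Parser.dll')  # placeholder path

$oids = @{
    '2.5.29.31'         = 'CRL Distribution Points'
    '1.3.6.1.5.5.7.1.1' = 'Authority Information Access'
}

$sig = Get-AuthenticodeSignature -FilePath $Path
if (-not $sig.SignerCertificate) { throw "No Authenticode signature found on $Path" }

# Collect the signer and timestamp certificates plus their issuers.
# Revocation is not checked here; only the certificate extensions are read.
$certs = foreach ($leaf in @($sig.SignerCertificate, $sig.TimeStamperCertificate)) {
    if (-not $leaf) { continue }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($leaf)
    $chain.ChainElements | ForEach-Object { $_.Certificate }
}

$endpoints = foreach ($cert in ($certs | Sort-Object Thumbprint -Unique)) {
    foreach ($ext in $cert.Extensions) {
        if (-not $oids.ContainsKey($ext.Oid.Value)) { continue }
        # Format() renders the extension as text with "URL=http://..." entries.
        foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(https?://\S+)')) {
            $hostName = ([uri]$m.Groups[1].Value).Host
            $ips = try {
                [System.Net.Dns]::GetHostAddresses($hostName).IPAddressToString -join ', '
            } catch { 'unresolved' }
            [pscustomobject]@{
                Certificate = $cert.GetNameInfo('SimpleName', $false)
                Extension   = $oids[$ext.Oid.Value]
                Url         = $m.Groups[1].Value
                Addresses   = $ips
            }
        }
    }
}

$endpoints | Sort-Object Url -Unique | Format-List
```

Compare the Addresses values with the destinations in the firewall log; CDN-fronted names such as the one in the nslookup output can return different addresses over time.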

and it is a bit strange that Windows is reporting asn1editor as the application which tries to establish the connection. I would expect that the asn1editor signature should be verified by the operating system, and some process of the operating system should try to establish the connection, and not the application itself


From: Antanas Živatkauskas @.> Sent: Tuesday, March 19, 2024 19:35 To: PKISolutions/Asn1Editor.WPF @.> Subject: Re: [PKISolutions/Asn1Editor.WPF] Remote IP connection attempts each time upon opening the file to be analysed or edited (Issue #39)

thank you very much for the explanation.

there is a small detail regarding "signature validation function tries to validate the signature every time you run editor."

I have double-checked what is happening after opening the application and it seems that the trigger is not opening the application, but opening the file. In the video which I made this cannot be seen as there were other events from the moment the application was opened and the moment the file was opened.



sekmadienis avatar Mar 19 '24 17:03 sekmadienis

> I have double-checked what is happening after opening the application and it seems that the trigger is not opening the application, but opening the file.

Unfortunately, your video doesn't prove this. You opened Event Viewer, then verified the signature (which immediately resulted in new events in the event log), then started the application and then opened the file. Only after that did you refresh Event Viewer. There is no proof that any new event was created between the application startup and opening the file. You may need to check at what points events are generated. Like this:

  1. start editor, check if any network connection is made
  2. open file for decoding, check if any network connection is made
  3. open another file for decode, check if any network connection is made

This would be helpful to identify what can cause these connections.

> and it is a bit strange that Windows is reporting asn1editor as the application which tries to establish the connection.

Agree. The application itself doesn't check its own signatures. However, it can be part of the .NET runtime when the application performs lazy reference library loading: the application loads dependencies (DLLs) on demand, when the call stack contains code from an external file. But it is just a guess.


The only thing we know for sure -- these requests are related to digital signature validation and not part of application code. I can try to explain what causes these network connections, but not remediate them.

Crypt32 avatar Mar 20 '24 13:03 Crypt32

The only thing I can think of -- late SysadminsLV.Asn1Parser.dll loading. To confirm this, try to run the application, but do not open a file for decoding in the main window. Instead, open the Converter dialog, paste sample cert content as PEM and then click the Validate button:

image

this should trigger network connections. After that, no further connections should be made.

Crypt32 avatar Mar 21 '24 10:03 Crypt32

the connection is triggered just by opening the Converter ...

as I wrote earlier, connections are attempted until they are allowed through Windows Firewall (outbound). If I allow the connection to succeed, no more attempts are made on subsequent actions (opening file, opening Converter)



sekmadienis avatar Mar 21 '24 12:03 sekmadienis

> the connection is triggered just by opening the Converter ...

Yeah, then these connections are indeed triggered when the application [lazily] loads the SysadminsLV.Asn1Parser.dll dependency using an implicit System.Reflection.Assembly.Load* call. And this call triggers signature validation since the module being loaded is digitally signed. Unfortunately, I can't do anything here because I don't own Microsoft code. Shipping unsigned binaries is not an option.

Crypt32 avatar Mar 21 '24 12:03 Crypt32