This is the 2nd occurrence of strange entries in my proxy logs within a few days (comments below):

***********************************************
10* - - [28/May/2004:14:09:17 +0200] "GET http://delivery.inet-traffic.com/inetdl.exe HTTP/1.0" 200 247544 TCP_REFRESH_HIT:DIRECT
10* - - [28/May/2004:14:09:19 +0200] "GET http://crl.thawte.com/ThawteServerCA.crl HTTP/1.0" 200 243691 TCP_CLIENT_REFRESH_MISS:DIRECT
***********************************************

And from another workstation's IP:

***********************************************
10* - - [25/May/2004:16:42:35 +0200] "GET http://www.mt-download.com/MediaTicketsInstaller.cab HTTP/1.0" 200 78402 TCP_MISS:DIRECT
10* - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawtePremiumServerCA.crl HTTP/1.0" 200 852 TCP_CLIENT_REFRESH_MISS:DIRECT
10* - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawteCodeSigningCA.crl HTTP/1.0" 200 8613 TCP_CLIENT_REFRESH_MISS:DIRECT
***********************************************

Here are the questions I am wondering about:

1) What are those .crl files used for? Are they used by [spy/ad]ware for some reason I ignore? Maybe they could be used to "corrupt" the actual browser's certs? This would be serious... Say some spyware changes the certs of banks and modifies [/etc/hosts or lmhosts]... Or maybe they are used for something else I am not thinking of... I did not see HTTPS traffic (no CONNECT) near these events in the logs.

2) I cannot believe this is a coincidence, as it has occurred twice within a few days. The [spy/ad]ware download and the cert retrieval definitely seem related. Has anyone noticed the same behaviour?

The URLs above are real, and those files can easily be downloaded and tested. I thought I'd post this information on this list, in case others have noticed stuff.

Vincent
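As an added example that is not part of the original post: a small Python script that parses proxy log lines in the httpd-style format shown above and, per client, pairs an executable or .cab download with any .crl fetch that follows it within a short window, so such sequences can be surfaced for review rather than spotted by eye. The log lines below are constructed samples modelled on the post's entries (the client addresses 10.0.0.x and the window of 10 seconds are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the entries in the post; client IPs are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [28/May/2004:14:09:17 +0200] "GET http://delivery.inet-traffic.com/inetdl.exe HTTP/1.0" 200 247544 TCP_REFRESH_HIT:DIRECT
10.0.0.5 - - [28/May/2004:14:09:19 +0200] "GET http://crl.thawte.com/ThawteServerCA.crl HTTP/1.0" 200 243691 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.7 - - [25/May/2004:16:42:35 +0200] "GET http://www.mt-download.com/MediaTicketsInstaller.cab HTTP/1.0" 200 78402 TCP_MISS:DIRECT
10.0.0.7 - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawtePremiumServerCA.crl HTTP/1.0" 200 852 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.7 - - [25/May/2004:16:42:36 +0200] "GET http://crl.thawte.com/ThawteCodeSigningCA.crl HTTP/1.0" 200 8613 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.9 - - [25/May/2004:16:50:00 +0200] "GET http://crl.thawte.com/ThawteCodeSigningCA.crl HTTP/1.0" 200 8613 TCP_CLIENT_REFRESH_MISS:DIRECT
10.0.0.9 - - [25/May/2004:17:10:00 +0200] "GET http://example.test/page.html HTTP/1.0" 200 1200 TCP_MISS:DIRECT
"""

# client - - [timestamp] "METHOD url PROTO" status bytes cache-result
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<result>\S+)'
)

INSTALLER_EXTS = (".exe", ".cab", ".msi")  # assumed set of "installer-like" downloads
CRL_EXT = ".crl"


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def url_path(url):
    """Strip scheme, host and query string so extension checks see only the path."""
    path = re.sub(r"^[a-z]+://[^/]+", "", url, flags=re.I)
    return path.split("?", 1)[0].lower()


def correlate(log_text, window_seconds=10):
    """For each successful installer download, collect CRL fetches by the same client
    within window_seconds. Returns a list of {client, download, crls, first_delta_s}."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 200:
            by_client[rec["client"]].append(rec)

    hits = []
    for client in sorted(by_client):
        recs = sorted(by_client[client], key=lambda r: r["ts"])
        for i, dl in enumerate(recs):
            if not url_path(dl["url"]).endswith(INSTALLER_EXTS):
                continue
            crls, first_delta = [], None
            for later in recs[i + 1:]:
                delta = (later["ts"] - dl["ts"]).total_seconds()
                if delta > window_seconds:
                    break  # records are time-sorted, nothing later can be in the window
                if url_path(later["url"]).endswith(CRL_EXT):
                    crls.append(later["url"])
                    first_delta = delta if first_delta is None else first_delta
            if crls:
                hits.append({"client": client, "download": dl["url"],
                             "crls": crls, "first_delta_s": first_delta})
    return hits


if __name__ == "__main__":
    for h in correlate(SAMPLE_LOG):
        print(f'{h["client"]}: {h["download"]} followed by {len(h["crls"])} CRL fetch(es) '
              f'after {h["first_delta_s"]:.0f}s: {", ".join(h["crls"])}')
```

The lone CRL fetch from 10.0.0.9 is not reported because no installer download precedes it within the window; the output is a list of candidate pairs for a human to look at, not a verdict on the traffic.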