Inability to authenticate hits us right where it hurts - security!

[Guest]

[Melih]

Inability to authenticate hurts us

please feel free to share your views with us.

thanks

Melih

[gibran]

Authentication through diigital signing sure it opens many new possibilities.

It's too bad that many end users don't know much about that nor how to use digital signature to check software integrity.

With a digital signature it is possible to confirm both the developer and validate the software against tampering and it provide much more reliable info about developers than a normal Version Info tab.

Adding digital signature support in security software is the way to go not only to create a list of trusted vendors but also a list of untrusted ones (eg to use it for parental control purposes).

Most of these rogue developers don't even bother to digitally sign their apps since that would mean to let everyone know their real address.
Thus this  will often be enough to confirm that an application was built by a legit developer.

Usually almost all software installer has to be digitally signed in order to get Windows Logo Seal.

[LaserWraith]

Ok, this is a bit  , but I wanted to say it:

The title, or whatever the text is called that shows on the browser tab, of Melih's website is in all CAPs, which makes it look like one of those attacker sites.  I know Melih is a security guy, so this is just a comment to make his website not seem like a "bad guy's" site.

[tukapua]

when i brought this pc i asked my isp for an antivirus and they sent me the link to free macafee which worked for about a month then i found that it was always going down, so i eventually deleted the whole suite. now i had no protection, then i remembered an it guy sayin he thought comodo was pretty good
 so i put comodo in my browser and up it came offering free service. now
 im uncertain if its comodos doin, but my pc is goin like a rocket now!!! and i have a very limited broadband program which slows to dial up very quickly. so far it is still loading stuff at breakneck speed and im crossing everything in the hope that it really is comodos doing and not my broad band. anyway even if it is broadband i am really glad i have comodo as my pc's protection. thank you melih!
 

[Melih]

when i brought this pc i asked my isp for an antivirus and they sent me the link to free macafee which worked for about a month then i found that it was always going down, so i eventually deleted the whole suite. now i had no protection, then i remembered an it guy sayin he thought comodo was pretty good
 so i put comodo in my browser and up it came offering free service. now
 im uncertain if its comodos doin, but my pc is goin like a rocket now!!! and i have a very limited broadband program which slows to dial up very quickly. so far it is still loading stuff at breakneck speed and im crossing everything in the hope that it really is comodos doing and not my broad band. anyway even if it is broadband i am really glad i have comodo as my pc's protection. thank you melih!
 

We care when we code our programs. We make sure to provide the most efficient and high performance code possible and hence you are seeing the benefit you are!

Our users deserve nothing less!

Melih

[00hmh]

Melih,

What's the story on the linked problem with certificate resellers?

http://benjamin.smedbergs.us/blog/2008-12-24/how-to-disable-the-comodo-root-certificate-in-firefox/

Whether it is truly a problem or not, many tech savvy people have come across this.  I noticed it in Steve Gibson's GRC newsgroups, and found this link there.  I would expect Comodo to respond publicly to these reports and at least have a company response available online to get the other side of the story out.   If you have done so, please post the link.

[The Joker]

And here http://blog.mozilla.com/rob-sayre/2008/12/24/dismay/ they talk about COMODO fiasco!

[Melih]

One of our resellers had an issue in their system. We take this very seriously . We acted quickly and revoked the cert, we have suspended the reseller account, we are re-doubling our auditing and re-evaluating our procedures.  We are not the first to suffer in the hands of DV certs ( DV certs are not for ecommerce)(there simply is no standard for these kind of certs) and we won't be the last until a standard setup for DV certs. As it happens Comodo put forward a new proposal for a minimum standard for DV certs on 2nd of Dec 2008 (just few weeks ago) to the cabforum (the org that I initiated in 2005). As you all know, CABForum created the EV SSL standard for high assurance SSL certs called EV SSL (which creates a ceiling for high assurance validation) but there is no standard for where the floor should be for lower assurance certs like DV certs.

We hope this latest event will act as a catalyst to unite the industry and come up with a minimum standards for DV certs. DV certs have no place in the world of Ecommerce. Minimum standard for DV certs is well overdue! We owe it to our users!

Melih

[SiberLynx]

Hi Guys,

That is an interesting and important issue to discuss.

Apart from authentication and alleged “fiasco” I would make a short note regarding Digital Signature issue raised by gibran

It's too bad that many end users don't know much about that nor how to use digital signature

… indeed and absolutely True…

At the same time it looks like that the way it is implemented, maintained, used and so on... it does not provide much.
Just grab Autoruns from SysInternals (now it belongs to Microsoft); check “Verify code signature”; hit Refresh and enjoy “Not verified” in the list. The most of items (a lot!) will be from Microsoft. And who had any doubts about that one ? .
I am sure you will find some important security software you are using and other important “pieces of code” unsigned too. Comodo is fine in this respect 
 
Probably

Adding digital signature support in security software is the way to go…

but it seems that currently it doesn’t make a lot of sense. The approach, implementation and the way it somehow can help end user from security point of view should be completely re-designed, probably from the scratch. Another way to go?

Cheers

[Melih]

unfortunately digital certificates are yet to find its right place in the digital world. It is totally under utilised and it has next to nothing in terms of validation standards. Apart from EV SSL (thanks to the committe i started in 2005).

Melih

[SiberLynx]

unfortunately digital certificates are yet to find its rightly place in the digital world. It is totally under utilised and it has next to nothing in terms of validation standards. Apart from EV SSL (thanks to the committe i started in 2005).
Melih

Thanks for response, Melih.

That's precisely what I was driving at (unfortunately)
Let's hope that will go through serious changes

Cheers!
Season's Greetings to you and yours and more success to the company!  (R)

[cbncom]

last year i got an MS Windows warning message that some program is making unauthorised copies of my files and programs; anti virus software is available; click to download etc. and viola. i downloaded a fake security patch that took control of my computer completely. it disabled my task manager, so i could no longer end tasks. it disabled my add/remove program option. it also froze my restore option in 'system restore' - the calender in the restore screen froze and i could never go back to an earlier version for restore! AND i could not edit my registry keys!!!

eventually after a lot of frustrated and wasted days and nights, I had to re-format the entire HD of 160 GBs, create new partitions and reinstall the OS, before getting my system to normalcy. It was a traumatic learning experience for me. if only i could have known that the MS Windows logo, in the warning message was fake !!!!. I could have avoided the nigtmare, and immensely been thankful to COMODO.

since then I tried various trial options of well known, branded (for the moment let them remain nameless) anti virus s/w downloaded from the internet. But they were more malicious than the malice they were supposed to fight, if you got on their wrong side!. i.e. at the end of the trial period, if you didnt buy them, then they would give more trouble than the virus / malware they eliminated (!). Add/remove program or Uninstal wouldn't work. They'll never go away. They would not also allow you to download / install another anti virus. Invariably one had to re-install the OS every time, to get rid rid of these 'high flying pests'.

that is when i discovered COMODO. It was like what they say Incredible but True. there was no trial period! and when they said free, it was FREE. Boy i couldnt beleive it. but i installed, tested, tried and now I swear by it. it was like a God Send to us. yes 'us' ; i have recommended it to so many friends and NOW they all swaer by it.  Thank you COMODO (L)

cbn pbn20081[at]gmail.com

[Melih]

thank you cbncom!

Fake AVs are one of the biggest problems of inability to authenticate a legitimate AV providers.

We are building even better security and usability with the next version of our products!

thank you

Melih

[Tags:]