SSP

[Guest]

[Xthink]

Winhelp

In my research I find Comodo's certificates far far more than anyone else ... I've been reporting on this issue since 2007, but Comodo just continues on as usual, blaming others, attacking the researchers, and uttering nonsense, but provides no solution.

Melih:

If you do pls tell us the percentages.  How many percent of the malware sites used Comodo certs vs other vendor`s certs.  You do NOT know this, if you did, you wouldn`t be doing what you are doing! Can you pls provide percentages to say that Comodo is not doing its part or even more that its fair share!

Is there any study/comparisson of malware sites using which vendor's cert?



Winhelp

Censored Thoughs,

re: but it doesn't look like you have proposed a solution either"

Why would I? ... it's not my area ... you should focus those comments to Comodo.

Not his job to PROPOSE (or even provide unbias idea) for a solution! His job is to descredit Comodo.

So what can we do to fight this?

1)We need to get a standard (yep.. there is NO STANDARD for issuing DV certs today) that mitigates fraudsters having access to this yellow padlock (nothing ever is 100%)

2)We all need to work together and report these sites so that they can be revoked quickly again limiting the damage. Common Computing Security Standard Website has a reporting form where this is fed to all CAs quickly. www.ccssforum.org/report.php . Please use this to report any maliciously used certificate so that it can be acted upon quicker.

Pls feel free to engage in a discussion (here or in Comodo forums) as to how we can make it safer for the end user. Again, Comodo stopping issuance doesn't make it safer, it might even end up with other CAs who might take much longer to revoke maliciously used certs. And a DV is a DV, yellow padlock indicator does not differentiate between vendors.. Users just see the yellow padlock and trust it.

Melih

The solution is not to pretend DV doesn't exist. The solution is to introduce a stringer standards for DV so its not easy for fraudster to obtain it and until that happens the solution is for everyone to report these sites to www.ccssforum.org/report.php   so that it can be acted on quickly.

Melih

Coming to now, Comodo has proposed a minimum standard to the CABForum for DV. Because today there is no standard for how to issue Yellow padlock. You see I believe a Certification Authority must Certify Identity, otherwise whats the point. So we are pushing for a standard, but we are getting resistance from the "DV Market Leaders" . Of course "DV Market Leaders" have Legal Monies to spend if browser people force a change on them. So it has be done amicably..but they resist!

So that's the story!

I think we need to educate users and get them to demand better standards from their browsers and be aware of DV certs (asking for too much but hey)..

We as Comodo will continue to push for minimum standards thru the CABForum and everyone should write to their Browser vendors and demand that they should improve the DV SSL standards.

Hope this clarifies, if not pls feel free to ask.

thanks

Melih

Melih/Comodo is doing their part.

That's what i undersdand from the whole blog (bias research?).

[Toggie]

The problem these people seem to have, is that Comodo issue certificates and they also supply security software. I and the majority, don't see a relationship between the two.

It's been said before, but I'll say it again, it's a petty vendetta against Comodo by a small insignificant group of so called security professionals. Nothing more and nothing less.

 

[Xthink]

If I understand it correct, certificate is just 1 way of securing the internet. It's just a part of the big internet security package. And not all security solutions of Comodo be it for desktop or enterprise are dependent on these certificates.

The reality: Malware sites have their way(s) of acquiring certificate(s) be it from Comodo (10% share of the market, from what I've read) or from any other vendors (90%).

If I'm using other security software from Comodo like CIS, isn't I'm more secure than just trusting the yellow padlock? A little safer at least.

My point is: Comodos providing other security softwares, especially CIS which is FREE, is a plus, and should be given credit.

[JamesFrance]

I tried to get a sensible discussion going at MRU, as I don't believe everyone there is so blinkered that they cannot look at this objectively.

Unfortunately one of those involved in the anti Comodo campaign kept posting against me and I was told to shut up by the Administrator, as I had been critical of Mike Burgess.   I have asked for that thread to be closed if I am not permitted to reply.

Having seen the latest on his blog, he is obviously determined to find something to attack Comodo about and will no doubt continue to do so.   His followers then copy his remarks on their own sites and encourage others to do the same as you can see here:
http://www.temerc.com/forums/viewtopic.php?f=10&t=6939

You will also see the suggestion not to recommend Comodo software which is likely to overload the Hijack This help forums even more than now.   Unfortunately those forums are rather incestuous and a few 'senior' members can have a lot of influence.

[Toggie]

Comodo really want to get rid of the padlock in it's current form. The problem is DV (Domain Validation - the blue bar) certificates really don't mean much. What Comodo wants, is better qualification of people requiring certificates. The problem is the other, bigger certificate authorities don't, yet, agree.

So these people picking only on Comodo for issuing certs to rouge sites  is way off target. It's been shown that Verisign (the biggest) has issued not one but two certificates to the same rouge site. Godaddy  too is not innocent by a long wag way, but these people seem focused only on Comodo.

It's really quite sad and not a little vindictive, but I guess they must do what they think is correct, even if ir is completely biased

[Toggie]

It's really funny, wherever you turn, it's the same 10 people posting the same remarks on each others blogs. It's really sad:

But I guess one has do do something to become an MVP, even if it is distorting the truth, or just regurgitating posts from myriad other blogs.

[Toggie]

I tried to get a sensible discussion going at MRU

Unfortunately, a lot of them are like children, fingers in ears, eyes closed and making La la sounds at the tops of their voices.

[Xthink]

I will try to register and post on that blog, though I think I can do nothing. If they don't acknowledge the opinion of knowledgeable others, how much more mine.

But it's my small way of saying Thank you very much Comodo.

[Toggie]

Thank you Xthink for showing your support

[Matty_R]

I found this line from someone called mystery to be somewhat odd!

Any now, any plans "against" Comodo?

And then they have the cheek to say it`s not a smear campaign.....

[Xthink]

The pleasure is mine. By using CIS, I already got more than what I'm giving in return.

[Xthink]

I found this line from someone called mystery to be somewhat odd!

And then they have the cheek to say it`s not a smear campaign.....

Now they are showing their true intention. It's not about security research as what they always claim.

[Melih]

Guys

We showed that

1)Mike Burgess hasn't got a clue about analysing malware sites as he missed the huge verisign cert on the website which he blogged about against Comodo. He only thought there was a comodo cert, but there were two certs! I had to point it out to him .

2)Mike Burgess..who claims to be a security professional was forwarding traffic from his MVP profile signature to malware sites for many months! Hmm.....good work Sherlock Holmes (Mr Burgess)... perhaps you should first analyse your own MVP Profile to find malware before you accuse anyone else! I mean how silly is that? Having your own profile signature pointing to Malware sites!! This in my opinion should certainly go down in history as the silliest security professional! Mike Burgess

3)The amazing Donna, who blatantly lied! Need I say more? I mean, publicly, openly LIED...

These are only few (very few) sad individuals. The only thing we can do is to feel sorry for them. They will cry, they will shout, they will attack.....but they change nothing! Because they have shown themselves to be nothing and nothing more than liars and incompetent so called security researchers! So lets all feel sorry for them and pray that their lives are not full of lies and injustice as they portray themselves to be.

Melih

[Toggie]

Mystery is MysteryFCM, he's another of the same clique. Has a blog and something to do with malwarebytes forum.

Obviously not much of a mystery as a five minute google will show...

[JamesFrance]

Oh that's the hpHosts guy.

[Tags:]