Author Topic: Hackers mostly are using free comodo certificates?!  (Read 4635 times)

Offline saviour83

Hackers mostly are using free comodo certificates?!
« on: July 26, 2017, 10:16:43 PM »
Netcraft has blocked phishing attacks on more than 47,500 sites with a valid TLS certificate between 1st January and 31st March 2017. 36% of these used valid Comodo certificates?!

https://news.netcraft.com/archives/2017/04/12/lets-encrypt-and-comodo-issue-thousands-of-certificates-for-phishing.html

Offline saviour83

Re: Hackers mostly are using free comodo certificates?!
« Reply #1 on: July 26, 2017, 10:33:26 PM »
"Certificate authorities Let’s Encrypt and Comodo were responsible for nearly all phishing sites with valid SSL/TLS certificates, according to a new analysis..."

https://www.cso.com.au/article/617612/let-encrypt-comodo-blamed-issuing-apple-paypal-phishing-ssl-certificates/

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #2 on: July 27, 2017, 01:51:48 AM »
Not very surprising.
Quote from: Netcraft
Let’s Encrypt and Comodo are attractive to fraudsters as both offer automated, domain-validated certificates at no cost to end users. Let’s Encrypt’s ACME protocol allows for free automated issuance, while Comodo offers no-cost certificates via its trial certificates, cPanel AutoSSL, and its Cloudflare partnership.
https://news.netcraft.com/archives/2017/04/12/lets-encrypt-and-comodo-issue-thousands-of-certificates-for-phishing.html
Ubuntu 17.04, 64-bit | Chrome 62β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help

Offline w-e-v

Re: Hackers mostly are using free comodo certificates?!
« Reply #3 on: July 27, 2017, 07:46:16 AM »
Interesting...

More interesting would be to know what is/has COMODO planning/planned to do, to stop this.

Offline saviour83

Re: Hackers mostly are using free comodo certificates?!
« Reply #4 on: July 27, 2017, 06:55:21 PM »
Quote from: w-e-v
Interesting...

More interesting would be to know what is/has COMODO planning/planned to do, to stop this.

Comodo should ask everyone who wants a certificate for an ID card, to be shown by uploading it to Comodo during registration. That will reduce the ways someone can misuse certificates for bad things, because they can be identified and judged by law.

Today I tried to find more and more lists from websites around the world to download, change and implement in Comodo web filtering, but web filtering does not work at all. It cannot block websites over https, only over http. This frustrated me badly.
On the one hand Comodo gives away free certificates to everyone without identification; on the other hand Comodo cannot block infected websites, phishing and malware sites with free Comodo certificates and others. Some websites use self-generated certificates, which in reality are dangerous to visit because the site can catch web history from the browser, bookmarks, saved passwords and other things and upload them to suspicious servers (phishing).

Here in the forum I found one post which says that Comodo DNS has not been updated for more than one year...
« Last Edit: July 27, 2017, 06:59:20 PM by saviour83 »

Offline SSL Guru

  • Retired Comodo Global Support Manager
Re: Hackers mostly are using free comodo certificates?!
« Reply #5 on: July 28, 2017, 05:50:12 AM »
Even an ID card (not necessarily available in all countries) would not be proof of identity.

And would you need to validate the ID before the certificate is issued? .... Not DV if you do.

I imagine anyone producing a phishing site would also provide a fake ID.

What I think Comodo want is DV certificates to be downgraded to unsecured by the browsers.
This would then give people a visible indication of a minimally validated certificate in use.
“You have to be odd to be number one”
Dr. Seuss

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #6 on: July 28, 2017, 09:44:09 AM »
Quote from: SSL Guru
What I think Comodo want is DV certificates to be downgraded to unsecured by the browsers.

That would mean that at least 70 % of all secured sites would be “unsecured”. In other words, “unsecured” would be the norm. Will people care? No. Will people care when the connection is really not secure, if “unsecured” is the norm they are used to? No.
Warning fatigue.

Offline Dennis2

Re: Hackers mostly are using free comodo certificates?!
« Reply #7 on: July 28, 2017, 02:13:35 PM »
Quote from: JoWa
That would mean that at least 70 % of all secured sites would be “unsecured”. In other words, “unsecured” would be the norm. Will people care? No. Will people care when the connection is really not secure, if “unsecured” is the norm they are used to? No.
Warning fatigue.

As they do not really prove anything, you cannot really call it a secure website.

Maybe a different colour to say that they could possibly be a fake website, thereby warning the user to check.

Dennis
Moderator: Aims Forum a friendly place. Any concerns? Please PM me and/or review the Forum Policy 2012Updated.
System: Fedora 25 x64, APF, HTTPS Everywhere, ABP
Centos-6.8 x32, APF, HTTPS Everywhere, ABP


Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #9 on: July 28, 2017, 02:51:32 PM »
Quote from: Dennis2
As they do not really prove anything, you cannot really call it a secure website.

Maybe a different colour to say that they could possibly be a fake website, thereby warning the user to check.

Dennis

If the certificate is valid, and the TLS-configuration is “modern”, the connection is secure/private. That is not to say that the site should be trusted. The security mentioned is required for trust, but may not be enough for trust, depending on what you do on the site. In some cases you probably want to know (see a verification of) that you are actually on your bank’s site, for example.

Since both OV- and EV-certificates include the owner’s name (O), I think browsers should show that information in the URL-bar for both OV and EV. DV does not have such information to show, which is in a way an indicator of lower trustworthiness.
Ubuntu 17.04, 64-bit | Chrome 62β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help
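
The distinction drawn in the post above (OV and EV certificates carry the owner's name (O) in the subject, DV certificates do not) can be checked in code. This is an added example, not part of the original thread: it uses Python's standard `ssl` module, the sample certificates are constructed, and the EV test is a heuristic on subject fields rather than the certificate-policy checks browsers perform.

```python
import socket
import ssl

# Subject attributes that EV certificates carry in addition to O.
# Key names are assumed to be the long names OpenSSL reports via getpeercert().
EV_ONLY_ATTRS = {"businessCategory", "jurisdictionCountryName", "serialNumber"}


def subject_attrs(cert):
    """Flatten the nested 'subject' tuple from getpeercert() into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def validation_level(cert):
    """Return (level, organisation); level is 'DV', 'OV' or 'EV' (heuristic)."""
    attrs = subject_attrs(cert)
    org = attrs.get("organizationName")
    if org is None:
        return "DV", None  # no owner name: only control of the domain was validated
    if EV_ONLY_ATTRS.issubset(attrs):
        return "EV", org
    return "OV", org


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the verified peer certificate of a live server (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() format (not real sites).
SAMPLE_DV = {"subject": ((("commonName", "forum.example.org"),),)}
SAMPLE_OV = {"subject": ((("countryName", "SE"),),
                         (("organizationName", "Example Mail AB"),),
                         (("commonName", "mail.example.se"),))}
SAMPLE_EV = {"subject": ((("businessCategory", "Private Organization"),),
                         (("jurisdictionCountryName", "US"),),
                         (("serialNumber", "0000000"),),
                         (("countryName", "US"),),
                         (("organizationName", "Example Pay, Inc."),),
                         (("commonName", "www.pay.example"),))}

if __name__ == "__main__":
    for cert in (SAMPLE_DV, SAMPLE_OV, SAMPLE_EV):
        print(validation_level(cert))
```

For a live site, `validation_level(fetch_cert("hostname"))` returns the same pair; the organisation string is what the post suggests browsers show in the URL-bar.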

Offline Melih

  • CEO - Comodo
Re: Hackers mostly are using free comodo certificates?!
« Reply #10 on: July 28, 2017, 05:45:43 PM »
Quote from: JoWa
If the certificate is valid, and the TLS-configuration is “modern”, the connection is secure/private.......

I disagree with the above statement that the "Connection is secure/private".

Secure from who?

Your answer will be: from prying eyes.

My answer will be: how do you know the recipient is not the same person as the one you are trying to avoid?

Your answer has to be: I don't know...

My answer will then be: If there is a chance that the recipient can be the very person you are trying to avoid, how can you call it "secure or private"?

Your answer will be: .........

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #11 on: July 29, 2017, 02:55:49 AM »
“Secure from who?” Secure from any third party, making it impossible for a third party to read the data in transit, or to tamper with it.

“how do you know the recipient is not the same person as the one you are trying to avoid?” The same person? If I want to share information securely with “DV-site.org”, there are 7,5 billion people I want to avoid sharing it with, and 7,5 billion people I don’t want to be able to tamper with the data. Anyone but “DV-site.org” I want to avoid. Being able to do so is worth a lot to me. I log in on forums with a DV-certificate every day, and am glad that my login credentials are secure and private in transit, and that third parties can not monitor my activities on those sites.

What do I know about the site/forum where I log in, if it has a DV-certificate? I only know the URL/domain, and keep an eye on it.

Next I log in on a typical email site. It has an OV-certificate. Looks just like DV in my browser. Only if I open the certificate viewer can I see the difference. Does the average user ever open the certificate viewer? Of course not. How, then, is OV better than DV?

As I said in my previous post, I think (O) should be visible in the URL-bar for both OV and EV. I know Dragon now does so, using Chrome’s new EV-indicator for OV, and Chrome’s old EV-indicator for EV (if I remember rightly). A bit confusing, perhaps, and not standardised in any way. That is an exception, as in most browsers DV and OV look the same, and EV is different.

Mobile browsers? Even worse. At least in Chrome on Android, DV, OV and EV look the same. And mobile phones are the leading browsing platform.

Related: https://forums.comodo.com/-t115970.0.html

Offline Melih

  • CEO - Comodo
Re: Hackers mostly are using free comodo certificates?!
« Reply #12 on: July 29, 2017, 10:53:05 AM »
lol.....

how do you know the recipient is not the "any third party"?

How do you know the recipient is not one of the 7.5b people you want to avoid?

You are confusing key with key holder....who is the key holder? Do you know who that person is?

Offline SSL Guru

  • Retired Comodo Global Support Manager
Re: Hackers mostly are using free comodo certificates?!
« Reply #13 on: July 29, 2017, 12:05:05 PM »

For me......I don't believe DV should exist in an internet security arena.

And that's mainly for the reasons Melih is outlining in this thread.

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #14 on: July 29, 2017, 12:08:35 PM »
If I am the first party, the site I choose to connect to is the second party, and all third parties are left out.

I’m not confusing key with key holder. I’m talking about the site rather than the owner of the site (one does not connect to a person or an organisation, but to a server hosting a site). If one of the forums I log in to would upgrade from DV to OV, and I would be able to see that the site is owned by some Sven Svensson in Sweden, how does that make anything any better? There are one thousand Sven Svensson in Sweden. Can I trust them all? Why should I trust any one of them without knowing them? Or should I trust only sites run by registered organisations with a known address?

If I go to sites.google.com/site/somethingveryfunny, it has an OV-certificate, and I can see that the domain belongs to Google Inc (if I bother to open the certificate viewer), but somethingveryfunny is created by someone else. Should I trust the someone else, if I happen to trust Google Inc?

This forum has an EV-certificate. Excellent, but what does that mean, when Comodo CA has been validated by itself (Comodo CA)?

I think your reasoning makes most sense when someone goes to a site it did not intend to, like your example with PayPal in your article. To be fooled by that phishing site, which has a URL very different from PayPal’s, the user must not pay any attention to the URL, which means no attention to the URL-bar, where the security indicator is. It is then likely that the user will not miss the missing PayPal, Inc. [US].

 
