Author Topic: Hackers mostly are using free comodo certificates?!  (Read 4428 times)

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14588
    • Video Blog
Re: Hackers mostly are using free comodo certificates?!
« Reply #15 on: July 29, 2017, 03:38:08 PM »
You are comparing apples with oranges...
"site" is a domain....."Third parties" are all People....

You have to compare the "key holder of the site" with "Third parties"...

I am not talking about value of OV or EV.
I am merely talking about the process of DV cannot be called "Secure Connection" or even "Encryption". So let's focus on DV process discussion.

So do you know the person who ends up with your data in a DV process?
Here is an example: You connected to a brand new site...using DV....you sent them your data encrypted using DV. Do you know the person who received it?
Answer is NO.
Do you know if this person is not the same person as the one you were trying to avoid?
Answer is NO.
Hence you cannot attribute "ANY" positive indicator to DV process. You can't even call it "Encrypted"....You can say data is "Enciphered"...but NOT encrypted!

I wrote about this conundrum in this blog https://www.melih.com/2017/07/19/to-indicate-or-not-to-indicate-a-devilish-question/  Hope you can find time to read it.

Offline w-e-v

  • Star Group
  • Comodo's Hero
  • *****
  • Posts: 1498
  • BETA FORCE MEMBER
Re: Hackers mostly are using free comodo certificates?!
« Reply #16 on: July 29, 2017, 05:00:51 PM »
I get Melih's point with DV. Just because a site is encrypted doesn't mean your submitted data is secure. After all, the thief could have enrolled for a DV certificate and made you think you are on PayPal's website (or any other website you use every day).

Hence it should not be treated as secure as the OV or EV certificates, it should be treated as neutral.

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #17 on: July 29, 2017, 05:32:01 PM »
Can you even call it "Encrypted"?

Because the definition of Encryption is: "encryption is the process of encoding a message or information in such a way that only authorized parties can access it"
https://en.wikipedia.org/wiki/Encryption

Because Encryption process is not complete, because you can't guarantee "only authorized parties can access it".....can it be called "Encrypted"?

or is it simply "enciphered"? "To encipher or encode is to convert information into cipher or code".


Offline milldogtjm

  • Newbie
  • *
  • Posts: 24
  • I am an IT student learning how to fix computers.
Re: Hackers mostly are using free comodo certificates?!
« Reply #18 on: July 29, 2017, 08:03:45 PM »
> Can you even call it "Encrypted"?
>
> Because the definition of Encryption is:"encryption is the process of encoding a message or information in such a way that only authorized parties can access it"
> https://en.wikipedia.org/wiki/Encryption
>
> Because Encryption process is not complete, because you can't guarantee "only authorized parties can access it".....can it be called "Encrypted"?
>
> or is it simply "enciphered"? "To encipher or encode is to convert information into cipher or code".

For example, a MITM attack could be introduced into the equation, and with this added then (JoWa) your worriment of being eavesdropped upon comes true. Also all encryptions can be broken or bypassed over time even if their keys are the highest you can make them.

Offline JoWa

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 5229
  • I believe in doubt.
    • Evolutionary history of life
Re: Hackers mostly are using free comodo certificates?!
« Reply #19 on: July 30, 2017, 02:36:04 AM »
> So do you know the person who ends up with your data in a DV process?
> here is an example: You connected to a brand new site...using DV....you sent them your data encrypted using DV. Do you know the person who received it?
> Answer is NO.
> Do you know if this person is not the same person as the one you were trying to avoid?
> Answer is NO.
> Hence you cannot attribute "ANY" positive indicator to DV process. You can't even call it "Encrypted"....You can say data is "Enciphered"...but NOT encrypted!
>
> I wrote about this conundrum in this blog https://www.melih.com/2017/07/19/to-indicate-or-not-to-indicate-a-devilish-question/  Hope you can find time to read it.

For DV, what I see in the certificate is the domain(s). For OV and EV, usually the name of an organisation.

Like Shakespeare, we should ask “What’s in a name?”.

If I see Comodo CA Ltd [GB] in the certificate, I still don’t know the person I am communicating with. Is it you, the CEO, or a server administrator? Comodo CA is part of Comodo Group, with more than one thousand employees.

If I see Google Inc, is it Sundar Pichai I am communicating with, or one (or more) of the 57 thousand employees? I have no idea.

If we look at one of the forums I mentioned before, it is a local Ubuntu community in Sweden. The domain is owned by Canonical. Is it Canonical’s name you want to see in the certificate? No one at Canonical controls the server. One member of the local community does, our current server administrator. I know who he is and can contact him. Is it his name you want to see in the certificate? Will you feel more secure visiting our site/forum if you see the name of a person you don’t know anything about in the certificate?

Thanks for the link. That is the article I referred to in my previous post.
Ubuntu 17.04, 64-bit | Chrome 62β | HTTPS Everywhere | Privacy Badger
Forum Policy | Comodo Product Help
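
The difference described in the reply above (domains only in a DV certificate, an organisation name in OV and EV) can be read from the certificate's subject fields. The following is an added example, not part of any forum post: a heuristic classifier over the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns. The sample certificates, all names in them and the helper functions are constructed; the authoritative signal, the certificate policy OID, is not exposed in that dict, so the subject fields are used as an assumption-based stand-in.

```python
# Added example: heuristic DV/OV/EV check on the dict shape returned by
# ssl.SSLSocket.getpeercert(). All sample certificates below are constructed.

# Subject attributes that normally appear only in EV certificates
# (the second entry is jurisdictionCountryName shown as a raw OID).
EV_FIELDS = {"businessCategory", "jurisdictionCountryName",
             "1.3.6.1.4.1.311.60.2.1.3"}

def subject_fields(cert):
    """Flatten the nested RDN tuples of cert['subject'] into a dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}

def validation_level(cert):
    """Return 'DV', 'OV' or 'EV' based on which subject fields are present."""
    fields = subject_fields(cert)
    if "organizationName" not in fields:
        return "DV"   # only the domain was validated
    if EV_FIELDS.intersection(fields) and "serialNumber" in fields:
        return "EV"   # registration details of a legal entity are present
    return "OV"

def summarise(cert):
    """What a user can actually learn from the certificate."""
    fields = subject_fields(cert)
    return {
        "level": validation_level(cert),
        "domains": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
        "organisation": fields.get("organizationName"),  # None for DV
    }

DV_CERT = {"subject": ((("commonName", "dv-site.org"),),),
           "subjectAltName": (("DNS", "dv-site.org"), ("DNS", "www.dv-site.org"))}
OV_CERT = {"subject": ((("countryName", "SE"),),
                       (("organizationName", "Example Org AB"),),
                       (("commonName", "forum.example.org"),)),
           "subjectAltName": (("DNS", "forum.example.org"),)}
EV_CERT = {"subject": ((("jurisdictionCountryName", "GB"),),
                       (("businessCategory", "Private Organization"),),
                       (("serialNumber", "00000000"),),
                       (("organizationName", "Example Bank Ltd"),),
                       (("commonName", "www.example-bank.test"),)),
           "subjectAltName": (("DNS", "www.example-bank.test"),)}

if __name__ == "__main__":
    for cert in (DV_CERT, OV_CERT, EV_CERT):
        print(summarise(cert))
```
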

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #20 on: July 30, 2017, 02:51:35 AM »
> Can you even call it "Encrypted"?
>
> Because the definition of Encryption is:"encryption is the process of encoding a message or information in such a way that only authorized parties can access it"
> https://en.wikipedia.org/wiki/Encryption
>
> Because Encryption process is not complete, because you can't guarantee "only authorized parties can access it".....can it be called "Encrypted"?
>
> or is it simply "enciphered"? "To encipher or encode is to convert information into cipher or code".

Let’s see if I understand authorised rightly.

When I go to a site, I authorise it to exchange information with me. Right? I always go to a site, not to a person or organisation. It’s also not a person who encrypts and decrypts the data.

I go to “DV-site.org”, we shake hands, saying “ClientHello” and “ServerHello”, and “let’s establish a secure connection using the best mutually supported cipher suite”, and so we do (we chose TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), and I can see “DV-site.org”, a site authorised by me, in the certificate. Now, the communication between my computer and the server hosting the site is perfectly encrypted with a modern cipher suite.

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #21 on: July 30, 2017, 10:08:44 AM »
In order to keep the focus....my argument is about DV not deserving a "positive indicator"...
Are you claiming DV does deserve an indicator?

Also: 2 questions for you pls with yes/no answers.

1) Do you agree with this definition of Encryption? https://en.wikipedia.org/wiki/Encryption : encryption is the process of encoding a message or information in such a way that only authorized parties can access it

2) Do you agree that with DV process we do not know who is receiving our data?

(please keep the discussion to just DV process as it becomes unmanageable to discuss about all the problems about everything if you bring everything else, I am more than happy to discuss other issues once we solve the DV issue as it will create the foundation for the discussion).

Btw: If you define what "Identity" is in legal terms, it will help the understanding. You clearly differentiated between Identity and site with your following statement
"When I go to a site, I authorise it to exchange information with me. Right? I always go to a site, not to a person or organisation.". You accept both a person and organization is "identity" vs just domain name. These are discussions we can have after you answer the above questions pls.

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #22 on: July 30, 2017, 12:47:06 PM »
> in order to keep the focus....my argument is about DV not deserving a "positive indicator"...
> are you claiming DV does deserve an indicator?

Yes, for what it does (keeps data private between two ends, client and server). OV may well have a different indicator, more like EV.

> Also: 2 questions for you pls with yes/no answers.
>
> 1)do you agree with this definition of Encryption? https://en.wikipedia.org/wiki/Encryption :encryption is the process of encoding a message or information in such a way that only authorized parties can access it

Yes, with the understanding of authorised described above. My computer and the server it’s connected to are the two authorised parties.

> 2)Do you agree that with DV process we do not know who is receiving our data?

We do not know what person(s) have access to the server and the information it receives. (When do we know that?)

> (please keep the discussion to just DV process as it becomes unmanageable to discuss about all the problems about everything if you bring everything else, I am more than happy to discuss other issues once we solve the DV issue as it will create the foundation for the discussion).
>
> Btw: If you define what "Identity" is in legal terms, it will help the understanding. You clearly differentiated between Identity and site with your following statement
> "When I go to a site, I authorise it to exchange information with me. Right? I always go to a site, not to a person or organisation.". You accept both a person and organization is "identity" vs just domain name. These are discussions we can have after you answer the above questions pls.

A site is not a legal identity, it’s just software on a server. A person is, if we have its full name and personal identity number (whatever that may be called in other countries). For an organisation the corresponding number (organisationsnummer in Swedish) would be required.

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #23 on: July 30, 2017, 03:16:22 PM »
> Yes, for what it does (keeps data private between two ends, client and server).

Keep it "private" from whom?

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #24 on: July 30, 2017, 04:06:29 PM »
From anyone who might be trying to read and/or tamper with the data being transported between the client and the server.

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #25 on: July 30, 2017, 04:15:50 PM »
> From anyone who might be trying to read and/or tamper with the data being transported between the client and the server.

How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?

Offline JoWa

Re: Hackers mostly are using free comodo certificates?!
« Reply #26 on: July 31, 2017, 12:25:18 AM »
Do I ever know that?

> Of course if I am logging onto my mail server and I know the URL/IP address (where a pre-established trust exists between me and the URL/IP) I might not need authentication but just encryption. You see in reality you will always need Authentication for encryption, but sometimes that authentication is Pre-established. In cases where "authentication" is pre-established, all you need is just encryption.

So, for the forums with DV-certificates where I log in frequently, the pre-established trust is authentication enough?

And to return to your article, is the real problem DV, or is it that a person who enters its login credentials on what looks like a PayPal-site, but has a totally different URL, did not look at the URL-bar at all, not noticing the incorrect URL and the missing EV-indicator?

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #27 on: July 31, 2017, 09:34:33 AM »
Again, if you answer the question we can progress the discussion.

How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?

Offline Sanya IV Litvyak

  • Comodo's Hero
  • *****
  • Posts: 4212
  • Lurking
Re: Hackers mostly are using free comodo certificates?!
« Reply #28 on: July 31, 2017, 01:15:14 PM »
> How do you know the person who is trying to read/tamper with the data is not exactly the same guy who is receiving your data? Do you know?

Can you clarify your question with an example? With my current understanding of the question, the same issue applies to every other certificate as well, so I must not understand the question correctly.
I support privacy and freedom online - eff.org

Offline Melih

Re: Hackers mostly are using free comodo certificates?!
« Reply #29 on: July 31, 2017, 01:18:34 PM »
> Can you clarify your question with an example? With my current understanding of the question, the same issue applies to every other certificate as well, so I must not understand the question correctly.

I wrote extensively in my blog.

 
