Author Topic: Shame on you, Comodo!  (Read 92383 times)

Offline joepie91

  • Newbie
  • *
  • Posts: 3
Re: Shame on you, Comodo!
« Reply #60 on: June 25, 2016, 07:59:47 PM »
Quote
A CA's job is not merely to validate (heck, there is no validation in DV certs!) and issue a cert

Yes, there is. You validate that the requester owns the domain, through any of a number of ways - in other words, you are validating the domain, exactly like the name suggests. If you're not doing that, there's a problem with your infrastructure.

Quote
but the whole lifecycle of the cert that includes revocation.

Revocation is used for falsely issued certificates (e.g. if the validation process turned out to be broken), and for compromised certificates (initiated by the certificate requester). Those are the only purposes of revocation in the CA model, as designed. The CA has absolutely nothing to do with what the certificate is used for, as also confirmed by, for example, the CA/Browser Forum's EV guidelines, which were quoted earlier by My1.

Quote
CAs run the PKI infrastructure, validation is only one part of it.

CAs only run their PKI infrastructure, for their slice of the pie. That's completely irrelevant to content-policing.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Shame on you, Comodo!
« Reply #61 on: June 25, 2016, 08:08:35 PM »
Quote
Yes, there is. You validate that the requester owns the domain, through any of a number of ways - in other words, you are validating the domain, exactly like the name suggests. If you're not doing that, there's a problem with your infrastructure.

Revocation is used for falsely issued certificates (e.g. if the validation process turned out to be broken), and for compromised certificates (initiated by the certificate requester). Those are the only purposes of revocation in the CA model, as designed. The CA has absolutely nothing to do with what the certificate is used for, as also confirmed by, for example, the CA/Browser Forum's EV guidelines, which were quoted earlier by My1.

CAs only run their PKI infrastructure, for their slice of the pie. That's completely irrelevant to content-policing.

1) You are wrong about Domain Validation: CAs do NOT "validate the requester owns the domain" as you wrongly claim. CAs only check if the requester has "control" of the domain. This "requester" could be the hacker who is controlling the domain, and they would still get a certificate.

2) CABforum guidelines:) https://en.wikipedia.org/wiki/CA/Browser_Forum

Offline joepie91

  • Newbie
  • *
  • Posts: 3
Re: Shame on you, Comodo!
« Reply #62 on: June 25, 2016, 08:12:08 PM »
Quote
1) You are wrong about Domain Validation: CAs do NOT "validate the requester owns the domain" as you wrongly claim. CAs only check if the requester has "control" of the domain. This "requester" could be the hacker who is controlling the domain, and they would still get a certificate.

Granted, that was poor wording on my side. Regardless, this is the first revocation scenario I described; a falsely issued certificate.

Quote
2) CABforum guidelines:) https://en.wikipedia.org/wiki/CA/Browser_Forum

I'm not sure what you're trying to say with this. Yes, that's the organization I was referring to, and the linked excerpt comes from their EV guidelines, section 2.1.3.

Offline My1

  • Comodo Member
  • **
  • Posts: 26
Re: Shame on you, Comodo!
« Reply #63 on: June 26, 2016, 03:30:41 AM »
Well, but it is also about HOW you check the "domain control". I personally would say either over administrative email addresses (postmaster etc.), DNS (if you can mess with DNS you can also change the mail server) or the email address listed in the whois.

I personally think that just uploading an HTML text or whatever file isn't that good.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Shame on you, Comodo!
« Reply #64 on: June 26, 2016, 09:39:16 AM »
Quote
Well, but it is also about HOW you check the "domain control". I personally would say either over administrative email addresses (postmaster etc.), DNS (if you can mess with DNS you can also change the mail server) or the email address listed in the whois.

I personally think that just uploading an HTML text or whatever file isn't that good.


If you have DNS (depending on which level of control, e.g. state-level control etc.), then you can re-route the web traffic too.

Offline My1

  • Comodo Member
  • **
  • Posts: 26
Re: Shame on you, Comodo!
« Reply #65 on: June 26, 2016, 09:45:37 AM »
Yes, but getting control of the DNS is harder than MITM'ing an HTTP connection, especially if the DNS is nicely secured (I have 2-factor auth in place for that).

My point is that web should not be done, since it's pretty low.

DNS or admin/whois email addresses are in my opinion the best ways, because from what I know DNS servers generally have fewer people who can access them from the inside than the web server, most probably because the DNS servers are also important for email delivery and other stuff you may have in the DNS.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Shame on you, Comodo!
« Reply #66 on: June 26, 2016, 09:56:43 AM »
Quote
Yes, but getting control of the DNS is harder than MITM'ing an HTTP connection, especially if the DNS is nicely secured (I have 2-factor auth in place for that).

My point is that web should not be done, since it's pretty low.

DNS or admin/whois email addresses are in my opinion the best ways, because from what I know DNS servers generally have fewer people who can access them from the inside than the web server, most probably because the DNS servers are also important for email delivery and other stuff you may have in the DNS.

At ISP and state level, DNS has been known to be re-routed.
If you are talking about a specific attack just on your enterprise and how you can protect yourself and your enterprise, then I concur. However, then the security is only as good as the path that your email servers take. Again, they can be hacked and traffic for them could be re-routed, depending on what kind of mail server you are dealing with.

Offline My1

  • Comodo Member
  • **
  • Posts: 26
Re: Shame on you, Comodo!
« Reply #67 on: June 26, 2016, 10:15:03 AM »
And that's one point where DANE plus a 2-step auth DNS server (e.g. Cloudflare, which can be used as a pure DNS server; I do that) would really shine.

In that case, even if the DNS would be rerouted: if you know that a place has DNSSEC, and it suddenly doesn't have it when accessing it from a different location (there are enough web services for that), you can know something is wrong.

And in that case a self-signed (or created by your own CA) TLSA cert is actually a better kind of auth for that.
Why? Simple. Without the TLSA part the cert doesn't have any trust anchor, and unlike CAs, DNSSEC has a much stricter trust model, meaning that even if the Chinese gov would have something against me, they can't force a Chinese CA or the maintainer of the Chinese TLD DNSSEC key (assuming they have DNSSEC) to manipulate my site, because they CAN'T.

With DNSSEC everything binds to ONE root key, and you can only create DNSSEC'ed stuff for the same level or below ON THE SAME BRANCH.

And in case they would try to cut off the DNSSEC data, the TLSA cert wouldn't make any sense (because no TLSA/DANE without DNSSEC) to the browsers, because they don't trust that, and only then could they get a CA in their legislation to do stuff.
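Editor's added example, not code posted by anyone in this thread: what a DANE-EE (TLSA usage 3) match actually checks for the self-signed/own-CA certificate case described above. A TLSA record of the form "3 1 1 <hex>" says "the leaf presented on this port must have a SubjectPublicKeyInfo whose SHA-256 is <hex>"; no CA chain is consulted at all. The script builds a constructed, unsigned X.509-shaped DER certificate with a hypothetical key and name (no real zone, no real key), derives TLSA records from it, and checks which re-issuances still match, contrasting selector 1 (pin the key) with selector 0 (pin the whole certificate). It assumes the TLSA answer arrived through a validated DNSSEC chain; the match itself only proves the presented key is the one the zone publishes, which is whatever the holder of the zone's signing keys (and of the delegation above it) chooses to sign.

```python
"""DANE-EE (TLSA usage 3) matching for a leaf certificate, stdlib only.

Added example, not code from this thread. The certificate below is a
constructed, unsigned X.509-shaped DER blob (hypothetical key and names);
the TLSA records are derived from it inline rather than read from DNS.
"""
import hashlib
import hmac
import struct


def der_tlv(tag: int, payload: bytes) -> bytes:
    """Encode one DER tag-length-value; long-form lengths up to 65535."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + payload


def der_children(buf: bytes):
    """Split a run of DER TLVs into (tag, value, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, first = buf[pos], buf[pos + 1]
        if first < 0x80:
            length, hdr = first, 2
        else:
            nbytes = first & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
            hdr = 2 + nbytes
        start, end = pos + hdr, pos + hdr + length
        out.append((tag, buf[start:end], buf[pos:end]))
        pos = end
    return out


def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER of subjectPublicKeyInfo (what selector 1 hashes)."""
    (_, cert_value, _), = der_children(cert_der)          # Certificate
    _, tbs_value, _ = der_children(cert_value)[0]         # tbsCertificate
    fields = der_children(tbs_value)
    if fields[0][0] == 0xA0:                              # optional [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][2]


def tlsa_rdata(cert_der: bytes, usage: int, selector: int, mtype: int) -> str:
    """Presentation-format TLSA rdata: 'usage selector mtype hexdata'."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        digest = data                                     # Full (no hash)
    elif mtype == 1:
        digest = hashlib.sha256(data).digest()
    elif mtype == 2:
        digest = hashlib.sha512(data).digest()
    else:
        raise ValueError(f"unknown matching type {mtype}")
    return f"{usage} {selector} {mtype} {digest.hex()}"


def tlsa_matches(rdata: str, cert_der: bytes) -> bool:
    """True if the presented leaf satisfies a DANE-EE record.

    Usage 3 pins the leaf itself, so no CA chain is consulted. This only
    means something if the record arrived through a validated DNSSEC chain;
    an unvalidated TLSA answer can be forged like any other DNS response.
    """
    usage, selector, mtype, hexdata = rdata.split()
    if int(usage) != 3:
        raise NotImplementedError("only DANE-EE (usage 3) is shown here")
    expected = tlsa_rdata(cert_der, 3, int(selector), int(mtype)).split()[3]
    return hmac.compare_digest(expected, hexdata.lower())


def sample_cert(modulus: bytes, common_name: bytes) -> bytes:
    """Constructed X.509-shaped DER: real layout, fake key, placeholder signature."""
    cn = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, common_name))
    name = der_tlv(0x30, der_tlv(0x31, cn))               # Name ::= SEQUENCE OF SET
    alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2A864886F70D010101")) + der_tlv(0x05, b""))
    rsa_key = der_tlv(0x30, der_tlv(0x02, b"\x00" + modulus) + der_tlv(0x02, b"\x01\x00\x01"))
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_key))
    validity = der_tlv(0x30, der_tlv(0x17, b"160626000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + alg + name + validity + name + spki)
    return der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00" * 9))


def demo() -> dict:
    """Show what selector 1 (SPKI) vs selector 0 (full cert) actually pins."""
    cert = sample_cert(b"\xC3" * 32, b"example.invalid")
    spki_pin = tlsa_rdata(cert, 3, 1, 1)                  # "3 1 1 <sha256(SPKI)>"
    full_pin = tlsa_rdata(cert, 3, 0, 1)                  # "3 0 1 <sha256(cert)>"
    reissued = sample_cert(b"\xC3" * 32, b"www.example.invalid")   # same key, new cert
    other_key = sample_cert(b"\x5A" * 32, b"example.invalid")      # attacker's key
    return {
        "original_spki_pin": tlsa_matches(spki_pin, cert),          # True
        "reissued_spki_pin": tlsa_matches(spki_pin, reissued),      # True: key unchanged
        "reissued_full_pin": tlsa_matches(full_pin, reissued),      # False: DER changed
        "other_key_spki_pin": tlsa_matches(spki_pin, other_key),    # False
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The practical point the two pins show: a "3 1 1" record survives re-issuing the certificate as long as the key stays the same, while "3 0 1" has to be republished (and its DNS TTL waited out) on every renewal, which is the usual source of DANE outages. Usages 0 to 2 additionally involve a CA or trust anchor and are deliberately left out here.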

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Shame on you, Comodo!
« Reply #68 on: June 26, 2016, 02:33:15 PM »
I agree DNS needs some work!

Offline w33d3r

  • Comodo's Hero
  • *****
  • Posts: 276
Quote
We already give certificates for free... have been for many years...
These certificates do not have any "validation" apart from checking to see if you have temporary control of the domain. These kinds of certificates should not show the padlock, as these certificates provide encryption but do not validate who you are encrypting for. You could be encrypting your data for the hacker you are trying to avoid in the first place :).

So to summarise

1) You do not know who you are encrypting for (as there is no validation).
2) Anyone who takes temporary control of your domain (or email server) can obtain these certificates without your knowledge
3) We have been giving these for free for many years anyway ;)

So what is the news again? ;)

Melih

Well, the news recently seems to be Comodo trying to undermine Let's Encrypt by applying for the same name as a trademark... after they have already become established.

A bit underhanded, don't you think? I thought they posed no threat to you?

https://letsencrypt.org/2016/06/23/defending-our-brand.html

Why are (or why were (if it's true that you are no longer pursuing this course)) you doing this?
« Last Edit: June 26, 2016, 04:03:45 PM by w33d3r »

Offline EricJH

  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 25611
Re: Shame on you, Comodo!
« Reply #70 on: June 26, 2016, 05:48:22 PM »
W33d3r I split your post from the other topic and merged it with this one. Please notice that Comodo is not pursuing to use the Let's Encrypt brand name:
With LE now being an operational business, we were never going to take these trademark applications any further. Josh posted a link to the application, and as of February 8th it was already in a state where it would lapse.

Josh was wrong when he said we’d “refused to abandon our applications”.  We just hadn’t told LE we would leave them to lapse.

We have now communicated this to LE.

Comodo has filed for express abandonment of the trademark applications at this time instead of waiting and allowing them to lapse.

Following collaboration between Let's Encrypt and Comodo, the trademark issue is now resolved and behind us, and we'd like to thank the Let's Encrypt team for helping to bring it to a resolution.


Offline John Buchanan

  • "Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well armed lamb contesting the outcome of the vote." ~ Benjamin Franklin
  • Global Moderator
  • Comodo's Hero
  • *****
  • Posts: 6683
  • Personal Dragons can be defeated. Improve yourself
Re: Shame on you, Comodo!
« Reply #71 on: June 26, 2016, 10:40:20 PM »
This topic should be considered complete.
Everything has been said and this issue is resolved.
Please follow Comodo Forum Policy


Offline w33d3r

  • Comodo's Hero
  • *****
  • Posts: 276
Re: Shame on you, Comodo!
« Reply #72 on: June 27, 2016, 03:46:10 AM »
Quote
This topic should be considered complete.
Everything has been said and this issue is resolved.

No, it's not finished until Melih fesses up to why he started trying to claim the name for the trademarks when he knew full well that someone else was using it.

An open-source project designed for the betterment of the internet was being attacked by Comodo. Yes, the Express Abandonment is now filed...

But Melih is avoiding answering why he did it in the first place.

An apology for publicly making a bad judgement call would be good and pave the way for trust to come back to Comodo, because right now the company has lost a huge amount of that in the eyes of the public.

This company is supposed to be about trust, isn't it?

The topic has just been watered down with technical babble so far by the CEO.

The questions people want answered throughout the topic have just been studiously avoided.


@Eric - Thank you for moving the post. I did a search before posting but was not aware of this topic.

Offline SSL Guru

  • Comodo's Hero
  • *****
  • Posts: 320
  • Retired Comodo Global Support Manager
    • Dağcılar Sitesi
Re: Shame on you, Comodo!
« Reply #73 on: June 27, 2016, 06:30:24 AM »
Quote
This topic should be considered complete.
Everything has been said and this issue is resolved.

Agreed......just flogging a dead horse now.

Offline Melih

  • CEO - Comodo
  • Administrator
  • Comodo's Hero
  • *****
  • Posts: 14651
    • Video Blog
Re: Shame on you, Comodo!
« Reply #74 on: June 27, 2016, 09:44:09 AM »
Quote
No, it's not finished until Melih fesses up to why he started trying to claim the name for the trademarks when he knew full well that someone else was using it.

An open-source project designed for the betterment of the internet was being attacked by Comodo. Yes, the Express Abandonment is now filed...

But Melih is avoiding answering why he did it in the first place.

An apology for publicly making a bad judgement call would be good and pave the way for trust to come back to Comodo, because right now the company has lost a huge amount of that in the eyes of the public.

This company is supposed to be about trust, isn't it?

The topic has just been watered down with technical babble so far by the CEO.

The questions people want answered throughout the topic have just been studiously avoided.


@Eric - Thank you for moving the post. I did a search before posting but was not aware of this topic.

We applied before the product was launched. This was when the project was looking for funds and there was a chance that it wouldn't launch.
When it launched we decided to abandon the application. We meant no harm, and there was no harm done to anyone.

I don't believe encryption without authentication blindly makes the internet a safer place (see the other topic on this).
Sponsors of LE, IMO, are using LE to subsidize their certificate costs by getting others to donate to/sponsor LE.

LE is NOT a CHARITY!!!!!!

(http://www.differencebetween.com/difference-between-charity-and-vs-non-profit/)

A charity is designed to help social causes etc. LE IS NOT A CHARITY.

So a $10 an end user donates to LE might actually end up subsidizing the likes of Akamai, Cisco and OVH, who need millions of certificates themselves and have now found a way to get the end users to subsidize it. All this while running unmanaged certificates which are NOT revoked in a timely manner, hurting consumers! (Do you want certificates staying unrevoked although they are being used by phishers and malware people?)
