No, a firewall does NOT need to check certificates online. I do not want MY firewall to do this. My firewall shall manage network connections. And COMODO did do this job well for the last 10 years I have been using it. Well, now it does “more”, but it doesn’t do it WELL.
COMODO is not Windows! Btw I have disabled signature checks for executables on Windows.
For me firewall is, next to security, all about privacy and control. So, if I do want to restrict communication for ANY program - and COMODO shall not be the exception here - I should be able to do it with a firewall. If the firewall then SLOWS DOWN my PC while doing so, and the vendor tells me it’s by design, it’s a VERY POOR design.
Again, this behavior is new, this behavior disqualifies COMODO firewall from being a good firewall and enabling users to gain control over their PCs.
Thank you for this hint. Sadly (or gladly?) I had never used COMODO forums before this issue so I don’t know its structure. The question is: how much effort do you want your users to put into getting in touch with you. I tried to chat with COMODO, described my problem there … well guess, where this led … or if I even had received ANY reaction in the chat window …
I hope you take this issue more seriously than just saying: it’s by design that COMODO delays app starts on your PC for 30 seconds in certain situations.
I am going to be the devil’s advocate here and argue why there is a case in not using OSCP when there is no network connection like there was in v10 and v11.
I start from the assumption that a system is clean once CIS is installed and that the various layers of self protection keep the system clean. So, in the case there is no network connection we can safely assume that an executable that is deemed Safe in the Safe list has not been tampered with and is the original executable and therefor does not need OSCP check.
Even though an internet connection is ubiquitous there are still situations where systems may run offline.
Therefor I think the users have a valid case to ask for an option to disable OSCP check either in general or only when there is no internet connection. The self protection of CIS is strong enough to mitigate for the minor loss of security.
I would like to further argue in favor because CIS is also and from its foundation a tool that caters to power users. It is OK to have OSCP enabled by default for the mainstream use patterns but it should have the option to disable it given its dual nature.
A few months ago, I opened a topic about this (which was later moved to this thread) that got closed by a moderator without an answer. Then I noticed another user had just a few days before opened another topic about the same issue, and that topic was closed by the same moderator because “preventing CIS from doing its job is a user’s problem” ???
And that is just sad. I understand that CIS has always performed very well in leak tests (that is the main reason I still use it) and this CRL checking is probably meant to aid in that regard. I also understand that it’s difficult to apply the Unix philosophy of “doing one thing and doing it well” in here because CIS is not just a firewall like iptables, but also a fully-featured solution.
However, a fully-featured solution should have among its features the capability of appealing to users who understand what they are doing, are aware of the small risk and want to avoid this checking and the delays that may come with it. Those delays happen not just when CIS is configured to block itself, but also when the machine has connectivity problems.
Sorry, but saying that it’s a user’s problem only pushes that kind of user to look for an alternative solution.
what’s to be done to move forward here? To move those posts (mine included) to this thread called “Resolved/Outdated Issues” is definitely wrong, as the active conversation shows.
So, what is the next step? Who is going to decide how to proceed here? Or are we users expected to keep on talking to ourselves in some “outdated threads” area of this forum?
