http://www.wilderssecurity.com/showthread.php?t=242453
Looks like Comodo’s popularity is going to go down even further!
What does Melih have to say about this I wonder?
That’s an SSL certificate (not a code signing cert).
Now let me explain the SSL certificate market…
Until Geotrust came into the picture in 2001, all SSL certificates were issued after validating the applicant to make sure it was a legitimate company (just that it existed as a legal entity etc., so that the end user had recourse).
Geotrust “innovated” their way into the SSL market by removing this validation process and called it “Domain Validation”… which means the applicant has money and has a domain. And yes, you guessed it, this means bugger all in terms of validation!
This allowed Geotrust to issue certificates very quickly to their customers. Of course this caused end users to falsely trust sites too. One of the reasons why I initiated the CABForum was that these DV certs were eroding user trust in ecommerce by creating a false sense of security.
Today, the biggest issuers of DV certs are Verisign and Godaddy. They have continued issuing DV certs, which caused the likes of Comodo to offer them as well. If we didn’t, we would lose customers and the world would have no chance to fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy.
As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!
Some people claim that DV certs have a place for just encryption for a site that has pre-established trust, but that only happens if the user types https://www… and goes to the site… if the user types http://www… and then clicks on a link, then there is no trust, as you can’t trust this site in the first place because it’s not validated (it’s just http).
So the problems that DV certs have caused have ranged from phishing sites being secured with SSL to malware sites having a DV cert!
Perhaps it will take end users starting to demand the removal of DV certs from the marketplace! Because the likes of Verisign and Godaddy are against removing DV certs altogether. (Verisign bought Geotrust for $120M two years ago.)
Is this the first… NO
Will this be the last… NO
It’s time to demand NO MORE DV CERTS!!!
End users must start showing that they care about their security and demand from their OS providers, browser providers and standards organisations that they want proper validation for SSL certs and that Domain Validation should be banned!
Thanks
Melih
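The post above turns on one technical point: a DV certificate proves only that the applicant controlled the domain, so its subject names a host and nothing about who operates it, whereas an OV or EV certificate carries a validated organisation. The Python below is an added example (not code from the original thread or from Comodo) that makes the difference visible. It works on the dict shape Python’s ssl.SSLSocket.getpeercert() returns, so a live leaf certificate can be passed in; the two sample certificates are constructed inline and the domains are fictitious. The CA/Browser Forum policy OIDs it checks are real but post-date this thread, so for older certificates it falls back on the subject contents, using the “Domain Control Validated” OU string that several CAs put on their DV products at the time. Everything it reports assumes the chain itself has already been validated; classification of an untrusted certificate means nothing.

```python
"""Tell a DV certificate from an OV/EV one by what it actually asserts.

Added example; not code from the original thread or from Comodo. Works on the
dict shape returned by ssl.SSLSocket.getpeercert(), so a live certificate can
be passed in. The sample certificates below are constructed inline (not real
certificates). The CA/Browser Forum policy OIDs are real but post-date the
thread; older certificates are classified by subject contents instead.
"""
from typing import Dict, Iterable, List

# CA/Browser Forum reserved certificatePolicies OIDs (Baseline Requirements).
OID_EV = "2.23.140.1.1"    # Extended Validation
OID_DV = "2.23.140.1.2.1"  # Domain Validated
OID_OV = "2.23.140.1.2.2"  # Organization Validated
OID_IV = "2.23.140.1.2.3"  # Individual Validated


def subject_attrs(cert: dict) -> Dict[str, str]:
    """Flatten getpeercert()['subject'] (a tuple of RDN tuples) to {attr: value}."""
    flat: Dict[str, str] = {}
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            flat[attr] = value
    return flat


def dns_names(cert: dict) -> List[str]:
    """Host names the certificate is valid for: SAN DNS entries, plus CN if absent."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = subject_attrs(cert).get("commonName")
    if cn and cn not in names:
        names.insert(0, cn)
    return names


def classify_validation(cert: dict, policy_oids: Iterable[str] = ()) -> str:
    """Return 'DV', 'OV' or 'EV'. Policy OIDs win; otherwise fall back on the subject."""
    oids = set(policy_oids)
    if OID_EV in oids:
        return "EV"
    if oids & {OID_OV, OID_IV}:
        return "OV"
    if OID_DV in oids:
        return "DV"
    attrs = subject_attrs(cert)
    # Marker several CAs placed in OU on their DV products at the time of the thread.
    if "Domain Control Validated" in attrs.get("organizationalUnitName", ""):
        return "DV"
    # No O attribute means the CA checked domain control only, nothing about the operator.
    return "OV" if attrs.get("organizationName") else "DV"


def describe(cert: dict, policy_oids: Iterable[str] = ()) -> dict:
    """Summarise what a validated chain ending in this leaf tells the user."""
    level = classify_validation(cert, policy_oids)
    attrs = subject_attrs(cert)
    return {
        "level": level,
        "dns_names": dns_names(cert),
        # Only report an organisation when the CA actually validated one.
        "organization": attrs.get("organizationName") if level != "DV" else None,
        "verified_identity": level in ("OV", "EV"),
    }


# Constructed samples shaped like getpeercert() output; the domains are fictitious.
# A DV certificate on a look-alike name: nothing here says who runs the site.
DV_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("commonName", "secure-bank-login.example"),)),
    "issuer": ((("organizationName", "Example DV CA"),),),
    "subjectAltName": (("DNS", "secure-bank-login.example"),
                       ("DNS", "www.secure-bank-login.example")),
}
# An OV certificate: the CA validated the legal entity named in O.
OV_CERT = {
    "subject": ((("countryName", "GB"),),
                (("localityName", "Salford"),),
                (("organizationName", "Example Bank plc"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example OV CA"),),),
    "subjectAltName": (("DNS", "www.examplebank.example"),),
}

if __name__ == "__main__":
    for label, cert, oids in (("lookalike", DV_CERT, ()), ("bank", OV_CERT, ()),
                              ("bank-ev", OV_CERT, (OID_EV,))):
        print(label, describe(cert, oids))
```

In practice you would call describe(sock.getpeercert()) after a TLS handshake. Note that getpeercert() does not expose the certificatePolicies extension, so the OID path needs a full X.509 parser; without it the subject-based fallback is a heuristic, and a DV certificate still passes every browser check. The point the code makes is the one Melih makes: for the look-alike domain the result is "organization": None, and no amount of encryption changes that.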
Thanks for the reply Melih. Maybe you could post on the Wilders thread too. I don’t really care too much, but you guys have a reputation to protect…
SSj100. I’ll take care of it.
Cheers,
Josh
Thanks Josh
Melih
Some people asked me: is it a good enough reason for Comodo to issue DV certs just because Verisign and Godaddy are issuing them?
Very good question, and here is my answer.
Comodo cares for their security, so when someone gets a DV cert from Comodo, we do try to explain to them that it is important that they get a higher validation certificate like OV (Organisation Validation) or EV (Extended Validation). This way at least we can convert some of the people who would have bought DV into validated customers. It’s better than letting them just go and get a DV cert from other companies who do NOT explain the benefits of validation and the problems of DV certs to their customers.
So when people buy a DV cert from Comodo, at least we get a chance to explain to them the problems of DV. This is why Comodo has only a limited amount of DV certs in issuance compared to the biggest issuers of DV certs, Verisign and Godaddy.
Melih
Another important point is:
Through www.ccssforum.org we are trying to set up good communication channels so that anyone who has found malicious activity behind any certificate can report it to the CAs immediately.
We encourage reporting of these, and we will recommend that ccssforum.org has a public form where these can be reported. This way ccssforum.org can disseminate these reports to the relevant CAs.
thanks
Melih
Some people who don’t understand the SSL market in the world usually say that.
Do governments need to provide certs?
It’s better.
But no way…
Do SSL certs have some security holes?
Yes.
(I can show you how it works in the real world if you want.)
But if people understand the SSL market as Melih explained it, they will not say that again.
There will be new algorithms and certs in the future, but not yet.
Every year there are a few conferences about encryption and security around the world.
(I went to a conference about security and algorithms last year. There were many people from all over the world.)
Many publications of researchers’ results and presentations of researchers’ reports are rolled out.
Why is it not going to the real markets?
It’s not proven yet in the real world.
The most important thing is that users need to have some knowledge about security first instead of relying too much on security companies.
We are not living in the Precambrian Eon.
It’s a new organisation for setting standards for desktop security products.
I mean, even a $5 padlock you buy from a hardware store has to comply with some standards, yet the AV or firewall you buy to protect your precious online identity, online banking etc. has literally no standards it has to comply with!
So this organisation aims to introduce standards for the desktop security world, improve communication in the industry and provide a single voice and single point of contact.
Melih
BTW
I passed the details of this DV cert in question to our validation dept for them to investigate.
Melih
Melih, I’ve seen a lot of junk like this lately. Comodo’s Wikipedia page was changed in an unfavourable manner (pure junk really), so I changed most of it back…
Wilders always posts junk about Comodo and especially CIS, then this Calendar of Updates seems to have personal issues or she/he doesn’t really understand certificates (tragic since he/she claims to be an expert). Softpedia was another case of a company trying to push junk about Comodo and spreading “hate”. Comodo needs to fight those rumour spreaders, especially since most of it is pure junk…
Maybe have someone who talks well post in those forums that always attack Comodo and answer in a “nice” fashion, or technical if that’s what’s needed. Many companies have a dev or similar posting at Wilders.
I don’t think sitting silent is the way to go. Comodo needs to tackle this sort of stuff.
Since the bigger market share CIS gets, the more desperate the others will get…
I really believe people have started to realise that CIS is actually not that annoying and offers better protection than the paid alternatives… But at the same time we have those who are doing EVERYTHING to make people pick the “alternatives”… Especially now when their major argument against CIS has failed, “it’s too chatty”. You guys have done a good job preventing CIS chattiness… =)
Quote: “If we didn’t, we would lose customers and the world would have no chance to fight back. We only issue a very small amount of DV certs compared to Verisign and Godaddy. As far as I am concerned DV certs SHOULD NOT EXIST! Encrypting data for a recipient you have not verified is stupid at best!”
Quote: “The most important thing is that users need to have some knowledge about security first instead of relying too much on security companies.”
In the first instance, the average user has no option but to rely on security companies. In the second, security companies rely on end users to stay in business. So the less savvy the user, the better, correct?
Since Comodo is not alone in this, why do they get all the garbage?? I guess you are “Data” from COF? Do you think it’s fair to bash just Comodo?
Looks like this Donna is having personal issues… Seriously.
Not hard to deduce, but yes, I am the same person from COU. Look around there and you will see I don’t “bash” anybody. I tell it as I see it. Whoever it may be.
No it’s not personal. It’s a case of being let down by one you have supported. In that instance, people have the right to say their piece.
COU is performing a great service. Comodo is providing a great service, but it has to be made clear. Comodo are tarnishing that reputation.
Nobody likes to see products of this quality get bad feedback, but it is warranted.
Data
I believe that to be deemed as not bashing Comodo, you should (for correctness, at least) replace most instances of Comodo with Certification Authority in your posts. I suspect this is what Monkey_Boy means (correct me if I’m wrong).
I think you misunderstood… I did not claim that you were the one bashing. I only asked if you viewed it as fair that Verisign and Godaddy (and probably a whole bunch of Certification Authorities) are selling this “weak” certificate too??? Yet COF and similar sites (Wilders) post it as if this is something Comodo specific…
It’s a weak certificate, but it’s something that many, many Certification Authorities are selling, so I don’t really see why Donna and similar should make a thread bashing solely Comodo for it…
Verisign and Godaddy are the major pushers and sellers of this junk, yet they get no criticism whatsoever for that… =S
Is that fair? To post it as if Comodo is supporting malware and junk like that? All reasonable people know that that is not true. Donna should at least mention that this applies to almost all Certification Authorities.
I can only comment on COU, Monkey_Boy. I can’t comment on Wilders. I’m not a member there, nor do I visit.
As regards Comodo and COU. Comodo users get support from COU, or at least they did. The rest do not. That’s the difference.
Quote: “Is that fair? To post it as if Comodo is supporting malware and junk like that? All reasonable people know that that is not true. Donna should at least mention that this applies to almost all Certification Authorities.”
I can’t speak for Donna, but I suggest she is stating views on what she has seen, same as the rest of us. We draw conclusions from the originating article and from what we have experienced personally.
We talk about different things, Data… You talk about what and how you feel about Comodo and how you get your opinions…
I talk about why I think Donna’s article should not be formulated like that, and ask you if you view it as fair/nice of Donna to ignore the fact that this is something that applies to almost all certification companies and present it as a Comodo-specific problem. Comodo isn’t even the big seller of this flawed certificate; Verisign and GoDaddy are…
Maybe that should be mentioned as well? This is not a Comodo-specific problem as Donna tries to present it, making it sound like Comodo certificates are worse, while in fact they are no worse than those of any other company. It’s OK for you not to like Comodo; Donna should bite the facts though and accept that Verisign and the whole industry seem to have this weak certificate.
And avoid presenting some personal propaganda angle that Comodo is the malware lover. COMODO DON’T LIKE THIS CERTIFICATE, but have to sell it since the competition does… Better that Comodo sells it and tells the buyers what’s weak with it than the competition that keeps their mouths dead silent.
I talk about the same thing. If you saw that thread, I agreed with what Donna put forward.
Quote: “COMODO DON’T LIKE THIS CERTIFICATE, but have to sell it since the competition does…”
That isn’t sufficient cause though, is it?
Many installers now have a toolbar. That doesn’t imply that Comodo had to do it, yet they did. That started the ball rolling. Now this news about the certificates appears…
Okay, not only Comodo are doing it. Fair comment… But only Comodo have a string of free tools that I have trusted and recommended to others whenever I was asked about a free product. Were Comodo not engaged in providing those tools, this thread would not exist.
Quote: “This is not a Comodo-specific problem as Donna tries to present it…”
I know of no other certificate provider that provides what Comodo does. Therefore, Comodo stand alone.
On sites that engage in security, this is a black mark, and the negatives will abound. Comodo brought it on themselves.
Personally, I think maybe the dust should settle now, and see what develops. Only Comodo can clear this up IMO.