Comodo continues to issue certificates to known Malware

So you think that since Comodo offers a free, non-crippled security suite with an optional toolbar that helps keep it free for all the people who can’t afford security, that makes Comodo “worse”?

Comodo is the one who has actually tried to STOP selling those certificates… unfortunately they could not get it to work economically…

It’s not so much to whine about…

The competitors are selling a lot more of those specific certificates and pushing them a lot more. Comodo pushes for the stronger alternatives… That’s what they can do atm.

So you think that since Comodo offers a free, non-crippled security suite with an optional toolbar that helps keep it free for all the people who can't afford security, that makes Comodo "worse"?
No. I think that the pre-ticked selections regarding the toolbar/homepage/search are what makes Comodo worse.

The toolbar should make no difference. Last time I looked, the products were free forever, with companies taking up the pro version, for example, subsidising it all.

Free users, while getting the product free, are still beta testers to a degree, yet they are expected to install a non-required toolbar. At least make it opt-in, not opt-out. Ask does not have a good reputation.

On sites that engage in security there are some people willing to make this a black mark, whereas there is no way for any CA to foresee the intention of those requesting certificates, nor would it be feasible to extend the EV-SSL certification procedure to the DV-SSL certificates Comodo provides.

Even if Comodo were willing to extend the EV-SSL certification procedure to DV-SSL certs, this would only cause confusion about the intrinsic value of DV-SSL certificates. Removing DV-SSL certificates from the existing offer will not solve the ongoing scenario, although it will effectively prevent FUD that leverages these aspects.

Anyway, as long as, on sites engaged in security, there is no one willing to acknowledge that DV-SSL certificates are not the same as EV-SSL, many people will rely on DV-SSL to cut costs regardless of who provides them, obviously to the advantage of those who actually have the highest market share for DV-SSL.

Indeed the toolbar makes no difference; CIS is still free and users can un-tick what they have no use for. There have been a lot of FUD-ridden efforts on this and there is no point in having this topic go OT over it.

All the certificates relating to this site were revoked.

We do not tolerate malicious intent in any form.

As soon as we were alerted to this, our Validation team analysed these sites and immediately revoked their SSL Certs. Thank you for alerting us to this, and we look forward to our users’ continuous reporting of any malicious activity on the internet.

We are hopeful that through www.ccssforum.org we can improve the speed of alerts and response.

thank you

Melih

Yes, the irony of that is startling isn’t it? Actually the irony of an MVP saying that & ignoring the bigger (and far more important) picture isn’t too bad either. However, the ignorance of the MVP is just plain startling.

Interesting, back to the year+ old toolbar (which has been done to death btw). The MVP’s comment & the context of Comodo’s toolbar in his blog does, as he said, “really make you wonder”.

I believe that should read: Ask did not have a good reputation. Note past tense.

Ignorance has always caused problems for humanity! Look at terrorism, look how the human race suffered during the dark ages.

They simply do not get all the work Comodo has done in trying to stop DV certs, all the work we have done creating a better trust indicator, EV SSL, and all the work we do fighting malware. And all they can do, while we spend millions of dollars of our own money trying to make the internet a better place and protect users, is whinge, whinge and whinge more. And all this whinging is based on the wrong assumption about Comodo! They don’t even get their facts right before they spurt out whinges!

But, Comodo is prevailing! These negative, ill-intentioned, ignorant people can only harm themselves with their whinging! More and more people are choosing Comodo and trusting Comodo! So there you have it :wink: (even though this is more of my time than they really deserve; I will not spend any more time on these ignorant people)

Melih

Instead of trying to stop… Just stop!

I believe that should read: Ask did not have a good reputation. Note past tense.
And if your neighbour poisoned your dog last year, you would still trust them now? Ok.

I suppose there’s no real reply that can be applied to Melih’s final comment, there. Shame… I expected more.
88)

A total letdown. :-TD

Can I ask you what you were expecting then?

Xan

Obviously Data wants Comodo to stop issuing DV’s immediately. Presumably, he’s already tackling GoDaddy & Verisign with the same message. Right Data?

FUD is poison advocating fear that can be spread even unintentionally, to the point that it expands virally, often making it difficult to identify the originating source.

Lol. :-TU :-TU I doubt he does that; this shows what double standards some people actually have… =S

The issue of the inherent vulnerability that DV certs suffer from is different from what Comodo itself does.

DV certs are vulnerable.

Comodo has been championing to change that since 2005.

Comodo founded www.cabforum.org and created a new trust indicator, the “green bar” (because the trust in the yellow padlock is misplaced).

Comodo to date is still trying to mitigate the risks of DV certs by trying to convince the industry to adopt a new standard for DV certs (with our efforts in www.cabforum.org).

Comodo is educating anyone who tries to get a DV cert from Comodo about the benefits of validation, hence improving the understanding of SSL certs and the pitfalls and dangers posed by DV certs to ecommerce.

So pls tell me which one we should not be doing?

Melih

PS: why don’t you guys ask browser makers and other Certification Authorities what they are doing to create a minimum standard for DV certs!

DV certs do NOT offer security unless the user types the https URL in full into the address bar in the browser for a site they have already pre-established trust with. Clicking on an https link on an http site is flawed if the https site has a DV cert! And DV certs should NOT be used for any ecommerce whatsoever!
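As an added illustration of the DV/OV/EV distinction drawn in the post above (this is not code from the thread or from Comodo), here is a small Python check that tells the three apart by which identity fields a certificate's subject actually carries. It assumes the subject is given as the RFC 2253-style string printed by `openssl x509 -noout -subject -nameopt RFC2253`, and that EV subjects follow the CA/Browser Forum EV Guidelines (businessCategory, serialNumber and jurisdiction fields); the sample subjects are constructed.

```python
import re

# Subject attributes the CA/Browser Forum EV Guidelines mandate beyond O/L/ST/C.
# Assumption: OpenSSL short names; jurisdictionC may also appear as its raw OID.
EV_REQUIRED = {"businessCategory", "serialNumber"}
JURISDICTION_COUNTRY_OID = "1.3.6.1.4.1.311.60.2.1.3"


def parse_subject(subject):
    """Split an RFC 2253-style subject string into {attribute: value}.
    Handles backslash-escaped commas in values ('O=Acme\\, Inc.'); repeated
    attributes keep the last value, which is fine since only presence matters."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", subject):
        if "=" not in rdn:
            continue
        key, value = rdn.split("=", 1)
        attrs[key.strip()] = value.strip().replace("\\,", ",")
    return attrs


def validation_level(subject):
    """Return 'DV', 'OV' or 'EV' based on which identity fields were vetted.
    DV: no Organization at all, only the domain was checked (the case the
        post says should not be relied on for ecommerce).
    OV: a vetted Organization (O) is present.
    EV: O plus the legal-identity fields the EV Guidelines require."""
    attrs = parse_subject(subject)
    if "O" not in attrs:
        return "DV"
    has_jurisdiction = any(
        k.startswith("jurisdiction") or k == JURISDICTION_COUNTRY_OID
        for k in attrs)
    if EV_REQUIRED.issubset(attrs) and has_jurisdiction:
        return "EV"
    return "OV"


def organisation(subject):
    """Vetted organisation name, or None for a DV cert (nothing was vetted)."""
    return parse_subject(subject).get("O")


if __name__ == "__main__":
    # Constructed sample subjects, not real certificates.
    for s in ("CN=www.example.com",
              r"C=US,ST=Texas,O=Example\, Inc.,CN=www.example.com",
              "businessCategory=Private Organization,jurisdictionC=US,"
              "serialNumber=1234567,C=US,O=Example Corp,CN=www.example.com"):
        print(validation_level(s), organisation(s))
```

The useful defender's takeaway is the `None` returned for the DV case: the certificate asserts nothing about who operates the site, only that whoever requested it controlled the domain name at issuance.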

Here is yet another uninformed argument

Comparing OV certs that Comodo and Verisign issue!

Knock, knock… do you even know the difference between DV, OV or EV certs?
Yet you are writing about it!

Please get your facts right before you write anything!

This is really bad… this blog site has done ZERO background check into anything!!!

“it only takes one hour for Comodo to provide validation for an SSL Certificate, compared to 3-7 days for the other vendors. Note also that “Company Legitimacy” is also provided:”

eh? are you for real? This is totally a false statement and below is the proof of your false statement!

Compare Certificates | GeoTrust (a Verisign Company), issuance is 10 min…

http://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979 (click on Certificate Features and see time of issue… it says Turbo-Fast! Issued in minutes)

The author of this misinformed blog even gets the Comodo cert wrong… it’s Sectigo, not the OV certs you compared!

And did you even read what we have written there?

“128 bit SSL Certificates designed for encrypting web sites for low volume online transactions. Trusted by over 99.3% of current Internet users, Positive SSL is the solution for new websites or environments where trust has been established and entity verification (for identity assurance) is not needed. Positive SSL Certificates do not carry any warranty.”

Any other DV vendor trying to educate the users like we are?

Shame on this so-called securitygarden blog for spreading false and misleading information! Shame on you! Obviously they are ill informed and have no knowledge of the SSL market, yet they are more than happy to utter ignorance on their blog site… Shame!

Melih

Obviously Data wants Comodo to stop issuing DV's immediately. Presumably, he's already tackling GoDaddy & Verisign with the same message. Right Data?
Obviously not paying attention.
FUD is poison advocating fear that can be spread even unintentionally to the point it expands virally often making difficult to identify the originator source.
Very informative. I'm sure that applies to somebody, somewhere. However, here we discuss a real, pertinent (to Comodo) fact.
Lol. I doubt he does that, this shows how double standards some people actually have.. =S
Here I was thinking we were having a decent, intelligent convo, and now you have a personal go at me.

So all it shows is that this forum can’t take the knocks and so tries to deflect the issue by poking fun.

For a professional level board, double standards it certainly is. Shameful!

Does that mean you have contacted GoDaddy & Verisign on the issue of DV validation or not?

BTW

I will check further but we reacted to this as fast as we could as soon as we found out about it.

I was alerted to this first by Sunbelt’s CEO (Thank you Alex) and we pushed this into our validation dept asap and revoked it as soon as we found it to be malicious.

Does anyone know if the original poster had actually sent us an email before he published this article? I would like to find out if he has and to whom, so that we can improve the communication channel if an email was sent. In the poster’s site http://msmvps.com/blogs/hostsnews/archive/2009/05/16/1692519.aspx he/she states:

“I was following up on a list of malware sites posted on Dancho Danchev’s Blog and yet again I find Comodo issuing certificates to these Malware writers”

He doesn’t claim that he sent an email to us to inform us before he went public. To my knowledge we haven’t received any emails from him or emails from Dancho Danchev’s site. We found these out after they went public.

So people claiming that we should have acted sooner: Well we did! But it seems the bloggers were eager to write their blogs without informing us about it. So the question should be the ethics of publishing this kind of material without informing the security vendors in the first place.

People might not realise that AV vendors and other malware analysts find malware which uses certs on an almost daily basis. The biggest problem is there is no industry-wide cooperation about how to report these to Certification Authorities for a speedy resolution.

www.ccssforum.org is going to handle that and the work has already started trying to bridge the gap between AV industry and CAs. Once again Comodo has been at the forefront of proactively solving industry problems.

Melih

Why would I contact companies who have nothing to do with the matter at hand?

Data

What aspect can Comodo improve? (I am more than happy and willing to improve whatever we can)

Melih

Indeed. Although I wasn’t able to guess it was going to be informative for you. Thanks for pointing that out.

However, the assumption that it would have been possible for any CA (not only Comodo) to prevent the previously mentioned scenario pertaining to DV-SSL certs has yet to be proven true, whereas those explicitly leveraging such hindsight arguments provide far more information about themselves than about the fact itself.

On top of this, apparently there are self-proclaimed eminences of the security scene (somebody, somewhere) providing incorrect information, or those who implicitly claim to be spokespersons for entire security communities (or rather stretch their personal viewpoints to whole communities).