But we acted as fast as we could? So I do not understand why they are saying we should react faster? They are under the false assumption that that MVP guy emailed us… He didn’t, to my knowledge.
Also pls tell Donna, she doesn’t understand how SSL certificate validation works (no disrespect intended). The identity of the domain owner is only validated by OV or EV certs. DV certs do NOT validate the owner of the domain (which is a big problem). And NO SSL cert validates the content of the website. Again, DV certs do NOT validate/certify the identity of the owner (pls do tell her). Also pls do tell her we revoke any site that breaches our T&Cs, and we revoke certs immediately, like we did with today’s incident. Again pls tell her, as soon as we found out we revoked; we were not emailed by that guy, to my knowledge.
I know she is ticked with the ask issue, but she has to be fair and treat issues separately.
Apparently some are explicitly encouraging everybody not to report such sites to Comodo. Such sites are claimed to be known, whereas it is unspecified whether they were such before the certification. Nor is it possible to verify whether other claims are facts or conjectures, since individual viewpoints about responsible disclosure topics may differ.
What's the use of reporting to Comodo if they will ask the alerter on a security/privacy issue to shut up? And why give an email address in the first place to report problems with certificates issued by Comodo to known malware/rogue sites?
Whenever somewhere else it is suggested that it would be fine to address the issue by pushing on Comodo alone, something should more reasonably be proposed as a standard for all DV-SSL certs of all CAs (if ever some advice would actually be feasible for DV-SSL certs), whereas it apparently doesn’t matter that focusing on Comodo alone is not going to solve the issue.
“Which means to me also of what you’ve described. He claims that I and others are believing Mike has emailed them, but he believes there is none.
Now, after searching MVP Mike’s blog, showing that they responded before to his reports, it simply shows that Mike did not fail to report and that they acted before…”
You say we responded to MVP Mike before and he gave us kudos. So why would we not respond to him this time if he sent us an email? Your logic doesn’t make sense. If we responded before, then we would respond again. And we did respond as soon as we were alerted, but did NOT receive any emails from MVP Mike as far as I know.
Also Donna, you seem to be under the misunderstanding that CAs check the applicant’s website and its content when issuing DV certs. They do not! DV certs are automatically issued once money is paid to the domain holder.
“Right or wrong, the implication to me is that perhaps more than an hour is needed in order to determine whether the requester is qualified to receive the Organizationally Validated (OV) SSL Certificate.”
As long as the applicant provides the necessary documentation, it doesn’t take more than an hour of a validation expert’s time to validate the documents provided. The reason the process might take longer is if the applicant can’t provide the necessary documents. If validation took 3-7 days of someone’s time, then it couldn’t have been priced at low hundreds of dollars.
Also Corrine, why are you talking about organisational validation certs in the first place?
The issue here is DV certs and the inherent vulnerability with them. The organisational validation certs were NOT used, so I am at a loss as to why you are talking about this. I think you mixed up the OV and DV certs and are now trying to clarify it. Let me help:
OV certs: You validate the applicant; the applicant must provide docs to prove who they say they are, and these are checked by validation experts.
DV certs: You pay and the cert gets issued to the domain holder with no docs; it’s an automatic process with no human involvement, hence it can be done in minutes.
So malicious-intent sites will go with DV certs cos:
2) they have to provide no docs, and there are no checks apart from checking to see if you have a domain name or not
3) cheaper (cos there is no human validation involved)
So again, I am at a total loss as to why you are talking about OV certs!
But I am glad that all of you are attempting to discuss these issues, as I have been trying to make people understand that DV certs should be banned from the face of ecommerce! You yourself got confused about DV/OV etc.; imagine how an end user feels about it…
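An added example (not from this thread or from Comodo) of the OV/DV distinction as it shows up in a parsed certificate, written in Go against the standard crypto/x509 types: a DV-issued cert carries no Subject Organization, so a client-side check can spell out that the padlock asserts only domain control, never who runs the site or what it serves. The CA/Browser Forum policy OIDs and the certificate fields below are assumptions and constructed sample data, not anything the thread cites.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

// CA/Browser Forum certificate-policy OIDs for DV, OV and EV (assumed from the
// Baseline Requirements and EV Guidelines; the thread itself does not cite them).
var policyLevel = map[string]string{
	"2.23.140.1.2.1": "DV", "2.23.140.1.2.2": "OV", "2.23.140.1.1": "EV",
}

// ValidationLevel reports what the CA actually vouched for. A policy OID is
// authoritative; failing that, an asserted Subject Organization is the only
// other sign of identity vetting, and a DV cert carries no O field at all.
func ValidationLevel(c *x509.Certificate) string {
	for _, p := range c.PolicyIdentifiers {
		if lvl, ok := policyLevel[p.String()]; ok {
			return lvl
		}
	}
	if len(c.Subject.Organization) > 0 {
		return "OV"
	}
	return "DV"
}

// Describe spells out the statement a padlock on this certificate really makes.
func Describe(c *x509.Certificate) string {
	lvl := ValidationLevel(c)
	if lvl == "DV" {
		return fmt.Sprintf("DV: control of %v was demonstrated; no owner identity asserted", c.DNSNames)
	}
	return fmt.Sprintf("%s: the CA asserts the site operator is %v", lvl, c.Subject.Organization)
}

func main() {
	// Constructed certificate fields, as ParseCertificate would populate them
	// for a DV-issued and an OV-issued cert covering the same hostname.
	dv := &x509.Certificate{DNSNames: []string{"shop.example"},
		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}}}
	ov := &x509.Certificate{DNSNames: []string{"shop.example"},
		Subject:           pkix.Name{Organization: []string{"Example Shop Ltd"}},
		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 2}}}
	fmt.Println(Describe(dv)) // DV: control of [shop.example] was demonstrated; no owner identity asserted
	fmt.Println(Describe(ov)) // OV: the CA asserts the site operator is [Example Shop Ltd]
}
```

The same two functions run unchanged on a live chain taken from `tls.Conn.ConnectionState().PeerCertificates[0]`.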
At last I understand.
In God’s name we need to be rid of the whole concept of DV certs!
They seem inherently to be a conflict in terms.
They certify Joe ■■■■ forked out “X” amount of cash.
Not a ■■■■ thing more!
IF Comodo was the only one doing this, there would be a Comodo-specific issue.
This is an industry thing.
I would like to say something off topic but somehow related to this…
Mr. Melih, you should be prepared for more and more of such “behind the scenes” attacks; reciprocal to (FREE) CIS market share, more of those kinds of attacks will be provoked. You should expect anything until then, and only then, you put a $price on your free flagship product. Please don’t give up yet…
That’s right, I am afraid. What else can they do?
Here is a HIPS that is as quiet as any on the market.
An AV that is already ahead of industry regulars.
A benchmark firewall.
Low resource use, protection of mostly ignored areas of infection,
That is, as a whole, improving daily.
New angles of attack are the only option for detractors.
The cure is not information, but rather to somehow get more people to simply trial the suite.
(Of course it takes information to get that to happen also.)
Yep, dirty rhetoric will continue. Not only about CIS but also about Comodo. Pretty much any angle they can find, I suppose. Been like that on Wilders for months already… 88) 88) They criticise Melih, our community, all those who like Comodo (Comodo’s fans), CIS and A LOT MORE… Really low blows… They would NEVER EVER attack the community of another security product… It’s a witch hunt, really…
I apologize for not reading the whole thread… I tried, but it seemed more like X said this, Y said that, Z said they both lie… Then “misunderstandings”…
Bottom line, I understood nothing… I quit reading the rest.
So, I’d like to ask something:
Is COMODO (or any other CA) issuing certificates to malware domains? How? How is it possible? No background information is required, and no means of checking what sort of “business” a domain runs? If not, then what’s the purpose of certificates?
For the little knowledge I have, certificates certify, in this case, that the web site you’re at is the real deal?
I’ve found an interesting post in another forum regarding this topic, where I am not registered, but I do go there from time to time to check on the security board.
Basically what one user commented to another one sticking up for COMODO was a question:
So, what you're saying is that COMODO is certifying that the malware domain the user is at is the real deal, and not some bogus malware domain? Is that it?
Is that it? What’s the real use of certificates, if anyone - including bad people - can get them? There’s no use. Or am I missing something in this picture?