Comodo continues to issue certificates to known Malware

You already know, Melih. This whole thread is a statement.

I would mention the starting point, but apparently, that has been “done to death”.

Melih, why don’t you talk to these people direct? Better than this, surely.

Valuable insights could be gained by all. It couldn’t hurt, could it?

If a positive result came from it, the people who depend on all the security related folk, whatever avenue they walk, would benefit. That’s what everyone wants, right? That would be cool.

Honestly Data,

I am not quite understanding exactly what you are saying.
Can you pls clarify it for me? What could we do to improve? Straight plain English pls (I am suffering from jetlag :slight_smile: )


I think the COU thread explains this some… =]

They want Comodo to take a more proactive stance against malicious domains and they expect Comodo to react fast when a site is reported malicious. They actually do not seem ill-intended.

I think they feel like comodo is letting them down a little with the ask toolbar and due to various stuff. =/ Well best to read for yourself since some might be interesting feedback. =)

There are different viewpoints going on at different forums and message boards. In order to see the full picture you could talk to others who have the opposing viewpoint to yourself.

Might be productive, might not. It needs you, Melih, to take the first step.

Possibly, that could be a total opt-in policy. Worth trialling the idea, maybe?

I don’t have your responsibilities, Melih, but I hope there is no reason, why things couldn’t be worked out to some sort of amicable state, and the status quo be returned.

It’s people involved in other security aspects, not a competitor product. Like I said, all want the same thing.

With that I bid you good night.

See? The perfect ice breaker.

I understand.
But we acted as fast as we could? So I do not understand why they are saying we should react faster? They are under the false assumption that that msvp guy emailed us… He didn’t to my knowledge.

Also pls tell Donna, she doesn’t understand how SSL Certificate validation works (no disrespect intended). Identity of the domain owner is only validated by OV or EV certs. DV certs do NOT validate the owner of the domain (which is a big problem). And NO SSL cert validates the content of the website. Again DV certs do NOT validate/certify the identity of the owner (pls do tell her). Also pls do tell her we revoke any site who breaches our T&Cs and we revoke certs immediately like we did with today’s incident. Again pls tell her, as soon as we found out we revoked, we were not emailed by that guy to my knowledge.

I know she is ticked with ask issue, but she has to be fair and treat issues separately.



Sorry I really do not wish to be awkward at all but I really do not understand what you are saying :frowning:
Can anyone help pls?


Apparently some are explicitly encouraging everybody to not report such sites to Comodo. Such sites are claimed as known whereas it is unspecified if they are such before the certification. Nor is it possible to verify if other claims are facts or conjectures whenever individual viewpoints about responsible disclosure related topics may eventually differ.

What's the use of reporting to Comodo if they will ask the alerter on security/privacy issue to shut-up? And why give email address in the first place to report problems on certificates issued to known malware/rogue by Comodo?

Whenever somewhere else it is suggested that it would be fine to address the issue by pushing on Comodo alone, something should more reasonably be proposed as a standard for all DV-SSL certs of all CAs (if ever some advice would be actually feasible for DV-SSL certs), whereas it doesn’t apparently matter that focusing on Comodo alone is not going to solve the issue.


You made the following statement:

“Which means to me also of what you’ve describe. He claims that I and others is believing Mike have emailed them but he believe there is none.
Now after searching MVP Mike’s blog showing that they respond before to his reports, it simply show that Mike did not fail to report and that they acted before…”

You say we responded to MVP Mike before and he gave us kudos. So why would we not respond to him this time if he sent us an email? Your logic doesn’t make sense. If we responded before then we would respond again. And we did respond as soon as we were alerted but did NOT receive any emails from MVP Mike as far as I know.

Also Donna, you seem to be under the misunderstanding that CAs check the applicant’s website and its content when issuing DV certs. They do not! DV certs are automatically issued once money is paid to the domain holder.


Corrine made the following statement:

“Right or wrong, the implication to me is that perhaps more than an hour is needed in order to determine whether the requester is qualified to receive the Organizationally Validated (OV) SSL Certificate.”

As long as the applicant provides the necessary documentation it doesn’t take more than an hour of a validation expert to validate the documents provided. The reason why the process might take longer is if the applicant can’t provide the necessary documents. If validation took 3-7 days of someone’s time then it couldn’t have been priced at low hundreds of dollars.

Also Corrine, why are you talking about organisational validation certs in the first place?

The issue here is DV certs and the inherent vulnerability with them. The organisational validation certs were NOT used so I am at a loss as to why you are talking about this. I think you mixed the OV and DV certs and are now trying to clarify it. Let me help.

OV certs: You validate the applicant and the applicant must provide docs to prove who they say they are, and these are checked by validation experts.

DV certs: you pay and the cert gets issued to the domain holder with no docs, and it’s an automatic process with no human involvement, hence it can be done in minutes.

So malicious intent sites will go with DV certs cos

1) it’s quick
2) they have to provide no docs and no checks apart from checking to see if you have a domain name or not
3) cheaper (cos there is no human validation involved)

So again, I am at a total loss as to why you are talking about OV certs! :slight_smile:

But I am glad that all of you are attempting to discuss these issues as I have been trying to make people understand that DV certs should be banned from the face of ecommerce! You yourself got confused about DV/OV etc imagine how an end user feels about it…


At last I understand.
In God’s name we need to be rid of the whole concept of DV certs!
They seem inherently to be a conflict in terms.
They certify Joe ■■■■ forked out “X” amount of cash.
Not a ■■■■ thing more!
IF Comodo was the only one doing this, there would be a Comodo specific issue.
This is an industry thing.

Very much so!

I have been trying to establish at least minimum standards for DV certs so that they are not this vulnerable…Verisign and Godaddy are the biggest issuers of these DV certs…

I mean ask yourself, who does DV certs help?
Not the merchant… cos as more and more people realise they will lose business
not the end user… cos they are having false sense of security

Malware author… totally… now they can have access to yellow padlock very easily
Certificate authority… cos they make money from it…

I wish the industry listens to proposals we have put in the cabforum and improve the DV certs vulnerabilities!


I would like to say something off topic but somehow related to this…
Mr. Melih, you should be prepared for more and more of such “behind the scene” attacks, reciprocal to (FREE) CIS market share, more of those kind of attack will be provoked, you should expect anything until then and only then you put $price on your free flagship product, please don’t give up yet…

That’s right i am afraid. What else can they do?
Here is a HIPS that is as quiet as any on the market.
An AV that is already ahead of Industry regulars.
A benchmark firewall.
Low resource use, protection of mostly ignored areas of infection,
That is as a whole, improving daily.
New angles of attack are the only option for detractors.
The cure is not information, but rather to somehow get more people to simply trial the suite.
(Of course it takes information to get that to happen also.)

Yap dirty rhetoric will continue. Not only about CIS but also about Comodo. Pretty much any angle they can find I suppose. Been like that on wilders for months already… 88) 88) They criticise Melih, our community, all there who like Comodo (Comodo’s fans), CIS and A LOT MORE… Really low blows… They would NEVER EVER attack a community of another security product… It’s a witch hunt really…


Comodo is prevailing! Resistance is futile! :slight_smile:


I would agree to this. Much of this smacks of a dirty tricks campaign employing the “throw the spaghetti against the wall” tactic (to see what sticks).

I apologize for not reading the whole thread… I tried, but, it more seemed like X said this, Y said that, Z said they both lie… Then “misunderstandings”…

Bottom line, I understood nothing… I quit reading the rest.

So, I’d like to ask something:

Is COMODO (or any other CA) issuing certificates to malware domains? How? How is it possible? No background information is required, and no means of checking what sort of “business” a domain runs? If no, then what’s the purpose of certificates?

For the little knowledge I have, certificates certify, in this case, that the web site you’re at is the real deal?

I’ve found an interesting post in one other forum regarding this topic, where I am not registered, but I do go there from time to time to check on the security board.
Basically what one user commented to one other sticking for COMODO was a question:

So, what you're saying, is that, COMODO is certificating that the malware domain the user is at is the real deal, and not some bogus malware domain? Is that it?

Is that it? What’s the real use of certificates, if anyone - including bad people - can get them? There’s no use. Or am I missing something in this picture?

Edit: I’ve also found this thread here

Nowhere on that site is a COMODO certificate used, so it seems, from what those users say. No COMODO staff reply? What the heck?

I don’t think this has anything to do with FREE. It has to do with security, and with a security vendor issuing certificates to malware domains.

See the picture?

Believe me :o, free is major thorn in attackers eye…rest are minor which nobody will ever see if there is no FREE thorn…

When issuing DV certs no one checks the legitimacy of who owns the domain, never mind the content of the website.

That is the problem!
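
The DV/OV distinction argued over in this thread is visible in a certificate's subject fields. The following is an added example, not code from any poster or from Comodo: a heuristic classifier over the dict that Python's `ssl.SSLSocket.getpeercert()` returns, with constructed sample subjects. The function names and sample values are assumptions; the authoritative signal is the certificate-policies extension, which that dict does not expose.

```python
import socket
import ssl

# Subject attributes that appear only in EV certificates (getpeercert() names).
EV_ONLY = {"businessCategory", "jurisdictionCountryName", "serialNumber"}

def subject_attrs(cert):
    """Flatten getpeercert()'s nested subject tuples into one dict."""
    return {k: v for rdn in cert.get("subject", ()) for k, v in rdn}

def validation_level(cert):
    """Heuristic: a DV subject names no organization; EV adds registration data."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"
    if EV_ONLY.issubset(attrs):
        return "EV"
    return "OV"

def describe(cert):
    """Summarise what the certificate does and does not vouch for."""
    attrs = subject_attrs(cert)
    level = validation_level(cert)
    return {
        "level": level,
        "domain": attrs.get("commonName"),
        "organization": attrs.get("organizationName"),  # None for DV
        "owner_identity_checked": level != "DV",
        "site_content_checked": False,  # no certificate type certifies content
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch a live server certificate in getpeercert() form (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample subjects (not real certificates).
DV_SAMPLE = {"subject": ((("commonName", "shop.example.test"),),)}
OV_SAMPLE = {"subject": (
    (("countryName", "US"),),
    (("organizationName", "Example Widgets Inc"),),
    (("commonName", "www.example.test"),),
)}
EV_SAMPLE = {"subject": OV_SAMPLE["subject"] + (
    (("businessCategory", "Private Organization"),),
    (("jurisdictionCountryName", "US"),),
    (("serialNumber", "0000000"),),
)}
```

`describe(fetch_cert("host.example"))` applies the same check to a live site; a result of `"DV"` means only control of the domain name was verified.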