Comodo continues to issue certificates to known Malware

Thank you for your answer.

So, that means that COMODO is not part of the solution either. If the problem is “When issuing DV certs no one checks the legitimacy of who owns the domain, never mind the content of the website”, then neither does COMODO.

This whole thing about certificates that tell people they’re at the proper place is complete bllsht. (Sorry about the last word, but I can’t find any other that fits my thought.)

And, if “no one checks the legitimacy of who owns the domain, never mind the content of the website”, and that includes COMODO, I could just create a domain, get a certificate, let’s say from COMODO, make it look legitimate and distribute malware, rogue software etc., and visitors would be assured that the domain is perfectly safe because they’re seeing a COMODO certificate. This is making people believe in something that does not correspond to reality. It’s leading them to a false sense of security.

And, how can a CA issue a certificate to someone running some “business” without having any background information about what the domain is for? This makes me wonder, and I’ve seen proof of it before, whether we’re still going to witness malware/rogue software making use of digital certificates from well-known CAs.

Bottom line, you folks (CAs, and not just COMODO) are not part of the solution, rather part of the problem, because you’re misleading people. You make them believe that everyone/anything running your certificates has nothing but good intentions, when that is not the case.

People see a domain running a well-known CA certificate and they assume it’s safe, because they have no idea the people behind malware domains can also get them. The same applies to malware.

So, rather than saying…

… how about you start to become part of the solution?

Let us say you want to open a convenience store, but are morally opposed to selling alcohol. If you are in a “wet” area, you are going to have a real problem staying in business. Of course you can open your store in a “dry” area and be on a level playing field. The entire Security Certs Industry is “DV Cert wet”. Tobacco is an even better analogy, it just goes with the territory. If you are an honorable person in this case, you simply have to do your best to see that existing laws are enforced, such as no sales to minors, etc. Or lobby for prohibition. Back to the tobacco once more. You can’t build a safer cigarette; it is possible to beef up the legitimacy of even DV certs, but as you said, it is a “CA folks” issue.

Really though, when it comes to rogue sites, just look at them. They have the Microsoft logo all over them. They have stuff like “100 cow award from Tucows”. “CNET.Com voted best software of the century”. “Founding Member of Internet Better Business Bureau”. “10% of every purchase goes to Save The Children”. It is as fake as a three dollar bill, but it looks good, and is apt to influence most people more than a little gold lock.

:-TU The only sensible thing I’ve seen since I logged out yesterday.

Let us say you want to open a convenience store, but are morally opposed to selling alcohol. If you are in a "wet" area, you are going to have a real problem staying in business. Of course you can open your store in a "dry" area and be on a level playing field. The entire Security Certs Industry is "DV Cert wet". Tobacco is an even better analogy, it just goes with the territory. If you are an honorable person in this case, you simply have to do your best to see that existing laws are enforced, such as no sales to minors, etc. Or lobby for prohibition. Back to the tobacco once more. You can't build a safer cigarette; it is possible to beef up the legitimacy of even DV certs, but as you said, it is a "CA folks" issue.
No comparison, though I believe you could make a safer cigarette, but it would cost more. It would be a choice of the cheaper "kill you sooner" product, or the more expensive, but far safer product.

Of course, you could always present the cheaper brand as the safe one with a little work. Make a few quid at others’ expense?

Really though, when it comes to rogue sites, just look at them. They have the Microsoft logo all over them. They have stuff like "100 cow award from Tucows". "CNET.Com voted best software of the century". "Founding Member of Internet Better Business Bureau". "10% of every purchase goes to Save The Children". It is as fake as a three dollar bill, but it looks good, and is apt to influence most people more than a little gold lock.
That's plain ridiculous.

I have! Since 2005…

Knowing that the yellow padlock is misleading… I helped create the Green Bar as the new trust indicator, EV SSL.
And now I am trying to get a minimum standard for DV certs.

But it’s not about me… I need all the browser providers to accept a minimum standard for DV certs, and all other CAs too… by all means, do come and help me with this initiative by demanding this from your browser providers!

But I am glad that, at last, our end users are waking up to the False Sense of Security that DV is… (I have been saying it for long enough ;))

Melih

But, if COMODO is trying to do that, then how come malware domains are displaying your own certificates to make people believe it’s a safe domain? I’m lost here… Or is this the fault of browsers as well?

From what you said previously, no one really cares to whom they’re issuing certificates. So, the problem is within the CAs in the first place. You can’t expect something to change unless the ones issuing the certificates change the way they do business. And that also includes COMODO.

Because I’d like to ask this: Were/Are these malware domains displaying fake COMODO certificates? If yes, then COMODO needs to do something about it (just like the example I mentioned before in this thread, which I have no idea where that domain will lead me, and I won’t even try to check - https://forums.comodo.com/digital_certificates_encryption_and_digital_signing/is_this_for_real-t38305.0.html

Is that domain still displaying a COMODO certification logo misleading people to believe that domain is certified by COMODO, hence safe? Did COMODO do something about it? I see no replies from you guys over that thread.)

And, if the malware domains are not displaying fake certificates from COMODO, then COMODO sold them to them (malware folks). How can this be happening? Is this a problem with browsers, or how others do business, or a problem with the way COMODO does business?

As I said, COMODO also isn’t being part of the solution. COMODO is selling certificates to the malware folks.

We, end users, depend on you, security vendors, to protect us. What do you do? You’re accomplices with them. You’re helping them, and not us.

Browser people are not issuing certificates to bad people, you CA people are. You need to stop doing so. Don’t see this just as plain business. Consider that your actions may seriously harm innocent people.

I’m lost here too. Is it a witch-hunt? If so, it is not the fault of Comodo either.

Are you implying that it would be a solution for Comodo to stop providing DV-SSL certs?
Does it mean that if only Comodo were to raise its DV-SSL standards (thus raising internal costs), this is going to solve anything?

What does it actually mean for Comodo to be part of the solution?

And how much should Comodo be the sacrificial lamb while being only marginally part of the problem?

As DV-SSL implies that trust has already been established and entity verification (for identity assurance) is not needed, would Internet browsers be able to help provide such information to end users in an easier and more visible fashion? If so, does this mean browsers are both part of the problem and part of the solution?

That site’s selling frontend got a VeriSign Class 3 Extended Validation SSL CA, VeriSign, Inc.

EV-SSL has even higher standards than DV-SSL.
Is that domain a malware domain? If so, why has no security expert written about it?

Are malware folks identifiable before they create a site?
Do people actually have to rely on DV-SSL certs for anything other than trusting that the connection is encrypted?

So end users who are financing them are accomplices themselves. They are helping malware folks, not us. Are they both part of the problem and part of the solution?

If Comodo stops providing DV-SSL certificates, will this actually stop such innocent victims from being led to believe that this is going to solve anything?

Will this stop new DV-SSL certs from being issued?
Will this lead them to not imply that DV-SSL authenticates vendors?
Will this lead them to verify that there are different SSL certs with different levels of trust?
Will this prevent some people from misinforming end users by providing incorrect information, and others from spreading FUD about Comodo?

DV-SSL ensures an encrypted, secure transaction, and this ought to be fine if the end user already trusts the vendor, but it would not be fine to trust a vendor because the transaction is encrypted and secure.

In order to avoid repeating, I would refer you to my previous posts where I have answered all your questions.

I think you have to understand

1) how DV SSL issuance works
2) what it takes to improve standards on DV certs… (one CA stopping issuance will not stop the others from issuing)
3) why browsers are allowing CA root keys that issue DV certs in their browsers
4) what standards exist for issuing SSL certificates (yellow padlock)
5) why VeriSign or GoDaddy (biggest issuers of DV) should stop issuing DV certs just because Comodo stopped
6) if Comodo should stop issuing DV certs, where would customers go, and would they be better educated about the pitfalls of DV through other vendors? (you need to check www.positivessl.com to see how Comodo sells DV and how Comodo explains DV)

So that you can fully appreciate what we are doing.

Melih

Sorry, all that is too technical for me. When I first posted in this thread, I did it as a concerned user of the Internet. I browse daily and for a few hours a day, with breaks.

I find it quite worrying that malware creators can go ahead and get certificates for their malware domains, and most people won’t even be aware of what is hitting them.

Instead of asking me to tell the browser people to do whatever you think they should, go ahead and explain your view to them.

But, from the view of a casual user like myself, I don’t understand and can’t believe how easy it is for malware folks to have legitimate (as in people believing it is a legitimate domain) ways of causing harm to people, just because no one cares enough about to whom and for what those certificates are meant.

5) why VeriSign or GoDaddy (biggest issuers of DV) should stop issuing DV certs just because Comodo stopped

So, just because others make it easy for people with bad intentions to get certificates, COMODO does the same? Maybe if one takes the lead, others would follow? Maybe not… I have no idea. I guess this is all a business at the end of the day.

6) if Comodo should stop issuing DV certs, where would customers go, and would they be better educated about the pitfalls of DV through other vendors? (you need to check www.positivessl.com to see how Comodo sells DV and how Comodo explains DV)

You talk as if I said COMODO should stop issuing DV certificates… I never said that… Not for COMODO or any other CA.
There’s a fine line between that and having background information on whom the DV certificate goes to. Because from what I understand, there’s no background information whatsoever. Anybody can get one, no matter what that domain is for.

Does it (www.positivessl.com) explain how easy it is for people with bad intentions to get them?

Anyway, just as I mentioned previously, certificates mean nothing at all, if anyone can get them for whatever purpose. Having a certificate doesn’t mean a domain is safe (as in with good intentions), at all.

Well, over and out. I’ve had enough.

Thanks for your explanations.

I have explained my view to browser people.

Unfortunately it is easy for malware authors and phishers to get DV certs.

I have explained why Comodo does it in my previous post, please check it.

You are right. To get a DV cert all you need is a domain name and $15…and no background check about your identity is required. The whole process is automatic :frowning:

That is why I founded www.cabforum.org, which resulted in EV SSL certificates. It has very high standards and doesn’t have the same flaws as DV certs. Now all major browsers are promoting this technology.

The current state of the market is very sad due to DV certs, however I am glad that it is getting user attention now and people are realising how vulnerable it is. We need to educate everyone about why we should improve DV Certs.

Melih

All the DV Cert does is say this domain name is valid. It does nothing to verify or validate the contents.
Why was it created, since it is really a worthless cert?

There were no standards for SSL certificate issuance.
In 2001 GeoTrust decided to issue certificates without validating the applicant. That’s how DV certs were born… (unfortunately).

Now thanks to cabforum, we introduced a new kind of SSL cert called EV cert that has a standard and new trust indicator (Green bar).

Melih

This is bad; concerns without information lead to FUD.

If end users are not going to care about anything other than a padlock, then in order to acknowledge the request to take the lead, Comodo ought to quit issuing DV-SSL until new standards are made available; until then, scanning the whole web a few hours daily will help the remaining CAs provide better DV-SSL by alerting them if a site turns out rogue, and eventually taking the blame if such sites are not blacklisted a few milliseconds after a mere picture is hosted.

The most difficult part would be to eventually improve further the background info gathering and make DV-SSL even better than EV-SSL so people will get to know more background info.

After such efforts people will follow suit and check whether their friends have a padlock on their foreheads to confirm that the trust they already conceded was appropriate, since knowing them was not enough.

I don’t see how Comodo can just stop selling DV certs without the other CAs doing the same. Anything else would be irrational… seriously. Comodo can’t send their clients to other CAs to buy DV certs. Aside from being highly embarrassing, it could be very damaging. Comodo are doing what they can… and they’ve been doing it for quite a while I believe (this actual issue).

The padlock obviously needs an upgrade IMHO.

DV-SSL (Domain Validated SSL) certs are not meant to establish trust in the vendor, but trust that the connection with a recipient is encrypted.

The risk of providing DV-SSL certs to parties which later turn out to be untrustworthy is the same for all CAs, whereas it is easy to focus on each of those events and leverage misinformation to spread FUD.

If end users are not going to acknowledge what DV-SSL is meant for and trust DV-SSL more than would be reasonable, any efforts to improve DV-SSL carried out by Comodo alone will only worsen the overall situation by implicitly promoting DV-SSL in a market where the majority of DV-SSL certs are sold by other CAs.

If Comodo alone were to improve DV-SSL certs (thus raising internal costs), this will not affect the majority of DV-SSL certs around, other than to increase the confusion about the inherent value of such certs.

If Comodo alone were to improve DV-SSL, these efforts would damage Comodo and end users as well.

DV-SSL likely provides the same authentication info as a train ticket, whereas EV-SSL provides the same authentication info as a passport.

For many it ought to be obvious that a train ticket does not provide the same authentication as a passport.

When somebody travels on a train, s/he will not trust somebody to be who s/he claims to be just by looking at that person’s ticket.

In case of unlucky events, how much is the ticket vendor part of the problem?
Do train tickets bear some note stating that they can only be used to assume that their bearer can travel on a train?

AFAIK, when looking at DV-SSL certs by clicking on the padlock, the information provided usually points out that the connection is encrypted (and not much more), whereas EV-SSL points out that the connection is encrypted and the site owner was authenticated.

Besides, it is not that encryption alone has no use at all.
E.g.: GSM voice communications are encrypted, but people don’t inherently trust the recipient because of the encryption.

(Above picture grabbed from Internet Explorer 8 Help)

Other than the ones who wrote about the recent issue, was any real end user actually affected, or is this a discussion of potential misuses of encryption-only connections?

If end users are supposed to care (along with those who made a big fuss about this) but not to be informed, then the only solution is to remove all DV-SSL certs from Internet browsers.

This ought to trigger a popup for DV-SSL, so each user can then decide to access a website using an encrypted connection without authenticating the website owner (hoping this happens because end users already trust the website and its owner).

Apparently many security experts are way more interested in focusing on Comodo alone than in providing enough information about DV-SSL to their readers and explaining to them how to configure their browser to get an alert for DV-SSL certs from ANY CA.

After much has been said and done, such security experts have yet to inform end users how to better configure their browsers, whereas it would be expected, considering how much passion they put into this issue, since the solution will not affect Comodo alone but end users as well.


We have been building Verification Engine for the last few years to warn about DV certificates.

If Verification Engine sees a DV cert (no matter from which vendor), it will alert the user about it! Once again Comodo is trying to protect the end users from the perils of vulnerable DV certificates.

Melih
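The check described in this post and in the earlier "train ticket vs passport" post (warn when a certificate is only domain-validated, i.e. proves control of a name but identifies no organisation), as an added example that is not code from the thread or from Comodo's Verification Engine. It classifies a certificate from its Subject attributes in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns; the attribute names are the OpenSSL long names Python emits, and the two sample certificates are constructed, not real.

```python
# Added example: classify a server certificate as DV / OV / EV from the Subject fields
# in the dict shape returned by ssl.SSLSocket.getpeercert(), and produce the kind of
# warning the thread argues the padlock should carry. Sample data below is constructed.
from typing import Dict, Tuple

# An EV subject must identify a legal entity: name, registration number, category
# and the jurisdiction of incorporation. A DV subject carries only the domain name.
EV_REQUIRED = {"organizationName", "businessCategory", "serialNumber"}
JURISDICTION = {"jurisdictionCountryName", "jurisdictionStateOrProvinceName",
                "jurisdictionLocalityName"}


def subject_attrs(cert: dict) -> Dict[str, str]:
    """Flatten the nested RDN tuples of getpeercert()['subject'] into a flat dict."""
    return {name: value for rdn in cert.get("subject", ()) for name, value in rdn}


def validation_level(cert: dict) -> str:
    """Return 'DV', 'OV' or 'EV' depending on which identity fields the subject has."""
    attrs = subject_attrs(cert)
    if "organizationName" not in attrs:
        return "DV"   # only domain control was checked; no organisation identity at all
    if EV_REQUIRED.issubset(attrs) and JURISDICTION.intersection(attrs):
        return "EV"   # legal entity, registration number and jurisdiction all present
    return "OV"       # organisation named, but without the EV entity fields


def padlock_message(cert: dict) -> Tuple[str, str]:
    """(level, text): what an honest padlock tooltip would say for this certificate."""
    level = validation_level(cert)
    if level == "DV":
        return level, ("Connection is encrypted, but the site operator was NOT "
                       "identified; the certificate only proves control of the domain.")
    org = subject_attrs(cert)["organizationName"]
    return level, f"Connection is encrypted and the site is operated by {org}."


# Constructed sample data mirroring getpeercert() output (not real certificates).
DV_CERT = {
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"), ("DNS", "www.shop.example.net")),
    "issuer": ((("organizationName", "Example DV Issuer"),),),
}
EV_CERT = {
    "subject": ((("jurisdictionCountryName", "US"),),
                (("businessCategory", "Private Organization"),),
                (("serialNumber", "1234567"),),
                (("countryName", "US"),),
                (("organizationName", "Example Bank, Inc."),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ((("organizationName", "Example EV Issuer"),),),
}

if __name__ == "__main__":
    for cert in (DV_CERT, EV_CERT):
        print(*padlock_message(cert))
```

On a live connection, pass `sock.getpeercert()` from an `ssl`-wrapped socket in place of the constructed dicts.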

How VerificationEngine provides feedback on High Assurance and Low Assurance SSL

Indeed, this would be another solution, although I guess some security experts who may also dislike toolbars are not going to inform anybody about it. :frowning:

VE is not a toolbar, just simply a browser plugin.

I see. So I guess this information will eventually be provided on the other sites which addressed DV-SSL related issues as well. :-TU

Let’s hope everyone who was concerned about DV certs can now use and promote Verification Engine, so that end users can be armed with a tool that would alert them about DV certificates.

I thank the original poster for giving us a platform to once again raise this vulnerability with DV certs.

Melih