Comodo providing ssl certificates to online spammers ???

hey guys, you’re fine over there ??? just found

Better wait for Melih to have a look at this :P0l

;D sounds like Verisign is doing well too, together with Comodo already at the time :smiley:

Comodo is not the only one doing this. All CA’s are involved. Domain Validation Certs can NOT be verified… So malware people will continue to have access to such certs…

Comodo is educating though for people to get Extended Validation Certificate - Because its these certs, validation occurs.

Check out here:


interesting link on CCSS thanks :wink:

its very irresponsible of them to have the time to write a blog but NOT inform Comodo.


Thank GOD your still here Melih :P0l and how would you prevent this problem from happening :cry: what IF most people would never reported to Comodo like this as example.

thats the problem with DV certificates

If you look at SSL Market Share you will see that Godaddy and Verisign (Thawte and Geotrust) are the biggest offenders of these kind of certificates!

This DV certificates should not exist! Its a discussion we discussed to death last time around :)…bottom line is: it is not the company thats flawed, its the product…and lack of standards for this type of certificate…combined with greed and shortsighted short term gain desire by few companies keeps this product line going. Sad situation where end users lose! This is why we built Comodo Dragon to alert the user when it comes accross a DV certificate no matter who from.

But these people who reported this are our old friends whose interest to discredit Comodo at any cost to serve their bosses. They like only reporting about Comodo no matter how small…and never report about others no matter how big :slight_smile: Go figure :).


I came across this tonight at the Malwarebytes forum. Nothing can be perfect though, nothings 100%. You folks at Comodo are doing a great job though and it only takes a visit to this forum to see that.

The difficulty is what you could expect anyone to do about it.
Even if they supplied a business verified certificate - that only verifies the business you are dealing with is the one you think you are dealing with.

Since that business would doubtlessly be registered in some far off country with no legal agreement to yours, you’d still be out of luck, and they would still be following the procedures expected.

Besides, if I hacked a perfectly legitimate business, put a trojan on their website, and spammed links to that trojan, you could well find yourself being infected by an EV validated site, through no fault of Comodo’s. At the end of the day, spam and viruses will always be the problems of spam filters and virus scanners.

Sadly, certificate validation - particularly EV validation, remains a complete joke.

I have no idea about other territories, but you certainly can’t obtain EV validation in the UK, unless you are an incorporated company. Despite your business being valid, longstanding, and entirely verifiable (even though COMODO offer you a free upgrade to EV, which they won’t then provide, after annoyingly going to the trouble of jumping through the various hoops that validation entails, and wasting my valuable time).

If your bank are happy that you are a valid company, HM revenue and Customs (i.e. the government) are happy the business is verifiable, and you pay your VAT and Taxes, have a VAT number, have been trading for many years (longer in fact than the company who are offering you an EV certificate in the first place), apparently it’s still not enough. Unless you are on some worthless database, you can’t have EV.

I could very easily buy a ready made UK limited company off the shelf for about $25 (Google ‘uk limited company’), which would then appear on the companies house database, and immediately and fully comply with the EV requirements and would presumably be granted an EV certificate. $5 to register a domain, set up a website, and maybe a few dollars more for hosting. A very secure validation system indeed.

Strangely enough, I brought this exact thing up in 2008 -

We were actually offered a free upgrade last week, and I was stupid enough to think that the process may have changed in the meantime, or at least evolved somewhat. I should have known better.

Nice to know the system has progressed.

Then do it?

I am NO expert on EV, but I do believe you need to be “incorporated” for at least 3 years.

You may read the guidelines here: /

The point is that I shouldn’t have to do it. By having ways around the validation process, then it just shows that the cabforum guidelines are flawed.

Tell me why, if the UK Government are happy to collect VAT from a company, issue a VAT number, a Bank issue a business bank account and so on, and the company has a verifiable address, then apart from some ■■■■■■ policy document devised by people who have no idea how non-corporate businesses operate, why they shouldn’t qualify for an EV certificate?

Incorporation or not shouldn’t make a blind bit of difference. Comodo are quite happy to offer $250,000 insurance that we are who we say we are, and that we are a trading entity where the Corner of Trust and our SSL certificate is involved, however it doesn’t count where EV validation is concerned. Simply because we are not on some government database, which you can get on without any validation, and in reality just makes it easier for Comodo and their ilk to check up on a company quickly and easily rather than actually have to do the work and validate them properly, an EV cert can’t be issued.

As Comodo, and presumably the other providers, will be furiously pushing EV certs, it will put millions of legitimate unincorporated businesses all over the world at a competitive disadvantage when Joe Public doesn’t see the essentially worthless shiny green bar in their browser, panics that the company is somehow not legitimate, and places their business elsewhere.