Comodo rejects PositiveSSL order because it has the word "malware" in the name

I just had an order for a Namecheap Comodo PositiveSSL cert rejected because it had the word “malware” in the name. The domain name is malwareman.com and it’s going to be for a malware removal service.

The reason given is so dumb I literally don’t even know what to say.

Can someone from Comodo please address this on the forums and/or talk some sanity into the ‘escalation team’?

Hi

I don’t think the forum is the place to get an answer.

I would suggest you Submit a Ticket and ask for it to be escalated:

https://support.comodo.com

Or, contact Sales, click Contact Us:

Garry

I’m bringing this to the forum precisely because the answer I got from submitting the support ticket was obtuse and idiotic.

In short, I had to wait several days to receive an eventual rejection by the ‘escalation team’ after it completed ‘brand validation’ because the domain name contained the keyword ‘malware’.

When I pressed for more details, the verbatim reply in the ticket was “we do not issue certificate to brand names.”

So apparently the escalation team considers the term ‘malware’ to be a ‘brand name’…WTF?!!

I sent a reply in the ticket asking for the supporting facts and evidence behind this decision, asking specifically:

  1. Since when did ‘malware’ become a brand name?

  2. Who owns the rights to it?

  3. Where is the actual evidence that this is a trademarked or copyrighted word?

Hi

How did you get on with resolving this issue?

Have you asked for the ticket to be escalated to the Validation Manager?
Or, contacted Sales for assistance?

Garry

So far there is no response to my reply in support ticket #KZD-764-76827 challenging the rejection with the questions above.

To the best of my knowledge the ticket was escalated to the validation manager, that is who handed down the rejection.

Here’s a quote from the ticket

We regret to inform you that your order has been rejected by our escalation team, since your order has a keyword "malware". We request you to kindly contact your re-seller to get refunds for your order.

Hi

I know that some SSL certificates may not be issued, i.e. those containing part of a brand name.

In your case, from the info you have provided on this forum, I too do not understand why your order is blocked.

I will PM the CEO to see if he can get the Validation Manager to reply in this forum.

Garry

I appreciate the offer to PM the CEO.

I have yet to receive a response to the Comodo support ticket referenced above.

What bothers me is that Comodo SSL support’s story keeps changing.

First it was ‘your order is kept under review for brand validation’, then 'your domain name has “Malware” which is common name for threat in internet ,so the order is under review ’ then it’s ‘your order has been rejected by our escalation team, since your order has a keyword “malware”’.

Then when pressed for the details (i.e. the facts) behind the decision, I am met with no response whatsoever.

I even called in to find out more and was told I’d be contacted by the brand validation manager but have yet to hear back.

Hi

I PM’d the CEO, he told me he has asked the validation manager to reply to your issue here.

I am surprised you are still waiting for a reply.

Garry

It’s been almost 2 1/2 weeks with no answer to my last response to the support ticket, and almost two weeks with no response or PM via the forums. I am taking my business elsewhere.

Let this experience serve as a warning to others considering Comodo as their TLS/SSL Certificate provider. If there’s a problem with your order, do not expect much in the way of customer service or straight dealing with regards to the facts behind any rejection decision.

If you’re seriously considering providing malware removal services, do not go with a low assurance certificate as these certificates are only validated by demonstrating control over the domain. Low assurance certificates are unfortunately the de-facto standard for certificates preferred by scam artists. (as they’re easy to obtain) I’d personally recommend that if you’re offering such a service that you obtain a “green bar” (EV certificate) as these are “harder” to get and customers have more confidence in your services if they’re able to see a visual indicator directly in their browser of choice that their information is transmitted “securely”.
Edited link. – JoWa

Hi

If the customer wanted a PositiveSSL certificate he should be able to obtain one.

The type of business is still going to be the same whether it’s a low or high assurance certificate.

Yes, the validation process is not the same, but the business is.

So, how could this customer assure you that their business and business practice will be legitimate?
Your reply may assist this, and future, customers.

Garry

I can’t really follow the logic of that recommendation. He’s posting about the fact the standard cert is too hard to get (ie impossible). Why would the resolution be to get a “harder” one?

sysfu, I’ve had exactly this situation a few days ago with a completely ordinary sounding domain (nothing to do with malware). I started a “Live Chat” and asked how to arrange a refund, and they responded by saying “The certification has been issued!!!”, and it was. They still couldn’t answer anything about why I regularly have certificates issued immediately, and others just go on this permanent validation hold.

PositiveSSL certificates are not “standard” certificates. They’re the lowest assurance certificate one can obtain as all that is required is someone demonstrates reasonable control over a domain. Sadly, these types of certificates are preferred by those who have malicious intentions and thus tarnishing the reputation of everyone else trying to use them for legitimate purposes. These low-assurance certificates are scrutinized heavily, by a human, before the certificate can be issued since the threat of maliciousness is high. Our other certificate types also undergo this same scrutiny so we’re not being selective in what we do but there are other checks we do (for them) such as calling a verified number or have their lawyer submit something in writing with a further followup with the BAR association in their area to ensure they’re able to practice law. The rules are stricter as the “Validation Level” goes up… DV → OV → EV (Domain, Organization, Extended)

No certificate ever gets stuck in a “permanent validation hold” rather sometimes certificates DO get temporarily stuck for manual human review.

If a certificate is ever stuck for longer than 24 hours and you haven’t heard from us, for whatever reason, then please reach out to us. We are very accessible as we have Chat, Phone and Email Support available and ready to assist customers 24/7/365.

P.S. Sorry for the late reply.

PositiveSSL certificates are standard certificates and allow the owner to provide an https session like any other certificate does, only the validation process changes.

So, if the requester just has to prove “reasonable control over a domain”, which the customer could, why would the person who started this original post be denied the certificate?
All you appear to be going on is the name malware in the domain name.
That’s why it was trapped by the Brand Validation system.

You also say “These low-assurance certificates are scrutinized heavily” which is not correct as you already said “all that is required is someone demonstrates reasonable control over a domain”.

One of my previous questions asked what could this customer have provided to assure you they are a legitimate company and not one of the malicious ones?

I’ll agree to disagree here because by and large the vast majority of certificates in existence today are not the low-assurance class of certificates like PositiveSSL; rather, they’re business or organization validated. It should go without saying that all of our digital certificates conform to industry standard regulation and requirements. (e.g. CA Browser Forum; cabforum.org, x509v3 compliant)

According to our Certificate Practice Statement

Comodo does check subject names against a limited number of trade marks and brand names which are perceived to be of high value. A match between a part of the subject name and one of these high value names triggers a more careful examination of the subject name and Applicant

Since “malware” is a “big thing” in this day and age, it was flagged for human review. To me, the site in question ‘malwareman.com’ looks quite shady even though it’s not intended to be and it has a Domain Validated certificate (From RapidSSL; :o ) and I know the vast majority of sites with this kind of certificate and offering such a service are not legit and are badware/scareware operations. I would not feel comfortable in using/buying such a service on the Internet today.

How is that not correct? We scrutinize ALL certificates prior to their issuance and since all that’s required to receive a low-assurance certificate, like a PositiveSSL, is to demonstrate reasonable control over the domain. They get looked at a lot more closely due to their validation level and they’re often used in cases of malicious activities such as fraud. As far as I can see, the site in question is extremely basic and just reeks of potential malicious activity. I realize that may not be the site’s operator’s intention but it makes me feel a little uneasy in just visiting the site. This is why we had to reject the order. We will not willingly put users at risk for malicious activity such as fraud. We are in business to assure the end-user that they should feel safe in doing business with the website based on our reputation as an Authority.

I guess you could liken this to providing a driver’s license to someone who has NEVER driven a vehicle before but an authority hands them a license anyway because they can show they own a motor vehicle and without proving they have the knowledge to drive a vehicle or know the rules required to drive a vehicle. Honestly, wouldn’t you feel uneasy driving with such an individual or individuals on the road? I know I would. I would expect everyone driving today has demonstrated to an authority at one point or another… 1) They are who they say they are 2) They have passed both a written and driven exam.

One of my previous questions asked what could this customer have provided to assure you they are a legitimate company and not one of the malicious ones?

For this specific customer, I would hope in order to prove legitimacy in this arena of obtaining a digital certificate, the user would be BEST served by obtaining an EV certificate, as I had previously advised, instead of lumping themselves with those who use this class of certificates for malicious activity. This would prove to his/her customers they are a licensed company, they’ve satisfied an authority that they are who they say they are and in addition to all of that, the browser they’re using will show a green visual indicator in the address bar to signal to the user it’s safe to use the site.

Now, here comes the slightly tricky part… With low-assurance certificates, there is no insurance or warranty to end-users for those that were duped into providing money to an illegitimate site for Comodo’s failure to properly validate the owner. However, with high-assurance certificates such as EV, there is. This can be found here: SSL Relying Party Warranty

TL;DR version… EV certificates are the way to go if you are in eCommerce on the public Internet where you have a need for secure TLS transactions for sensitive data.

P.S. I realize this all was a bit long winded so please let me know if this still doesn’t answer the question(s) at hand!

Hi

Whilst I understand your points I cannot agree with pushing EV certificates to a customer who wants/wanted a PositiveSSL…Might have been better to push the InstantSSL offering.

So, I’m leaving it there :-TU

Garry

Well, I want to put diesel fuel in my gas-only engine. Just because someone WANTS to do something doesn’t always make it the BEST and most appropriate solution let alone correct. >:-D :stuck_out_tongue:

Similarly, I had a long response to this thread written, but it’s not hard to see what’s wrong with most of the statements made without anyone needing to say it.

I am having the same problem with Hostgator. With their business plan we get a free SSL. Last year they were using RapidSSL and it was no problem getting one for my site bank-scan.com. Now they switched to Comodo and I am being rejected because of the word “bank”. Is there any way we can inject some common sense and judgement into this process? My site sells software to create spreadsheets out of financial documents from places like…banks! The FBI, DEA, US Secret Service, etc…use it for G…sakes. But your validation team just sees the word “bank” and issues a curt rejection?

This will stop being an issue shortly. Assuming Comodo adopt upcoming standards, there won’t be any room for humans to get in the way of issuance.