Dragon and Let's Encrypt

I have noticed that COMODO Dragon is marking all sites secured with Let’s Encrypt certs as not secure. Even on this site right now it says “Your connection is not fully secure”. Most other certificates seem fine, just COMODO-issued and Let’s Encrypt-issued certs. I have attached the screenshots below. Google Chrome has no issues with these certificates. I have checked all the settings that I can find between the two browsers and still cannot get Dragon to say that it is secure. Am I missing something?

For as long as I can remember, Comodo Dragon (& IceDragon) have always degraded the UI for DV certificates. Let’s Encrypt exclusively verifies that the requester has reasonable control over the domain. They do a poor job at responding to revocation requests for clear phishing/malware related sites and feel it’s not the CA’s job to “police” content even when reported to them. This alone is enough to deem them untrustworthy and thus “not secure”. Notice how LE uses an EV cert for their main site(s)? :wink:

The documentation on Dragon is still on version 52 (Dragon is on version 57 at the moment) but here’s a little about the UI indicators for sites using Dragon:

SSL Certificates and Secure Connections (via help.comodo.com)

Now, as far as the Comodo forums go, that indicator is shown when a site has mixed content (HTTP & HTTPS) on an HTTPS page. All resources (scripts, images, objects, etc.) are supposed to be HTTPS on an HTTPS page. There is likely a poorly referenced image somewhere within the page you’re viewing that generates the warning. The “Console” section of Dragon/Chrome’s “Developer Tools” is a great way to discover the likely culprit(s) on any site where you encounter the indicator.
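As an added example (not code from the original thread or from Comodo), a small stdlib-only Python scanner for the mixed-content condition described above: it parses a page that was served over https:// and lists subresources referenced over plain http://, the same findings the Developer Tools console would flag. The tag table, the sample HTML and the hostnames are constructed for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch a subresource. Scripts, stylesheets,
# frames and plugins are "active" mixed content (Chromium blocks them outright);
# images and media are "passive" (loaded, but the page loses its secure indicator).
SUBRESOURCE_ATTRS = {
    "script": ("src",), "link": ("href",), "iframe": ("src",),
    "object": ("data",), "embed": ("src",), "img": ("src",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}
ACTIVE_TAGS = {"script", "link", "iframe", "object", "embed"}


class MixedContentFinder(HTMLParser):
    """Collects (tag, absolute_url, kind) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in SUBRESOURCE_ATTRS.get(tag, ()):
                # Resolve relative and protocol-relative ("//host/x") references
                # against the page URL so only genuinely plain-http ones are reported.
                url = urljoin(self.page_url, value.strip())
                if urlsplit(url).scheme == "http":
                    kind = "active" if tag in ACTIVE_TAGS else "passive"
                    self.findings.append((tag, url, kind))


def find_mixed_content(page_url, html):
    """Return the http:// subresources of an https:// page (empty for http pages)."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only a concept on secure pages
    parser = MixedContentFinder(page_url)
    parser.feed(html)
    return parser.findings


# Constructed sample page: one active and one passive offender, one protocol-relative
# reference (fine on https) and a plain <a> link (navigation, not a subresource).
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="https://cdn.example/site.css">
<script src="http://cdn.example/analytics.js"></script>
</head><body>
<img src="//cdn.example/logo.png">
<img src="http://img.example/banner.png">
<a href="http://other.example/">link</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind in find_mixed_content("https://forum.example/t/1", SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> loads {url}")
```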

I do see your points. I see IceDragon warns that the cert is DV, however it still gives the green light for a secure connection on the same sites that CD says are not secure. I guess my main question is: if the site is HTTPS and the certificate is valid, that makes the connection secure, correct? It does not necessarily mean the site is “safe” or “clean”, so a warning saying that the connection is secure, but at the lowest level of verification, I could understand, such as what IceDragon is showing, not the full-on HTTPS:// warning that CD is throwing. Just trying to figure out why one is saying one thing and the other something different.

I agree the degraded UX that Comodo has implemented could be a lot better in both browsers. Until official documentation is released I can only speculate what it might mean. For all I know it could be a bug. I do know that between v52 and v57 Chromium changed its own core way of showing secure/not secure pages (I think it was Chromium 56 or 57), and Let’s Encrypt certs could be hitting such a condition as to trigger the Not Secure rating, but I honestly don’t know as I am not a Dragon developer.

Personally, I am leery of any site protected by a DV cert and even more leery if the issuer is Let’s Encrypt.

I too would love to see some updated documentation on CD and some of the other “side projects”; some of the things COMODO was working on had a lot of potential, but sadly they have been abandoned. I am afraid the browsers may see the same fate.
!ot! I’m a Director of Technology for a school district; we use COMODO One with endpoint security. If CD was polished, documented and properly maintained (not saying it isn’t) I would replace Google Chrome on the endpoints with it due to the extra privacy natively built in.

It is OV, from their partner IdenTrust. Notice how Comodo uses EV for their sites, and issues mostly DV certificates.

Confirmed with Dragon 58.

What are users supposed to do with this? The connection to tens of millions of sites is marked as “not secure”, with an indicator that means “Proceed with caution. Something is severely wrong with the privacy of this site’s connection. Someone might be able to see the information you send or get through this site.”

What does it look like when there really is something “severely wrong” with the connection?

I still have this problem unsolved.

What you are experiencing is an intended feature due to Let’s Encrypt’s nature; it only affects LE and does not appear to affect other DV authorities (e.g. GoDaddy, GeoTrust, RapidSSL, etc.) in the same fashion. I believe this stance is taken because of LE’s lack of policing, in that they refuse to revoke a certificate used for malicious purposes unless its owner requests it. This is dangerous and puts millions at risk. One should proceed with caution on an LE site and should use some sort of content filter/plugin (Google’s Safe Browsing, DNS filtering, Comodo SecureDNS, etc.).

My quick observations of HTTPS indicators in Comodo Dragon 57/58.

DV - https is shaded orange in the address bar, no padlock present (similar to how mixed content is shown).
OV/IV - “Company Name [Country]” (from cert) is shown in green on a white background with a green padlock; the https text is green too.
EV - “Company Name [Country]” (from cert) is shown in two different shades of green with a green padlock; the https text is green too.

Seriously, rely on certificate revocation for malware [and phishing, I would add] protection?

Some considerations and questions on that.

  • Most sites do not have a certificate (and they are neutral in Dragon!).
  • Does revoking a certificate block insecure access to the site?
  • Does revoking a certificate stop the site owner from getting a new certificate from some other CA (or for a new domain from the same CA, because those sites are very short-lived anyway)?
  • How often do CAs scan their customers’ sites, and with what?
  • How reliable are OCSP-checks (share of soft-fails)?
  • (How private are OCSP-checks?)
  • OCSP-checks are “reliable” and “private” enough that Chromium replaced them with a local CRLSet years ago.
  • How soon after revocation is that information in a user’s local CRLSet (if at all, since that list is kept very small)?
  • What effect does it have to mark the (secure!) connection to fifty million sites as not secure and an active danger (red indicator)? Remember the shepherd boy who cried wolf when there weren’t any wolves, and people did not listen to him, even when a wolf actually came (and ate the sheep)?

Your suggestion to use Safe Browsing makes more sense, and it protects over two billion devices. And it gives users a relevant warning (depending on the site’s content). Google scans its web index on a daily basis to identify unsafe websites, and when something bad is found, users are protected in about half an hour, according to the FAQ.

I expect CAs who revoke a site’s certificate due to malware, phishing, etc., to report the malicious or fraudulent site to Google (Safe Browsing) and Microsoft (SmartScreen), if those services do not already block the site, in order to protect users.

We are on it. Tell us exactly what you need in terms of documentation etc. We are more than happy to provide it all. I exclusively use CD on my computers.