Netcraft has blocked phishing attacks on more than 47,500 sites with a valid TLS certificate between 1st January and 31st March 2017. On 36% of these are by Comodo valid certificates?!
“Certificate authorities Let’s Encrypt and Comodo were responsible for nearly all phishing sites with valid SSL/TLS certificates, according to a new analysis…”
Not very surprising.
Let’s Encrypt and Comodo are attractive to fraudsters as both offer automated, domain-validated certificates at no cost to end users. Let’s Encrypt’s ACME protocol allows for free automated issuance, while Comodo offers no-cost certificates via its trial certificates, cPanel AutoSSL, and its Cloudflare partnership.https://news.netcraft.com/archives/2017/04/12/lets-encrypt-and-comodo-issue-thousands-of-certificates-for-phishing.html
Interesting…
More interesting would be to know what is/has COMODO planning/planned to do, to stop this.
Comodo to ask for ID card everyone who want certificate - to show by uploading to comodo during registration. That will reduce the way someone to misapply certificates, to use for bad things, because can be identified and judged by law.
Today i try to find more and more lists from all websites around the world to download, change and implement on comodo web filtering, but web filtering does not work at all. Can not block website over https but just over http. This frustrated me badly.
In one way comodo give away free certificate to everyone without identification, on other side comodo can not block infected websites, fishing, malware sites with comodo free certificates and others, some websites use self generating certificates which on real are dangerous to visit that site because can catch web history from browser, bookmarks, saved passwords and other things and can upload to them on suspicious servers (fishing).
here in forum i found one post which say that comodo dns is not updated more than one year…
Even an ID card (not necessarily available in all countries) would not be proof of identity.
And would you need to validate the ID before the certificate is issued? … Not DV if you do.
I imagine anyone producing a phishing site would also provide a fake ID.
What I think Comodo want is DV certificates to be downgraded to unsecured by the browsers.
This would then give people a visible indication of a minimally validated certificate in use.
That would mean that at least 70 % of all secured sites would be “unsecured”. In other words, “unsecured” would be the norm. Will people care? No. Will people care when the connection is really not not secure, if “unsecured” is the norm they are used to? No.
Warning fatigue.
As they do not really prove anything, you cannot really call it a secure website.
Maybe a different colour to say that they could possibly be a fake website, thereby warning the user to check.
Dennis
https://www.melih.com/2017/07/19/to-indicate-or-not-to-indicate-a-devilish-question/
Here is my answer.
If the certificate is valid, and the TLS-configuration is “modern”, the connection is secure/private. That is not to say the the site should be trusted. The security mentioned is required for trust, but may not be enough for trust, depending on what you do on the site. In some cases you probably want to know (see a verification of) that you are actually on your bank’s site, for example.
Since both OV- and EV-certificates include the owner’s name (O), I think browsers should show that information in the URL-bar for both OV and EV. DV does not have such information to show, which is in a way an indicator of lower trustworthiness.
I disagree with the above statement that the “Connection is secure/private”.
Secure from who?
Your answer will be: from prying eyes.
My answer will be: how do you know the recipient is not the same person as the one you are trying to avoid?
Your answer has to be: I don’t know…
My answer will then be: If there is a chance that the recipient can be the very person you are trying avoid, how can you call it “secure or private”?
Your answer will be: …
“Secure from who?” Secure from any third party, making it impossible for a third party to read the data in transit, or to tamper with it.
“how do you know the recipient is not the same person as the one you are trying to avoid?” The same person? If I want to share information securely with “DV-site.org”, there are 7,5 billion people I want to avoid sharing it with, and 7,5 billion people I don’t want to be able to tamper with the data. Anyone but “DV-site.org” I want to avoid. Being able to do so is worth a lot to me. I log in on forums with a DV-certificate every day, and am glad that my login credentials are secure and private in transit, and that third parties can not monitor my activities on those sites.
What do I know about the site/forum where I log in, if it has a DV-certificate? I only know the URL/domain, and keep an eye on it.
Next I log in on a typical email site. It has an OV-certificate. Looks just like DV in my browser. Only if I open the certificate viewer can I see the difference. Does the average user ever open the certificate viewer? Of course not. How, then, is OV better than DV?
As I said in my previous post, I think (O) should be visible in the URL-bar for both OV and EV. I know Dragon now does so, using Chrome’s new EV-indicator for OV, and Chrome’s old EV-indicator for EV (if I remember rightly). A bit confusing, perhaps, and not standardised in any way. That is an exception, as in most browsers DV and OV look the same, and EV is different.
Mobile browsers? Even worse. At least in Chrome on Android, DV, OV and EV look the same. And mobile phones are the leading browsing platform.
lol…
how do you know the recipient is not the “any third party”?
How do you know the recipient is not one of the 7.5b people you want to avoid?
You are confusing key with key holder…who is the key holder? do you know who that person is ?
For me…I don’t believe DV should exist in an internet security arena.
And thats mainly for the reasons Melih is outlining in this thread.
If I am the first party, the site I choose to connect to is the second party, and all third parties are left out.
I’m not confusing key with key holder I’m talking about the site rather the owner of the site (one does not connect to a person or an organisation, but to a server hosting a site). If one of the forums I log in to would upgrade from DV to OV, and I would be able to see that the site is owned by some Sven Svensson in Sweden, how does that make anything any better? There are one thousand Sven Svensson in Sweden. Can I trust them all? Why should I trust any one of them without knowing them? Or should I trust only sites run by registered organisations with a known address?
If I go to sites.google.com/site/somethingveryfunny, it has an OV-certificate, and I can see that the domain belongs to Google Inc (if I bother to open the certificate viewer), but somethingveryfunny is created by someone else. Should I trust the someone else, if I happen to trust Google Inc?
This forum has an EV-certificate. Excellent, but what does that mean, when Comodo CA has been validated by itself (Comodo CA)?
I think your reasoning makes most sense when someone goes to a site it did not intend to, like your example with PayPal in your article. To be fooled by that phishing site, which has a URL very different from PayPal’s, the user must not pay any attention to the URL, which means no attention the URL-bar, where the security indicator is. It is then likely that the user will not miss the missing PayPal, Inc. [US].
You are comparing apples with oranges…
“site” is a domain…“Third parties” are all People…
You have to compare the “key holder of the site” with “Third parties”…
I am not talking about value of OV or EV.
I am merely talking about the process of DV cannot be called “Secure Connection” or even “Encryption”. So lets focus on DV process discussion.
So do you know the person who ends up with your data in a DV process?
here is an example: You connected to a brand new site…using DV…you sent them your data encrypted using DV. Do you know the person who received it?
Answer is NO.
Do you know if this person is not the same person as the one you were trying to avoid?
Answer is NO.
Hence you cannot attribute “ANY” positive indicator to DV process. You can’t even call it “Encrypted”…You can say data is “Enciphered”…but NOT encrypted!
I wrote about this conundrum in this blog https://www.melih.com/2017/07/19/to-indicate-or-not-to-indicate-a-devilish-question/ Hope you can find time to read it.
I get Melih’s point with DV. Just because a site is encrypted doesn’t mean your submitted data is secure. After all, the thief could have enrolled for a DV certificate and make you think you are on PayPal’s website (or any other website you use every day).
Hence it should not be treated as secure as the OV or EV certificates, it should be treated as neutral.
Can you even call it “Encrypted”?
Because the definition of Encryption is:“encryption is the process of encoding a message or information in such a way that only authorized parties can access it”
Because Encryption process is not complete, because you can’t guarantee “only authorized parties can access it”…can it be called “Encrypted”?
or is it simply “enciphered”? “To encipher or encode is to convert information into cipher or code”.
For an example a MITM attack could be introduced into the equation, and with this added then (JoWa) your worriment of being eavesdropped apron comes true. Also all encryptions can be broke or bypassed over time even if their keys are highest you can make them.
For DV, what I see in the certificate is the domain(s). For OV and EV, usually the name of an organisation.
Like Shakespeare, we should ask “What’s in a name?”.
If I see Comodo CA Ltd [GB] in the certificate, I still don’t know the person I am communicating with. Is it you, the CEO, or a server administrator? Comodo CA is part of Comodo Group, with more than one thousand employees.
If I see Google Inc, is it Sundar Pichai I am communicating with, or one (or more) of the 57 thousand employees? I have no idea.
If we look at one of the forums I mentioned before, it is a local Ubuntu community in Sweden. The domain is owned by Canonical. Is it Canonical’s name you want to see in the certificate? No one at Canonical controls the server. One member of the local community does, our current server administrator. I know who he is and can contact him. Is it his name you want to see in the certificate? Will you feel more secure visiting our site/forum if you see the name of a person you don’t know anything about in the certificate?
Thanks for the link. That is the article I referred to in my previous post.