Here we go again..

Thank you for the clarification. They do feed off each other's posts, as you can see; it's the same gang that posts each other's blogs. I will refer to them all in my future posts... Again, thank you for the clarification.

Melih

Security-related blogs tend to refer to each other; that's always been the case, and there's nothing special about this particular case (we all know each other and hence we all refer to each other when the need arises).

How about, instead of referring “to them all from now on”, you just refer to the person that actually made the comment? Doing otherwise is completely unfair.

How about also apologising to Donna for your recent rash of posts concerning something she had no part in?

I accept that there are 2 different people (Corrine and Donna) and blogs, and I should have clarified it clearly (I have put an edit in my original post), but what I said still stands about Donna. She is involved in a witch hunt, spreading lies.

My post about Donna still stands, and I now see my reply showing up on her blog.
And my post from 4th July to Donna's blog now shows.

(And this blogger looks stupid now, doesn't he, claiming I lied about my 4th July post :) ) You can see it showing up at Donna's blog...

Since you accepted that you guys know each other and post on each other's blogs, allow me to ask you a few questions about their activities regarding the real issues that caused all this.

Is it a good practice to disclose a vulnerability without first alerting the security vendor? (Corrine?)

Is it also a good practice to continue spreading lies even though you have been told that your statement is incorrect? (Donna?)

Thank you for taking part, and I hope we can have a sensible conversation without FUD or flames, in the interest of end users.

thanks
Melih

edit to fix broken link bf

Donna is involved in no such thing, never has been, never will be. What she posted was accurate. Donna sees something and blogs about it - nothing more, nothing less - and neither she nor I (nor anyone else involved in blogging about security-related stuff) care who is involved.

If the behaviour is questionable, we’ll blog about it (whether Comodo, Symantec, Google or anyone else).

Err, no, Corrine doesn't look stupid at all - you claimed you left a post on Corrine's blog, when in fact you'd left it on DONNA'S blog. The fact you thought Corrine's blog was Donna's is your mistake - not theirs.

What vulnerability was disclosed? She saw something pertaining to HopSurf, something clearly available publicly anyway, and blogged about it. This was not a vulnerability that was discovered.

What lies has Donna spread? HopSurf feeds queries through Ask/IAC servers - this is accurate, your own EULA clarifies this.

- 3.4. All search results accessible through the use of HopSurf search feature are copyrighted as a collective work under the U.S. copyright laws, and IAC Search & Media owns a copyright in the selection, coordination, arrangement and enhancement of such search results. The Ask name and logo are trademarks of IAC Search & Media. All other trademarks appearing as part of HopSurf or in connection with the use of the services are the property of Comodo or the respective Content owner.
- 7.2. If you wish to remove and uninstall HopSurf from your computer, click on the "Start" button; then click on the "Settings" button, then click on the "Control Panel" button, then click on the "Add or Remove Programs" button, then look for "Ask Toolbar" and click on the "Change/Remove" button.

Your replacing the toolbar's wrapper with one of your own does not remove the underlying function, which is Ask/IAC based (had this not been the case, you would have had an option in the toolbar to allow the user to select alternate search engines, and the traffic would not be routed through Ask/IAC controlled servers*). A quick run through Fiddler (www.fiddlertool.com) will verify this, as documented here.

* Clarification: By "routed through Ask/IAC controlled servers", I am obviously not referring to the final destination, as the query has to go to the search engine - it is the traffic in between the client and the final destination that we are more than a little concerned about.

/edited to add relevant section of the EULA

Let me try to clarify it further... it is confusing... for me too :)

2 issues:

1) Donna said HopSurf is an Ask toolbar.
This is a lie. She was informed that this is not the case... She still insists that it is the case. I mean, what else can one say?

2) Corrine (hope I got his name right): Reported malware using SSL on his blog, without informing the CA involved (Comodo). Don't you think this is wrong?

Melih

This is NOT a lie. Again, you may have created your own toolbar "wrapper", but the underlying functionality is the same as previously - thus, no matter which way you cut it, it's an Ask/IAC toolbar. Stop routing the traffic through Ask/IAC controlled servers and allow the user to select their own search engine - then perhaps it wouldn't be considered an Ask/IAC toolbar.

Corrine didn't say this; Mike did. Mike also informs the CA involved (when he did this, I've no idea; you'd have to ask him that), as he's always done.

That blog is mine, and your comment has been posted - along with my response.

So IE sends traffic to Google, so it becomes a Google toolbar? Your logic is legally and practically flawed, I am afraid. Legally it's a Comodo product; practically it's a Comodo product. Just like when you use IE and choose a different search engine provider, IE doesn't become a Google or Yahoo toolbar, HopSurf doesn't become an Ask toolbar either. What constitutes who owns the toolbar is not determined by the choice the user makes; it's determined by who develops it, who owns the intellectual property, and so on. So legally and practically Donna is wrong, and she knows it. And that makes it worse. Knowingly spreading lies :(

Can you please ask Mike when he reported it to us (I really don't know how to get hold of him :( )? Because within 4 minutes of us knowing about this we revoked the cert, and we can't find anywhere where he reported it (that doesn't mean that he didn't send it, but previously he did claim he sent it to us, and this time he didn't claim he did).

Melih

Actually, you've missed the point entirely. Google/IE/whichever don't route traffic through third-party servers on the way to the search engine - they go directly to the search engine. This is not the case with HopSurf. This is the issue we have (along with its being pre-checked).

You’ve got his address from the last time he contacted you, so I’ll leave that to you.

On the subject of the toolbar not being an Ask toolbar btw, would you mind explaining this?
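The check the posts above describe (run the browser through Fiddler, look at what a search query passes through before reaching the search engine) is a redirect-chain trace. The following is an added example, not code from the original thread or from Comodo, Fiddler or any of the bloggers: it parses a constructed, Fiddler-style capture (one request per line: sequence number, URL, status, Location header or `-`), follows 3xx redirects for a given query, and lists every host that saw the query other than the search engine itself. All hostnames in the sample are placeholders, not hosts observed on the page.

```python
"""Trace which hosts see a search query before it reaches the search engine.

Added illustration for the Fiddler check discussed in the thread; the capture
format, hostnames and helper names are assumptions, not anything the thread shows.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit


@dataclass
class Request:
    seq: int
    url: str
    status: int
    location: Optional[str]  # value of the Location header on a 3xx, else None

    @property
    def host(self) -> str:
        return urlsplit(self.url).hostname or ""

    def query_param(self, name: str) -> Optional[str]:
        values = parse_qs(urlsplit(self.url).query).get(name)
        return values[0] if values else None


# Constructed sample capture (hypothetical hosts): the toolbar sends the query to its
# own host, which bounces through a partner tracker before reaching the engine.
TOOLBAR_CAPTURE = """\
1 http://toolbar.example-vendor.test/search?q=comodo+firewall 302 http://tracking.example-partner.test/redirect?src=tb&q=comodo+firewall
2 http://tracking.example-partner.test/redirect?src=tb&q=comodo+firewall 302 http://www.example-engine.test/web?q=comodo+firewall
3 http://www.example-engine.test/web?q=comodo+firewall 200 -
4 http://www.example-engine.test/web?q=unrelated+term 200 -
"""

# Constructed baseline: a browser search box that goes straight to the engine.
DIRECT_CAPTURE = """\
1 http://www.example-engine.test/web?q=comodo+firewall 200 -
"""


def parse_capture(text: str) -> List[Request]:
    """Each non-empty line: <seq> <url> <status> <location-or-dash>."""
    requests: List[Request] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        seq, url, status, location = line.split(maxsplit=3)
        requests.append(Request(int(seq), url, int(status),
                                None if location == "-" else location))
    return requests


def trace_query(requests: List[Request], query: str, param: str = "q") -> List[str]:
    """Ordered hosts a query visits, following 3xx Location headers from the
    first request that carries the query until a non-redirect response."""
    by_url: Dict[str, Request] = {r.url: r for r in requests}
    current = next((r for r in requests if r.query_param(param) == query), None)
    hops: List[str] = []
    seen = set()
    while current is not None and current.url not in seen:  # guard against loops
        seen.add(current.url)
        hops.append(current.host)
        if 300 <= current.status < 400 and current.location:
            current = by_url.get(current.location)
        else:
            current = None
    return hops


def intermediaries(hops: List[str], engine_domain: str) -> List[str]:
    """Hosts in the chain that are neither the engine nor one of its subdomains."""
    return [h for h in hops
            if not (h == engine_domain or h.endswith("." + engine_domain))]


if __name__ == "__main__":
    for label, capture in (("toolbar", TOOLBAR_CAPTURE), ("direct", DIRECT_CAPTURE)):
        chain = trace_query(parse_capture(capture), "comodo firewall")
        extra = intermediaries(chain, "example-engine.test")
        print(f"{label}: {' -> '.join(chain)}")
        print(f"  third-party hosts seeing the query: {extra or 'none'}")
```

The empty list for the direct capture is the behaviour the post attributes to IE/Google; a non-empty list is what the thread is arguing about. A real Fiddler session is exported rather than typed in, but the logic is the same: start at the first request carrying the query string and walk the Location headers.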

If you care to read the last post made in the link you provided, you would have seen my explanation.

Again, you will see that over and over the explanation has been provided to Donna on many occasions since her post, but she chose to ignore it and continue forcing lies upon her readers.

thanks
Melih

I'd missed the last post, but nevertheless this mistake (which would've confused many), along with the traffic routing issue I referred to, is the entire reason that people have taken issue with it.

Respectfully, I think you are missing the point: IE doesn't get rebranded as a Google toolbar just because IE routes traffic to the Google search engine.

But would you agree that if he hasn't sent us an email before he published it, it would be unethical?

Melih

Accepted about the website mistake... but why then does she carry on insisting that it's an Ask toolbar?
The routing is no different from the routing that IE does to the Google search engine.

Melih

I can't see anywhere that points to your mentioning this to Donna. You've certainly not mentioned the "mistake" with the EULA on her blog, nor on Corrine's blog.

See the screenshot of her Fiddler log.

As above.

Here is the URL to her blog with my comments informing her that her statement is incorrect.

Here is the excerpt from my 4th July post to her:


Donna

Your statement “instead, the new version of Comodo is now bundled with HopSurf Toolbar which is IAC/Ask.com too.” is not correct. Hopsurf is a Comodo product, conceived, developed and published by Comodo. Hopsurf Toolbar is a Comodo product. I would appreciate it if you corrected your statement, as I am sure you do not want to mislead your readers with false information.

Melih


The reason why I didn't mention the EULA is because she didn't mention on her site that the reason why she thinks it's an Ask toolbar is due to the EULA! So I didn't know why she thought it was an Ask toolbar. Actually, I didn't know about the EULA mistake issue on 4th July; as per below, I don't think she did either.

Actually she states the below:


means you need to agree with (not included EULA in the installer) the EULA in using Ask Toolbar/IAC/Ask.com service. See HopSurf EULA online: The page you were looking for doesn't exist (404) or http://www.hopsurf.com/license.jsp


Clearly she hasn't checked both EULAs, as she would have realised they are not the same, because she presents them as an "or". So I doubt that her reason was the EULA ;)

Also, early on she states: "The installer become worst because there's no EULA presented in addition to", again pointing to her unawareness of the mistake issue with the EULA. So we can safely take the EULA as the excuse for attacks, tbh.

So, despite all of the above, she continued to insist that it's an Ask toolbar. This is clearly a lie.

Melih

The EULAs being different is irrelevant. The fact that one of them mentions Ask/IAC is the whole issue surrounding the confusion. Are there other reasons she believes it to be an Ask/IAC toolbar? Probably - but I'm not Donna.

IMHO, yes, HopSurf is probably Comodo developed (the only way to confirm this would be to see the toolbar's source code, something highly unlikely to happen). However, as I mentioned before, the underlying functionality is tied to Ask - simple as that. Because of this, no matter how it's dressed, some will always refer to it as an Ask/IAC toolbar in one form or another.

/edit

As an FYI btw, you mentioned you didn't mention the EULA to her because she hadn't referred to it. If you had done so, and had known about the error at the time, this would likely have been partially cleared up by now.

It seems the first people to actually install the software in question and verify the EULA were Wilders' admins, following a large number of posts there yesterday. This implies everybody else ran with a completely unverified story. Is that normal? Of course, the focus was completely on the Ask/IAC component and Comodo's previous toolbar. But I don't think this excuses running a story, especially in such a manner and tone, without any verification. So, as Steve implies, Donna must have that verification... it would be fairly reckless to publish without it. Would it not?

Just had a power cut, so I'm on a rubbish mobile connection atm, but I wanted to note that Donna did actually install the software to verify this prior to publishing.