Again, it’s not as simple as that. The functionality of Hopsurf is totally different than Ask bar in terms of its underlying functionality and this underlying functionality is provided by Comodo on Comodo run servers and nothing to do with ask. This statement you make leads me to believe that you haven’t used the hopsurf product. I think it would be fair to first analyse what we are talking about before we can make any statements about a product.
Here is what I wrote, FYI (it’s yet to appear, but I only posted it late last night), in response to his statement below.
“Third and final, you CAN verify the websites associated with the certs you offer, DV or otherwise. The person signing up for a cert evidently has to tell you the site they are using it for - this instantly allows you to verify its validity.”
Very good point, but misses the reality of the issues you would face if you were to implement this I am afraid.
1) It assumes the website is up and running. I know many get certs for a new site yet to put up their public face.
2) It assumes the site won’t look legit when checked. How can a Certification Authority figure out whether a site they see is legit or not? How can looking at HTML content inform a CA of the site’s future intent?
3) It assumes that a malicious site cannot create a pretty looking site that looks legit if a CA put the above checks in place. Today malware is getting very clever to circumvent AVs. This shows their intention and how far they are willing to go. Therefore it is a fair assumption that they can create a legit looking site to fool CAs when applying for a certificate. So again, looking at the site doesn’t solve the problem.
There are 2 issues with Digital Certificates
1) There is simply no standard for issuing SSL certs (yellow padlock), which has resulted in CAs starting to issue these certificates without validation. The biggest share of the market goes to Godaddy and Verisign, who together control well over 85% of the DV market. Comodo’s DV market share is very small, in single digits. The yellow padlock was the trust indicator because it had identity validation built into it. The identity validation has been removed in DV (Dangerous Validation) certs. This was introduced into the marketplace by a company called Geotrust in around 2001. Their selling point was: hey, come and get a cert quickly without documents etc… Of course people didn’t understand the implications and went for the easy solution and started using these. Verisign was against these DV certs until they bought Geotrust. Now they are one of the largest providers of DV certs!
So why does Comodo provide it? Well, we do it on such a small scale, and we also do it in such a way that the people who are knowingly or unknowingly going for these DV certs could perhaps be convinced to use more trusted certs like EV or OV. At least we try to educate our customers about the dangers of DV and the benefits of other more trusted certs.
www.cabforum.org is an organisation dealing with the issue of validation for SSL certificates. It published the EV SSL standard, which is now used by many banks and ecommerce sites. This was a great initiative reclaiming some of the trust lost due to DV certs. Of course it will take time, but EV SSL certs (the green bar) are getting onto many sites and that is good news for consumers, as they can trust the validation behind the green bar.
Now the 2nd issue:
2) Code signing certs. The biggest problem is that when issuing a code signing cert the only thing that a CA checks is the company validity. It doesn’t check the application the company/legal entity is going to sign using the code signing cert. My proposal would be for the CAs to check the application and sign the application without actually giving the code signing cert to the applicant. This would mitigate the majority of the issues with companies using these certs for signing malware. Of course CAs do not have the code analysis capability… but AV companies do. Perhaps putting them together and getting them to work together would help. Failing that, the only recourse is the speed of revocation: how quickly can CAs revoke the certs…
I do accept that Comodo has to go the extra mile as the people creating trust online. I do accept we have to do more than our competitors! Let me explain what we have done and continue to do.
We set up www.cabforum.org in May 2005. This organisation came up with the EV SSL standards, which are now in all major browsers from IE to Opera… This organisation is also working on trying to create new standards for code signing certs.
We have set up www.ccssforum.org just recently. This is an organisation which has put CAs and security vendors, OS and browser providers together to solve the issues the industry faces. For example: now you can submit a maliciously used code signing cert here http://www.ccssforum.org/contact.php and this organisation would make sure that the relevant CA got this and acted on it. This wasn’t done before. There are many other activities this organisation is involved in; I wouldn’t like to preempt it before it had a chance to reveal it itself.
So we do go the extra mile, we take our position as the company creating trust online seriously and try to live up to it. More than happy to entertain any discussion in our forums if you so wish.
I hope I was able to shed some light on some of the industry problems we all face and what we are doing to solve them.
Thanks
Melih
As mentioned, this is a reply I posted to the above blogger…
Nothing to do with Ask? So the toolbar does not require you use a single search engine? (this is how the underlying search functionality is tied to Ask)
With ref to the underlying functionality, it is the search functionality I have been referring to, nothing else.
Perhaps if the domain itself were on an unknown IP and no content existed, then yes, this may be an issue. However, many of the domains involved are on IP ranges known for malicious activity - this should be an instant red flag, and one of the first things checked.
/edit
As an aside to this, why don’t you either stop offering DV certs if you disagree with them (and I don’t accept “everyone else offers them” as an excuse, would you jump off a bridge if everyone else did?).
Your statement assumes the underlying functionality of hopsurf is search…
it is not.
Again, I kindly ask you to pls look at the product you are questioning before you make these statements. Hopsurf’s underlying functionality is NOT search.
Perhaps the issue was posting the following quoted comment without even addressing that blog article…
Third and final, you CAN verify the websites associated with the certs you offer, DV or otherwise. The person signing up for a cert evidently has to tell you the site they are using it for - this instantly allows you to verify its validity.
Did you notice, by any chance, that the test DV cert was issued for safe-pay-vault.com?
Besides, as Domain Validation certs are meant to confirm that the connection with a stated domain is encrypted, does this make those connections so much different from http ones other than the implicit guarantees of encryption?
Something is seriously amiss whereas, among other things, registrar and ISP are explicitly neglected.
If you don’t mind, since you posted a comment on that blog (assuming it was not posted by an impostor), please address these significant (but seemingly overlooked) details…
There was nothing in the article that required addressing.
Yes.
No, but that’s irrelevant as the site is the processor for the malicious sites (and ONLY for the malicious sites). That was the sole reason it was set up, and as such, is how it is tied to the malware.
Irrelevant
Irrelevant in this case (but just to clarify, I’ve got a separate ongoing investigation involving Netdirekt, due to a slew of malicious activity).
Yep I deleted the previous one that was pretty much visible when you preferred to ignore it. So in case you overlooked that post I quoted a related reply and pasted the previous post along it… 88)
And I am trying to explain that the underlying functionality is NOT search.
My point that I am trying to get across is that Hopsurf’s primary function or underlying function is NOT search. I want you to see that point because it is this misunderstanding that got Donna to spread misleading information.
Now here comes the interesting part.
Nevertheless I thank you for linking to your own site…
Please remember your comment:
Third and final, you CAN verify the websites associated with the certs you offer, DV or otherwise. The person signing up for a cert evidently has to tell you the site they are using it for - this instantly allows you to verify its validity.
Whereas the core of some Google worth references I read on some blog it is indeed a hindsight bias.
Obviously the relation could be established after safe-pay-vault.com is referenced on the malicious site, whereas such relation could be pointed out through specifically crafted Google searches only after the malicious site’s pages that link to safe-pay-vault.com are actually indexed by Google.
I find it rather unsettling that these aspects could be considered by an average Joe and not by MVPs.
So feel free to leverage your expertise and thoroughly correct me by addressing the substance of the arguments.
As for the irrelevant remarks, I guess you do have to provide a meaningful clarification instead of begging the question.
Whereas you already contradicted your claims of “irrelevance” whereas you confirmed that an involved ISP drew your attention…
If I’m understanding correctly, your problem with this is that the domain involved was not registered to the same owner as the malicious domain itself, and was not hosted on the same IP?
If this is the case, and I’ve understood correctly, then yes - you are indeed correct. However, the domain IS registered to the same individual as a domain previously reported to Comodo for using a Comodo cert, as Mike documented. It is this that caused the problem, as it shows Comodo doesn’t do checks against previously pulled certs.
Again, research on the IP space the domain is hosted on, would’ve provided information relevant in this case, and enough information, to find that it is to be used for malicious purposes.
AFAIK the documented people were “ISystem Inc” (which did not register safe-pay-vault.com) but the ex-post approach in that article is not meaningful for the criticism there provided.
AFAIK nowhere was mentioned that the same person who registered safe-pay-vault.com registered other sites.
Please I took the effort of linking the specific whois records, I would assume you would do the same.
Besides, “Domain Validation cert” assumptions should not be neglected either, along with the role of registrar and ISP.
The ISP hosts the sites and is the first able to acknowledge any malicious activity.
The registrar assigns the name too and thus is involved.
How come that CAs alone should behave as cops?
As the use of an SSL DV cert implies that the connection is encrypted, there is obviously a certain degree of security, but this does not mean that the encryption by itself provides more than that.
It is not the malicious domains themselves to which I am referring, it is the malicious processors.
Who says we’re not taking this up with them?
They aren’t the ones issuing the certs.
Because the CAs want to be known as “ensuring trust”.
And therein lies the problem. Melih has said several times that he doesn’t like DVs, yet continues to provide them (and please don’t start the “everyone else is doing it so if Comodo doesn’t, they’ll lose money”, Melih tried it, and it’s a very very bad excuse).
If he wants to continue providing them, then at the very least, registrants for them should be checked against a blacklist, and the IP the domain resolves to, should be checked for signs of malicious activity.
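The pre-issuance screening proposed in the post above (a registrant blacklist plus a check of the IP the domain resolves to), sketched as an added example that is not part of the thread and not any CA's actual process. The names `DvRequest` and `screen_request`, both lists and all addresses are hypothetical and constructed; DNS resolution is assumed to happen upstream.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: registrants tied to previously revoked certs, and
# networks flagged for malicious activity (RFC 5737 documentation ranges).
REVOKED_REGISTRANTS = {"billing@bad-registrant.example"}
FLAGGED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("198.51.100.0/24", "203.0.113.64/26")]


@dataclass
class DvRequest:
    domain: str
    registrant_email: str                              # from the whois record
    resolved_ips: list = field(default_factory=list)   # A/AAAA answers


def screen_request(req):
    """Return reasons to hold the request for manual review (empty = none)."""
    reasons = []
    if req.registrant_email.strip().lower() in REVOKED_REGISTRANTS:
        reasons.append("registrant linked to a previously revoked certificate")
    if not req.resolved_ips:
        # A site that is not up yet cannot be reputation-checked by IP at all.
        reasons.append("domain does not resolve; no IP reputation available")
    for raw in req.resolved_ips:
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            reasons.append(f"unparseable address {raw!r}")
            continue
        for net in FLAGGED_NETWORKS:
            if ip.version == net.version and ip in net:
                reasons.append(f"{ip} is inside flagged network {net}")
    return reasons
```

An empty result only means neither list matched; it says nothing about the site's intent, which is the limitation raised earlier in the thread.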
All comments aside. Stick to the real issue, Comodo needs to repair its image, not focus on the moderation in the forum.
If certs are being issued to harmful websites then it should come to an end and Comodo needs to do what it says (Authentic & Secure) and stick to what it does best.
I still use CIS and will continue as long as Comodo sticks to what they said they will do ( protect its users ).
This is what Comodo and its users should focus on a better product and keep Comodo alive and safe.
Views of mods on here are irrelevant to the situation on hand.