How does Verification Engine work?

G’day all,

Quick question for the guys at Comodo about how VE displays the coloured border.

Is VE running as a fullscreen transparent window and is this how it displays the coloured border over the top of the browser window?

If so, what about using this same method for the firewall to alert the user about a log entry or a flood?

Cheers,
Ewen :slight_smile:

Hi Ewen,

I’ll make sure the firewall team is informed about this idea.

Thanks,
Shane.

Thanks, but did I guess right about how VE displays its verification?

Cheers,
Ewen :slight_smile:

Hi Ewen,

Well spotted, I didn’t really want to get into the mechanics on forum :slight_smile:

Shane.

Not spotted - just guessed! Cool!

Just played with the VE engine . Pretty nice tool here . Actualy , a gem . Many more should know about this one !!

I invented this “concept” in 2000. Today Internet “serves you content” but does not give you a way of “authenticating” that content it serves to you.

Well, VE is the tool that allows you to authenticate the content! Now you can verify what you see! It works with bank login boxes so that you know the login box you enter your password is a safe/authentic one, works with logos, visa or mastercard logos so that you know the merchants it legit etc etc.

Melih

Ok Ewen… now “spot” 6 numbers betwen 1 and 49… I need new numbers for the lotto on saturday :wink: Your luck is obviously better than mine :smiley:

Hey mongod,

If Ewen’s number help you strike the lotto, please let me know. I am also interested in seeking for his help if it works for you. ;D

Yours truly,
DoomScythe

I think he is hording the lotto for himself… never sent me one number :‘( :’( :cry:

43

hehe, even I can pick one of the winning numbers… 3 days after the draw :wink:

;D

Yours truly,
DoomScythe

ummmmm … we’re not real big on the canadian lotto down here in Sydney! LOL :smiley:

Hi, Melih.

I have been using VE for months and notice no problems at all. Love it and addicted to it. Will not surf the web without it. I just switched to a new notebook and one of very the first things I do is installing VE. Thanks.

Some simple questions if your don’t mind:

  1. When VE authenticates a web page with green border or a golden key, does it confirm “with certainty” that this particular page is provided by the company indicated on the page (or by the logo)? In other words, when I visit www.microsoft.com, www.symantec.com, and www.hushmail.com and see green borders or golden keys, I can be CERTAIN that I am looking at web pages provided by Microsoft Corp., Symantec Corp., and Hushmail respectively. Correct? I am confuse.

  2. I know you do not want to get into technical details, but I just have to ask these questions anyway. How does VE authenticate the website? May be:
    (a) Check the “unique signature” on each page (Require cooperation from owners of websites to signup with Comodo and embed agreed upon “signatures”,
    (b) Check the URL against Comodo’s VE database (Insecure and requires large storage for database),
    (c) ??? (Please help)
    VE is a BLACK BOX to me and there seem to be no explanation around (Forgive me if I am wrong).

  3. Websites mentioned in 1. above plus www.ibm.com and www.intel.com all show green borders, BUT www.McAfee.com, www.java.com, and www.WorldCommunityGrid.com do not. I became very nervous when I noticed that AFTER already downloading files from them (especially program update and virus signatures from McAfee.com). Does it mean I went to fake websites and downloaded from bad people?

  4. Just in case you know the answer… Is www.WorldCommunityGrid.com a legitimate philantrophic project run by IBM Corp. or is it just a scam to put malwares in unsuspected people’s computers. (I have been running their programs for months and felt good about it!!!)

Thanks in advance for the assistance and THANK YOU for trying to make the internet safe for honest people.

Tom

P.S. I love your firewall and waiting for the CAVS 2.0. Thanks.

The way that I look at Browsers and internet as a big “Content serving Engine”. It keeps serving you content…
however, there is no authentication of what it serves you! Nowadays, this content is becoming valuable as it might be a 3rd party certification (like a VISA logo which indicates Visa has authorised them to accept credit cards etc) or it could simply be a company logo, which verifies their identity. However without verification how can a user know that these are authentic? That is exactly why I invented VE!

ok lets answer your questions

1)VE works on “white list” only authenticated entities are in. So if it authenticates, you are good!

2)VE works by CVC (Content Verification Certificates). The way it works is: When you go to a site, VE checks to see if the Site has a CVC certificate or not (CVC certificate could be stored in two configuration a)on the site itself, b)at Comodo servers) by first checking the site and if not then Comodo servers. if it finds the CVC certificate, then checks the content on the website and compares it with the hash signature in the CVC. if they match then it displays the green border. Of course it also checks the domain name, and/or IP address etc of where this content is. Because if you copy and paste the content somewhere domain/ip won’t be the same hence it won’t work. All the information eg: hash of the content, URL, IP address and few other details are stored within CVC certificates.

  1. I went to Antivirus, VPN, Identity & Privacy Protection | McAfee and their logo is verified. The other two must not be in our whitelisted db yet. You can simply request any website to be “validated” by Comodo by simply posting in this forum. This way, if the site passes our validation, we will validate it and add it to our whitelist db and generate a CVC cert for it.

4)I am not sure its run by IBM Corp. I think (this is purely my personal assumption from little information i have) it runs on IBM machines but they seem like a different entity. But they seem genuine enough (but this is purely a personal view without puting them through our validation).

if you wish pls post the URLs that u want validated and our team will take care of it.

thanks

Melih

More follow up questions if you don’t mind. (:NRD)

  1. Does your system require active cooperation from the websites you verify (i.e., applying for CVC certificate and putting “stuff” on the pages for CVE to identify them) OR Comodo just go around collecting, checking, and verifying a bunch of interesting websites without requiring the consent of and action from these site’s owners? (Sorry if this question shows I still do not fully understand your earlier answers.)

  2. Yes, you are right. When I call up www.mcafee.com, I am taken to Antivirus, VPN, Identity & Privacy Protection | McAfee which is verified by CVE. However, ONLY the homepage is verified. When I am told by McAfee Antivirus on my PC that I need to update my antivirus file and follow the instruction, I am led to the page

https://us.mcafee.com/root/login.asp?ErrCode=PLEASE_LOGIN

and see a VERY BIG golden lock warning me that this page is not authenticated (a very nice CVE feature (:CLP) ). This page is important because it involves password. Other pages (e.g., Download and Install our Award Winning Products | McAfee) are also not authenticated.

[NOTE: I am used to Hushmail.com which has every page authenticated. And, by the way, Hushmail introduced me to CVE by recommending CVE on their website.]

  1. Where do I make a request for websites to be verified? If it is this forum, I am requesting that www.java.com, www.worldcommunitygrid.com, and at least https://us.mcafee.com/root/login.asp?ErrCode=PLEASE_LOGIN are verified by the CVE team.

Thanks again for what Comodo is doing for the online community. (L) The least we all should do is help spreading the words.

Tom

1)Both… but we can do it without help as well, which makes it possible for us to protect as many sites as possible.

2)you can either ask Mcafee to get their page authenticated (they can do that by getting in touch with us, or you can put the link on the VE list and see if our guys can authenticate them or not)

  1. here. https://forums.comodo.com/index.php/topic,69.0.html

thanks Tom :slight_smile:

Melih

Your answers are clear. Thanks and keep up the good work, guys. (:CLP)

Cheers,

Tom (L)