InstantSSL flagged as "Engaged in malware distribution" by hpHosts

Hi there,
I noticed today at an AV company’s forums that they were not recommending COMODO Firewall due to it installing HopSurf toolbar, (blah blah blah…)
They also quoted an article from hpHosts blog…
And when I took a look at hpHosts database…

Database Record
IP On Record: 91.199.212.132 (3)
IPOR PTR: secure.comodo.net
Added: Not recorded
Added By: hpHosts
Updated: 12-12-2009
Classification: EMD

I honestly don’t know what to think of Comodo, Melih and everyone now…

(But I’m gonna stick with my beloved COMODO Personal Firewall, and nothing is going to change that)

Well I just took a look at hpHosts database too.

After reading your post I believe they updated their DB very quickly! (hpHosts query on secure.comodo.net)

I supposed you’d say that ;D
Comodo.com is NOT listed.
secure.comodo.com is listed indirectly because it is the reverse pointer for the sites in the screenshots ???

Thanks for pointing that out.

Yet secure.comodo.com is not listed as EMD in hphosts too.

EDIT 1: InstantSSL.com and trusttoolbar.com appear to be listed as EWD.

EDIT 2: InstantSSL.com and trusttoolbar.com are not listed as EWD anymore.

EDIT 3: I’ve seen your screenshots.

Yet strange I’m not able to find any application that can be downloaded on InstantSSL.com though I found a trusttoolbar topic in these forums and I come to understand was confirmed to be perfectly safe…

…thus the related trusttoolbar.com domain appears to have been erroneously classified, probably like instantssl.com.

Out of curiosity I checked hopsurf.com as well since you mentioned the related toolbar in your first post…

…and I was not surprised to find no EMD classification for that domain as well.

That was exactly what I was thinking =)
For you, me and everyone here, that app may be perfectly safe, but for some people (aka hpHosts) it is malware/spyware/adware.
Do take a look at hpHosts blog, it seems to have quite a lot of articles about COMODO :wink:

It’s in other people’s interests (other companies) to bad mouth, find fault, or just plain put down another business. Can’t say I’ve seen/heard COMODO do the same, after all they help others in the security industry.

Regardless of anything, I’m happy with COMODO and will continue to trust them in their efforts to keep me safe.

Kind of off topic (don’t see it as a rant) but just as a general reply of opinion, I can’t go too technical like you can too much…yet.

:-TU

Well I hope many will at least be aware of the difference between malware, spyware and adware before listening to anything they’re told anywhere by anybody. :-TU

I’m quite selective about my sources of information but I might have taken a look at hpHosts blog like you suggested if you would have considered it to be authoritative enough in that regard :wink:

Meantime I’ll get some spare time to read http://giveupinternet.com/ sure a noteworthy source of humor (IMHO) ;D

EDIT: Interesting enough instantssl.com and trusttoolbar.com featured in your screen-shots appear to be removed from hphosts.

EDIT: The “This site is not listed …” notice, applied to instantssl.com only, it didn’t apply to www.instantssl.com

Though I still see an EMD classification like that in your screenshot mentioned…
EDIT: It didn’t last long… :-TU

I’ll check again later:
http://hosts-file.net/default.asp?s=trusttoolbar.com
[s]http://hosts-file.net/default.asp?s=instantssl.com[/s]

EDIT: the appropriate query should have been http://hosts-file.net/default.asp?s=www.instantssl.com

Trusttoolbar.com got a red mark again…

Let’s clear this up shall we?

  1. comodo.com, comodo.net, secure.* aren’t listed in hpHosts (and haven’t been for well over 12 months if memory serves)

  2. If you look at the information provided, it clearly states “www.instantssl.com is listed with the WWW prefix only”, which means it is NOT listed as simply “instantssl.com”.

Quite why this is, I’ve no idea as both instantssl.com and trusttoolbar.com, were added prior to my taking over the project in 2006 (as shown by the lack of an “Added” date), however, I am satisfied that instantssl.com should not be listed, and it will be removed as soon as I’ve posted this.

  3. trusttoolbar.com and www.trusttoolbar.com are both listed in hpHosts (quite why you’ve got a screenshot showing otherwise, is puzzling), as shown here;

The reason they’ve not been removed is due to;

http://www.virustotal.com/analisis/71497cf61838fd9c9164dec931615c2c6053513a1793e803313dfb962793b236-1260649565

  4. Unless it states “This site is currently listed in hpHosts”, the site is NOT listed.

  5. IP PTR’s aren’t listed unless querying it explicitly states otherwise (i.e. the IP PTR for trusttoolbar.com is secure.comodo.net, but secure.comodo.net is NOT listed in hpHosts, as shown by this).

Which means, the following, quoted from a post above, is incorrect, there is no “indirectly” with hpHosts, it’s either listed, or it isn’t (in which case, see #4).

“secure.comodo.com is listed indirectly because it is the reverse pointer for the sites in the screenshots”

  6. If a domain is listed, but the “Added” field states “Not recorded”, then it was added before I took over the project, in which case, do feel free to point me to it.

I’m curious as to why no-one felt it necessary to contact me with these queries, and instead decided to speculate, but nevertheless, if you’ve got any further queries regarding this, or indeed, any other site listed in hpHosts, I’ll be happy to answer them.

Honestly, I never knew that hpHosts was not originally your project… that explains the weird “not recorded” about the adding date.
I could have contacted you when I got to know about this, but I didn’t know if I could PM you at MBAM’s forums about this (MBAM was how I got to know about instantssl.com’s blocking). That was the easiest way for me to do it ;D

My sincere apologies to you and everyone here for this situation. :a0

No apology necessary.

hpHosts was originally run by hpGuru.

Are the criteria for inclusion publicly documented somewhere?

According to trusttoolbar.exe certificate the toolbar has been available since 2005. Yet 37 out of 41 virustotal featured Antiviruses still don’t list it yet. Wouldn’t that be a reason for removal?

The FSA criteria is published in the hpHosts forums, but I’ve not published the rest, other than here as I thought the rest were self explanatory.

I’ll make a note to test it on Monday and will base the removal decision on the results.

Though looks that while the query was run against instantssl.com the result matched www.instantssl.com.

EDIT: The “This site is not listed …” notice, applied to instantssl.com only, it didn’t apply to www.instantssl.com

Can you please clarify further? was that match not supposed to occur? ???

That typically occurs when;

  1. Whoever added it, forgot to add it without the www. prefix
  2. It failed to resolve without the www. prefix at the time of addition

In either case, when you see a result like this, I’d appreciate a heads up as it either shouldn’t be listed, or needs to be checked to ensure it’s listed with and without the www. prefix (where both resolve)
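
The exact-match behaviour described in this thread (a name is listed only if that exact name is in the database, a www-only entry does not cover the bare domain, and a PTR name is not listed through the sites that point to it), as an added Python example that is not hpHosts code and not part of any post. It assumes a blocklist in standard hosts-file syntax; the sample entries, `.test` names and function names are constructed for illustration.

```python
# Added illustration; not hpHosts code. Sample data below is constructed.
SAMPLE_HOSTS = """\
# constructed blocklist in hosts-file syntax
127.0.0.1  localhost
127.0.0.1  www.example-a.test
127.0.0.1  example-b.test   # inline comment
127.0.0.1  www.example-b.test
0.0.0.0    Example-C.test.
"""

LISTED, WWW_ONLY, BARE_ONLY, NOT_LISTED = (
    "listed", "listed with www prefix only",
    "listed without www prefix only", "not listed")

def normalize(host):
    """Hostnames compare case-insensitively; drop a trailing root dot."""
    return host.strip().rstrip(".").lower()

def parse_hosts(text):
    """Return the set of hostnames in hosts-file text, skipping comments."""
    listed = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        # fields[0] is the sink address; every later field is a hostname
        listed.update(normalize(h) for h in fields[1:])
    listed.discard("localhost")
    return listed

def lookup(listed, query):
    """Exact-match lookup that reports a prefix mismatch instead of hiding it."""
    q = normalize(query)
    if q in listed:
        return LISTED
    if q.startswith("www."):
        return BARE_ONLY if q[4:] in listed else NOT_LISTED
    return WWW_ONLY if "www." + q in listed else NOT_LISTED

def prefix_gaps(listed):
    """Bare domains listed in only one of the two forms (candidates for review)."""
    bases = {h[4:] if h.startswith("www.") else h for h in listed}
    return sorted(b for b in bases if (b in listed) != ("www." + b in listed))

if __name__ == "__main__":
    db = parse_hosts(SAMPLE_HOSTS)
    # ptr.shared-host.test stands in for the PTR name of a listed site's IP
    for name in ("example-a.test", "www.example-a.test", "ptr.shared-host.test"):
        print(f"{name}: {lookup(db, name)}")
    print("review:", prefix_gaps(db))
```
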

Thanks for pointing it out though I would appreciate if you could confirm if in the above mentioned case the query instantssl.com successfully matched www.instantssl.com or not and if anybody should be discouraged to rely on a query result if that “is listed with the WWW prefix only” message is mentioned.

I never discourage replying/comments or suggestions, I just like to correct confusion when such occurs.

It’s possible instantssl.com matched www.instantssl.com, but if it displayed a message that it was listed when in fact it was only listed with the www. prefix, then it’s a bug in the code and I’ll take a look when I get home (it’s in desperate need of a re-write anyway)

EDIT: The “This site is not listed …” notice, applied to instantssl.com only, it didn’t apply to www.instantssl.com

In that regard I’m still confused and I hope you could later confirm if the results of the instantssl.com query pertained www.instantssl.com (field host in the above screenshot) or not whenever that www. prefix message was displayed.

If the result was actually erroneous I feel the posts featuring such screenshot should be edited to mention that though I gather such aspect could be confirmed only after checking the code.

The results displayed under “Database record”, are the results for the www.instantssl.com domain, if that’s what you meant? (sorry if I’ve mis-understood, I’m absolutely shattered)