Is Comodo under attack?

What is happening in the world… :cry:
Is Comodo under attack?

Any other info that we must know about it?

It’s a Comodo reseller, not a division of Comodo. There is no possibility of certificates being compromised in this instance.

Ewen :slight_smile:

Hi Ewen,

What do you mean by:

  1. “reseller, not a division”?

Do you think that after reading all info available now and in the past, the said statement can possibly make it clear to the “ordinary/average” user, who is not very computer literate?

  2. “this instance”, which is what instance?.. meaning how it’s different to other instances?

Thanks

A reseller in this instance is one who is selling certificates.

Think of it like this:

You purchase a copy of finance software at a local office store; when you take the software home, you install it on your computer and register the software with your personal information on the software company’s website.

The office store you bought the software at has its website hacked; however, that doesn’t mean the information you used to register the software with the software maker is compromised. They are two separate companies.

It’s the same thing here, people purchase the certificates from this company, just because the company was hacked doesn’t mean that any information pertaining to your Comodo certificate was leaked as that information is stored on Comodo servers, not this reseller’s server.

By “division” Ewen means it is not part of Comodo, it is a separate company not owned or operated by Comodo in any way.

By “instance” Ewen means that in this scenario there is no sensitive data leak like there could have been if an actual Comodo server was compromised.

Remember this was just a company which sells some of Comodo products, they are not owned, operated, or in any way managed by Comodo, and as such they do not have any sensitive data pertaining to Comodo customers in their servers.

Hi Justin, are you sure that resellers are not managed by Comodo? Just wanted to confirm.
If it is so, how are they going to protect their certificates from being used fraudulently?

Does anyone know what security suite is being employed at Comodo resellers?
I’m not sure if SQL injection can be done anything (controlling) with firewalls…

thanks,
harsha

Greetings harsha_mic,

Yes, this is a separate company, therefore not managed by nor are they any part of Comodo. Just like a retail store doesn’t have to be managed by a brand to sell a particular product, the same goes in this scenario.

This site simply sells the certificates, and as stated in the article;

...Comodo systems were never compromised. He also said no certificates were issued as a result of the breach, and that the reseller had no access to Comodo databases.

That sums it up all there, no false certificates were issued, therefore there are no concerns for any of Comodo’s customers regarding their certificates or other information.

If there were false certificates issued, Comodo always has the ability to revoke them as well.

Hope this clears things up,
Justin

Thanks justin. I understand now.
Have a great weekend.

Agree.

Remember that it could be “too late”.
I mean, reinforce the security “before” the certificate is issued is the key, isn’t it?
Everyone must “take care” on where/how is his product being sold.

I do also think the same way. If I am allowing someone to use my name and sell my product, I should be watching his back.

I also want to know whether the particular reseller company is using CIS or not… It does matter, if it is hacked, then it could be a failure of CIS…

If the company is not using CIS, why don’t we suggest them to use CIS to secure themselves?

While I’m not sure on Comodo’s practices on regulating the security of its resellers, there is a two-factor authentication system they now require all resellers to use, which does help with security.

As for resellers using CIS, I don’t really see how that would help secure them, keep in mind the hack was on a web server, which is not like a client operating system at all, many webservers use linux in some form or another as well.

That indeed stresses again the requirement of CIS for Linux systems.

The server needs to be secure, whether it is Win Server or Linux Server, and Comodo is already in the field of security producing a world class Internet Security Suite.

So, it does not look good if they are not offering the highest possible security to their own resellers.

While two factor authentication helps, it is a secondary measure and not the primary…

While I can understand your logic, a client system and a webserver are two completely different beasts. The protection methods are also very different, while I agree it would be nice if Comodo offered a version of CIS for Linux, keep in mind protections needed on a Linux desktop or Laptop vs. protections needed on a Linux webserver are extremely different.

Would you feel safe if Microsoft used a regular client PC based firewall to protect their webserver? I wouldn’t, a webserver does much more than a client based PC does, and therefore has more vulnerabilities which need to be protected, which is why they use different encryption techniques as well as other security measures and Comodo now requires all of their resellers to use their Two-Factor authentication system. Also keep in mind, no security system is 100%, we can get it as close as possible, but as they make software upgrades to the webserver or changes, eventually an exploit may be discovered and abused by hackers, it’s just the nature of the beast.

Think of it this way, using the analogy of the office store I posted earlier, is it the job of the companies that make software which is sold in that office store to make sure that office store is safe, and no theft, or confidential information from that store can be stolen? No, that is the store’s liability, not the liability of anyone else.

Securing a server from SQL injection is the responsibility of the company, and is pretty simple to do in itself, the fact that they were subject to such an attack is in no way Comodo’s fault.

I’m going to go ahead and close this topic as I think all of the questions have been explained in detail and at this point it will just be hitting a ball back and forth. If you have any further questions feel free to PM myself, any other Comodo Moderators, or Comodo Staff members.

Making a server secure for SQL injection attack can be done in the HTML code web site itself according to Wikipedia:

A straightforward, though error-prone, way to prevent injections is to escape characters that have a special meaning in SQL. This technique is called HTML sanitization. The manual for an SQL DBMS explains which characters have a special meaning, which allows creating a comprehensive blacklist of characters that need translation. For instance, every occurrence of a single quote (') in a parameter must be replaced by two single quotes ('') to form a valid SQL string literal. For example, in PHP it is usual to escape parameters using the function mysql_real_escape_string(); before sending the SQL query:
$query = sprintf("SELECT * FROM Users WHERE UserName='%s' AND Password='%s'",
    mysql_real_escape_string($Username),
    mysql_real_escape_string($Password));
mysql_query($query);

Routinely passing escaped strings to SQL is error prone because it is easy to forget to escape a given string. Creating a transparent layer to secure the input can reduce this error-proneness, if not entirely eliminate it. [14]
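
Added example, not part of the original thread or the quoted Wikipedia text: the "easy to forget to escape" failure next to a prepared statement, one form of the "transparent layer" mentioned above. It assumes PDO with an in-memory SQLite database instead of the MySQL functions in the quoted snippet; the table contents, the function names and the input string are constructed for illustration. The hand-escaped login accepts the constructed input because one parameter was left unescaped, while the prepared statement rejects it and still accepts the real password.

```php
<?php
// Added example: PDO with in-memory SQLite (assumption; the quoted snippet
// targets MySQL). Table and row are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE Users (UserName TEXT, Password TEXT)");
// Plaintext only to mirror the quoted query; real systems store password hashes.
$db->exec("INSERT INTO Users VALUES ('alice', 'correct-horse')");

// Escaping by hand, as the quoted passage describes: double every single quote.
function escape_literal(string $s): string {
    return str_replace("'", "''", $s);
}

// "Before": $user is escaped, but the escape call for $pass was forgotten.
function login_forgot_escape(PDO $db, string $user, string $pass): bool {
    $sql = sprintf(
        "SELECT COUNT(*) FROM Users WHERE UserName='%s' AND Password='%s'",
        escape_literal($user),
        $pass
    );
    return (int)$db->query($sql)->fetchColumn() > 0;
}

// "After": placeholders. Values are bound separately from the SQL text,
// so there is no per-call escaping step that can be left out.
function login_prepared(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare(
        "SELECT COUNT(*) FROM Users WHERE UserName = ? AND Password = ?"
    );
    $stmt->execute([$user, $pass]);
    return (int)$stmt->fetchColumn() > 0;
}

// Constructed input whose quote characters change the meaning of a
// string-built query.
$odd = "x' OR '1'='1";

var_dump(login_forgot_escape($db, 'alice', $odd));
var_dump(login_prepared($db, 'alice', $odd));
var_dump(login_prepared($db, 'alice', 'correct-horse'));
```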